CAA Record Generator
Generate CAA (Certificate Authority Authorization) DNS records for your domain. Specify which CAs are allowed to issue regular and wildcard certificates, add a violation-report endpoint, and get copy-ready zone-file lines — all without learning the RFC 8659 flag-and-tag syntax.
How to use the CAA Record Generator
Enter your domain name (e.g., example.com). The trailing dot in the zone-file output is added automatically.
In Allowed CAs for standard certificates list the CA domains that are permitted to issue certificates for your domain — one per line. Common values: letsencrypt.org, pki.goog (Google Trust Services), digicert.com, sectigo.com, amazon.com (AWS ACM). Each CA you list generates an issue record. If you leave this blank and check Disallow ALL, a single issue ";" record is emitted instead, instructing CAs not to issue any certificate for the domain.
The wildcard field accepts the same format and generates issuewild records. If left blank, the issue policy also covers wildcards by default. Enter a single ; to explicitly block wildcard issuance even if issue allows regular certificates.
The iodef field should be a mailto: or https: URI where CAs send violation reports when a request violates your CAA policy. It is optional but strongly recommended. The flags value is always 0 — the only defined non-zero flag (128 = critical) is not needed for standard policy enforcement.
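The following script is an added example, not the generator's own code: it models the fields described above (domain, allowed CAs, wildcard CAs or a single `;`, Disallow ALL, iodef) and emits the same kind of copy-ready zone-file lines, with the flags octet fixed at 0. The `CaaPolicy` class, the `caa_records` function and the 3600-second TTL are assumptions of this example; RFC 8659 does not prescribe a TTL.

```python
"""Generate CAA zone-file lines from a simple policy description (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CaaPolicy:
    domain: str
    issue: List[str] = field(default_factory=list)  # CAs allowed for regular certs
    issuewild: Optional[List[str]] = None           # None: inherit issue; [";"]: block wildcards
    disallow_all: bool = False                      # emit issue ";" instead of a CA list
    iodef: Optional[str] = None                     # mailto: or https: report URI
    ttl: int = 3600                                 # assumed default TTL


def _ca_value(raw: str) -> str:
    """Normalise one CA entry: a bare ';' is the 'no CA' value, anything else a hostname."""
    value = raw.strip().lower()
    if value == ";":
        return ";"
    # Hostnames only: no whitespace, quotes or ';' (the CAA parameter separator),
    # which this generator deliberately does not accept.
    if not value or value.startswith(".") or any(c in value for c in ' \t";'):
        raise ValueError(f"invalid CA domain: {raw!r}")
    return value


def _iodef_value(raw: str) -> str:
    value = raw.strip()
    if not (value.startswith("mailto:") or value.startswith("https://")):
        raise ValueError("iodef must be a mailto: or https: URI")
    return value


def caa_records(policy: CaaPolicy) -> List[str]:
    owner = policy.domain.strip().rstrip(".").lower() + "."  # zone-file FQDN with trailing dot
    if owner == ".":
        raise ValueError("domain is required")
    prefix = f"{owner} {policy.ttl} IN CAA 0"  # flags are always 0 for ordinary policy
    lines: List[str] = []

    if policy.disallow_all:
        if policy.issue:
            raise ValueError("Disallow ALL cannot be combined with an allowed-CA list")
        lines.append(f'{prefix} issue ";"')
    elif policy.issue:
        for ca in policy.issue:  # one issue record per CA; they act as a union
            lines.append(f'{prefix} issue "{_ca_value(ca)}"')
    else:
        raise ValueError("list at least one CA or choose Disallow ALL")

    if policy.issuewild is not None:  # left blank (None): issue also governs wildcards
        values = [_ca_value(ca) for ca in policy.issuewild]
        if ";" in values and len(values) > 1:
            raise ValueError("issuewild ';' cannot be mixed with CA names")
        for value in values:
            lines.append(f'{prefix} issuewild "{value}"')

    if policy.iodef:
        lines.append(f'{prefix} iodef "{_iodef_value(policy.iodef)}"')
    return lines


if __name__ == "__main__":
    demo = CaaPolicy("example.com", issue=["letsencrypt.org", "pki.goog"],
                     issuewild=[";"], iodef="mailto:security@example.com")
    print("\n".join(caa_records(demo)))
```

The validation in `_ca_value` rejects `;` inside a CA name on purpose: in a CAA value the semicolon starts a parameter list, so a stray one would silently change the record's meaning rather than produce a syntax error.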
What is a CAA DNS record?
CAA (Certificate Authority Authorization) is a DNS record type (RFC 8659, formerly RFC 6844) that lets domain owners publish a list of certificate authorities (CAs) that are permitted to issue TLS certificates for their domain. When a CA receives a certificate signing request, it must check for CAA records and refuse to issue if the policy does not authorize it. This provides a defense-in-depth layer against misissuance — even if an attacker can fool a CA's domain-control validation, the CA is bound by CAA to refuse the request if it is not listed.
A CAA record has three fields: a flag (almost always 0), a tag, and a value. The three standard tags are: issue (authorizes a CA to issue single-domain and multi-SAN certificates), issuewild (authorizes a CA to issue wildcard certificates — overrides issue for wildcards when present), and iodef (a URI where CAs send policy violation reports). A flag of 128 makes the record "critical" — a CA that does not understand it must refuse issuance — but this is rarely used in practice. Multiple issue records are allowed and act as a union: any listed CA is permitted.
CAA records are inherited down the DNS tree: a record on example.com covers sub.example.com unless the subdomain has its own CAA records. An absent CAA record (none on the name or any of its ancestors) permits any CA to issue. For maximum security, add CAA records to every domain and subdomain that receives TLS certificates, explicitly listing only the CAs you actually use. Pair this with periodic DNS record inspection or a monitoring service to verify the records remain in place.
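To make the lookup and evaluation rules above concrete, here is an added example (not part of the page or of any CA's code) that parses records in the presentation format `dig +short <name> CAA` prints, walks up the DNS tree to the first name that has CAA records, and decides whether a given CA may issue. It applies the rules the page describes: issuewild overrides issue for wildcard names, `issue ";"` authorises no CA, an unknown tag with the critical flag (128) forbids issuance, and no records anywhere up the tree means any CA may issue. The `ZONE` dictionary is constructed sample data standing in for DNS answers; the rule that an RRset containing only iodef imposes no issuance restriction is the common CA interpretation and is marked as an assumption in the code.

```python
"""Evaluate an issuance request against CAA records, RFC 8659 style (added example)."""
import re
from typing import Dict, List, NamedTuple


class Caa(NamedTuple):
    flags: int
    tag: str
    value: str


# One line of `dig +short` output, e.g.:  0 issue "letsencrypt.org"
_LINE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: owner name -> dig-style CAA lines (not real DNS data).
ZONE: Dict[str, List[str]] = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issue "pki.goog; accounturi=https://acme.example/acct/1"',
        '0 issuewild ";"',                          # block all wildcard issuance
        '0 iodef "mailto:security@example.com"',
    ],
    "dev.example.com.": ['0 issue "digicert.com"'],  # own policy, not inherited
    "strict.example.com.": ['128 futuretag "x"'],    # critical flag, unknown tag
    "notify-only.example.com.": ['0 iodef "mailto:security@example.com"'],
}


def parse_caa(line: str) -> Caa:
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    return Caa(flags, m.group(2).lower(), m.group(3))


def relevant_rrset(zone: Dict[str, List[str]], name: str) -> List[Caa]:
    """Climb from `name` toward the root; the first node with CAA records is the
    relevant RRset. Returns [] when no ancestor has any (any CA may issue)."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        node = ".".join(labels) + "."
        if zone.get(node):
            return [parse_caa(line) for line in zone[node]]
        labels.pop(0)
    return []


def _issuer(value: str) -> str:
    # value is "issuer-domain[; param=value ...]"; an empty issuer-domain means "no CA"
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[str]], name: str, ca_domain: str) -> bool:
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)  # "*.x" is looked up at "x"
    if not rrset:
        return True  # no CAA anywhere up the tree: unrestricted
    # A critical record (flag bit 128) whose tag the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    wild = [r for r in rrset if r.tag == "issuewild"]
    if wildcard and wild:
        applicable = wild  # issuewild takes precedence for wildcard names
    else:
        applicable = [r for r in rrset if r.tag == "issue"]
    if not applicable:
        return True  # assumption: only iodef present -> no issuance restriction
    return any(_issuer(r.value) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    for req in ("www.example.com", "*.example.com", "api.dev.example.com", "example.org"):
        print(req, "letsencrypt.org ->", may_issue(ZONE, req, "letsencrypt.org"))
```

Run it against real answers by feeding the output lines of `dig +short example.com CAA` into `relevant_rrset` in place of the `ZONE` entries; the parser accepts exactly that format.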
Common use cases
- Restricting to a single CA — If you use only Let’s Encrypt, a CAA record prevents any other CA from issuing a certificate for your domain, even through social-engineering attacks.
- Blocking wildcard issuance — Allow standard certificates broadly but restrict wildcard certs to only the CA your DevOps team controls.
- Misissuance reporting — The iodef tag gives you a heads-up when a CA receives a request for your domain that violates your policy — an early warning of phishing or supply-chain attacks.
- Compliance — PCI DSS v4.0 and various cloud-security frameworks recommend CAA records as a TLS certificate governance control.
- Multi-provider environments — List multiple CAs (e.g., Let’s Encrypt for auto-renewing certs plus DigiCert for EV certificates) to give your team flexibility without opening the door to all CAs.
Frequently asked questions
What happens if I have no CAA records?
Does CAA prevent certificate theft or forgery?
What flag value should I use?
Do CAA records apply to my subdomains?
How do I verify my CAA records are correct?
dig example.com CAA from the command line. You can also use online CAA checkers. Most registrars and DNS providers support CAA records; a few older ones do not.