TLS / HTTPS

How to add CAA DNS records (allowlist trusted CAs)

Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.

What it is

A CAA (Certification Authority Authorization) record is a DNS entry that names the certificate authorities allowed to issue TLS certificates for your domain. Public CAs are required to check CAA before issuing, so a record acts as a hard allowlist at the DNS layer.

Why it matters

Without CAA, any public CA can issue a certificate for your domain if an attacker convinces the CA they control it. Publishing CAA pins issuance to the providers you actually use, which limits the blast radius of a compromised account or a tricked validation check.

How it is exploited

With no CAA record on the domain, any public CA in the browser trust store is free to issue a certificate for your name. An attacker who controls an upstream CA account, or who tricks a CA's domain validation through a BGP hijack or a misconfigured reseller, can mint a trusted certificate for your hostname. They then present that cert from a man-in-the-middle position and intercept traffic from users whose browsers happily trust the new chain.

How to fix it

  1. List the CAs you actually use. Inventory every CA that issues for your apex and subdomains today (e.g. Let's Encrypt, DigiCert, Google Trust Services). Include any provider that issues on your behalf, such as a CDN or load balancer that fronts your traffic.
  2. Publish issue and issuewild records. Add CAA records on the apex naming each allowed CA. Use the issue tag for standard certificates and issuewild for wildcards. To forbid a category entirely, publish an empty issuer value for that tag, e.g. 0 issue ";".
  3. Add an iodef contact. Include an iodef record pointing at a monitored mailbox or URL so CAs can report attempted violations to you. Route this to the same alias your security team already watches.
  4. Verify the records. Query CAA with dig (dig CAA example.com) or Barrion's CAA check from a few resolvers and confirm the records have propagated. Re-test after any DNS migration or CA change so the allowlist stays accurate.

Examples by platform

DNS zone file

example.com. IN CAA 0 issue "letsencrypt.org"
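To see how a CA evaluates a published record set, here is an added Python example (not Barrion's code, nor any CA's) that parses zone-file CAA lines and applies the RFC 8659 issue, issuewild and critical-flag rules to a constructed set covering the records described in the steps above; the domain names and mailbox are placeholders.

```python
"""Evaluate a CAA RRset the way a CA does before issuing (RFC 8659 rules).
Added example, not Barrion's code; it handles one RRset (real CAs also climb to
parent domains when the FQDN has none). Sample zone lines are constructed."""
import re

# Constructed records: the allowlist from the steps above, with wildcards forbidden.
ZONE = """
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"
example.com. IN CAA 0 issuewild ";"
example.com. IN CAA 0 iodef "mailto:security@example.com"
"""

CAA_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\S+)\s+"(.*)"\s*$')

def parse_zone(text):
    """Return (flags, tag, value) tuples for every CAA line in zone-file text."""
    records = []
    for line in text.strip().splitlines():
        m = CAA_RE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(3).lower(), m.group(4)))
    return records

def issuer_domain(value):
    """Drop parameters ('digicert.com; cansignhttpexchanges=yes' -> 'digicert.com');
    the empty issuer written as ";" yields '' and authorises nobody."""
    return value.split(";", 1)[0].strip().lower()

def evaluate(records, wildcard=False):
    """Return (allowed issuers, or None when unrestricted; iodef targets; unknown critical tags)."""
    known = {"issue", "issuewild", "iodef"}
    unknown_critical = [t for f, t, _ in records if t not in known and f & 128]
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    iodef = [v for _, t, v in records if t == "iodef"]
    # issuewild replaces issue for wildcard requests only when present;
    # otherwise wildcard requests are judged against the issue set.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:  # no issue/issuewild tags at all (e.g. iodef only): not restricted
        return None, iodef, unknown_critical
    return {d for d in map(issuer_domain, relevant) if d}, iodef, unknown_critical

def permits(records, ca_domain, wildcard=False):
    """Would a CA identified by ca_domain be allowed to issue for this name?"""
    allowed, _, unknown_critical = evaluate(records, wildcard)
    if unknown_critical:  # critical flag on a tag the CA does not understand: must refuse
        return False
    return allowed is None or ca_domain.lower() in allowed
```

With the constructed set, permits() returns True for letsencrypt.org and digicert.com on standard names, False for any CA on a wildcard name, and False for a CA not listed.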

Frequently asked questions

What is a CAA record?
A CAA (Certification Authority Authorization) record is a DNS entry that lists which certificate authorities are allowed to issue TLS certificates for your domain. Public CAs are required by the CA/Browser Forum Baseline Requirements to check CAA before issuance.
Does CAA prevent compromise?
No. CAA narrows which CAs can issue for your domain, but it does not stop an attacker who already controls an account at an allowlisted CA or who can hijack domain validation. Treat it as one layer alongside DNSSEC, account hardening, and certificate transparency monitoring.
Can I have multiple CAA records?
Yes. Add one record per allowed CA using the issue tag, plus issuewild for wildcards. You can also add an iodef record so CAs can report attempted violations to a monitored mailbox or URL.