CAA Record Generator

By SSLMate

CAA is a type of DNS record that lets you control which certificate authorities can issue certificates for your domain. Enter your domain name, check off the certificate authorities that you authorize, and publish the generated DNS records. You can separately authorize the ability to issue wildcard and non-wildcard certificates.

Starting September 8, 2017, all publicly-trusted CAs will be required to respect CAA records. Until then, only the CAs listed below are known to respect CAA records, and other CAs may issue certificates regardless of a domain's CAA records. Please open an issue if you know of an unlisted CA that already supports CAA.

CAs known to respect CAA records (each can be authorized separately for non-wildcard and wildcard issuance):

• Comodo
• DigiCert
• Entrust
• GlobalSign
• Izenpe
• Let's Encrypt
• Symantec (GeoTrust, Thawte, RapidSSL)
• WoSign
Standard BIND Zone File

For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0

Legacy Zone File (RFC 3597 Syntax)

For BIND <9.9.6, NSD <4.0.1

tinydns

Generic

For Google Cloud DNS, DNSimple
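The four output syntaxes above differ only in how the same CAA RDATA is written down. The following is an added example, not SSLMate's generator code, that builds the RFC 6844 wire format for a set of issue/issuewild properties and renders it as native BIND syntax, RFC 3597 unknown-type syntax (TYPE257 with a hex octet string), a tinydns generic record line, and the name/type/data triples a web console such as Google Cloud DNS expects. The domain `example.com` and the issuer lists are constructed input; `letsencrypt.org` and `digicert.com` are real CAA issuer identifiers. An empty issuer list is rendered as the value `;`, which CAA uses to mean "no CA", so leaving wildcard issuance unchecked produces an explicit `issuewild ";"` record rather than silently letting the `issue` records govern wildcards.

```python
"""Added example (not SSLMate's generator code): emit one domain's CAA records in
the four syntaxes listed on this page. The domain and issuer lists used at the
bottom are constructed input."""


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """RFC 6844 wire format: flags octet, tag-length octet, tag, then the value."""
    tag_b = tag.encode("ascii")
    if not (0 <= flags <= 255 and 1 <= len(tag_b) <= 255):
        raise ValueError("flags must fit one octet; tag must be 1..255 octets")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def parse_caa_rdata(rdata: bytes) -> tuple:
    """Inverse of caa_rdata, used to confirm the RFC 3597 encoding round-trips."""
    if len(rdata) < 2 or len(rdata) < 2 + rdata[1]:
        raise ValueError("truncated CAA RDATA")
    flags, tag_len = rdata[0], rdata[1]
    return flags, rdata[2:2 + tag_len].decode("ascii"), rdata[2 + tag_len:].decode("ascii")


def caa_properties(issue, issuewild):
    """Build (flags, tag, value) tuples. An empty list means 'no CA', which CAA
    expresses with the value ';' rather than by omitting the tag (omitting
    issuewild entirely would let the issue records govern wildcards too)."""
    props = [(0, "issue", ca) for ca in issue] or [(0, "issue", ";")]
    props += [(0, "issuewild", ca) for ca in issuewild] or [(0, "issuewild", ";")]
    return props


def bind_zone(domain, props):
    """Native CAA syntax for BIND >=9.9.6, PowerDNS >=4.0.0, NSD >=4.0.1, Knot >=2.2.0."""
    return "\n".join(f'{domain}.\tIN\tCAA\t{f} {t} "{v}"' for f, t, v in props)


def rfc3597_zone(domain, props):
    """Unknown-type syntax for older BIND/NSD: TYPE257 \\# <octet count> <hex RDATA>."""
    lines = []
    for f, t, v in props:
        rd = caa_rdata(f, t, v)
        lines.append(f"{domain}.\tIN\tTYPE257\t\\# {len(rd)} {rd.hex()}")
    return "\n".join(lines)


def tinydns_data(domain, props):
    """tinydns generic record ':fqdn:257:rdata:'. Printable bytes other than
    ':' and '\\' are written literally; everything else is a three-digit octal escape."""
    def esc(b):
        return "".join(chr(c) if 33 <= c <= 126 and c not in (58, 92) else f"\\{c:03o}" for c in b)
    return "\n".join(f":{domain}:257:{esc(caa_rdata(f, t, v))}:" for f, t, v in props)


def generic_records(domain, props):
    """(name, type, data) triples for consoles such as Google Cloud DNS or DNSimple."""
    return [(domain, "CAA", f'{f} {t} "{v}"') for f, t, v in props]


if __name__ == "__main__":
    # Constructed input: authorize two CAs for ordinary certificates, nobody for wildcards.
    props = caa_properties(issue=["letsencrypt.org", "digicert.com"], issuewild=[])
    print(bind_zone("example.com", props))
    print(rfc3597_zone("example.com", props))
    print(tinydns_data("example.com", props))
    print(generic_records("example.com", props))
```

The RFC 3597 form is the one to check most carefully when editing by hand: the octet count after `\#` must equal the decoded length of the hex string, and the second octet must equal the tag length, or the record will be rejected or misparsed by the server; `parse_caa_rdata` is there to verify that before publishing.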

    What is CAA?

    CAA is a standard that lets you control what certificate authorities (CAs) are allowed to issue certificates for your domain. You can use CAA to reduce your exposure to vulnerabilities in certificate authority validation systems and to enforce certificate procurement policies.

    To use CAA, you publish a set of CAA records in your domain's DNS that list the CAs which you authorize to issue certificates. Before issuing a certificate, the CA checks your CAA records and blocks the request if they are not listed.
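To make the check a CA performs concrete, here is an added example (not SSLMate's or any CA's code) that simulates the issuance decision over a constructed in-memory zone so it runs offline. It follows RFC 6844: climb from the requested name toward the root and take the first name that holds CAA records as the relevant set; treat no records anywhere as "no restriction"; refuse if a record with the critical flag (128) carries a tag the CA does not recognize; for a wildcard request use `issuewild` records when any exist and otherwise fall back to `issue`. Two simplifications are assumed and labelled in the code: CNAME/DNAME redirection is ignored, and a wildcard name is evaluated at its parent with the `*.` stripped. The zone contents, including the `unknown-policy` tag, are constructed.

```python
"""Added example (not SSLMate's or any CA's code): the decision a CAA-aware CA
makes before issuing, run over a constructed zone so it works offline.
Assumptions: CNAME/DNAME redirection from RFC 6844 section 4 is ignored, and a
wildcard name is evaluated at its parent (the leading '*.' stripped)."""

# Constructed zone: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "sub.example.com": [(0, "issue", "digicert.com")],
    "locked.test": [(128, "unknown-policy", "x")],   # critical flag on a made-up tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # the property tags RFC 6844 defines


def relevant_records(zone, name):
    """Climb from name toward the root; the first name holding CAA records is the
    relevant record set and shadows any records further up the tree."""
    labels = name.split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def authorized_issuers(records, tag):
    """Issuer domains named by records with this tag. A value of ';' names no
    issuer, so it contributes nothing and on its own permits nobody."""
    issuers = set()
    for _, t, value in records:
        if t == tag:
            issuer = value.split(";", 1)[0].strip()
            if issuer:
                issuers.add(issuer)
    return issuers


def issuance_permitted(zone, fqdn, ca_identifier):
    """True if a CA identified by ca_identifier may issue for fqdn under this zone."""
    wildcard = fqdn.startswith("*.")
    records = relevant_records(zone, fqdn[2:] if wildcard else fqdn)
    if not records:
        return True            # no CAA anywhere up the tree: no restriction
    if any(flags & 128 and t not in KNOWN_TAGS for flags, t, _ in records):
        return False           # critical property the CA does not understand
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"      # issuewild overrides issue only when it is present
    return ca_identifier in authorized_issuers(records, tag)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("host.sub.example.com", "letsencrypt.org"),
                     ("nothing.test", "digicert.com")]:
        print(f"{ca:16} -> {name:22} {'permitted' if issuance_permitted(ZONE, name, ca) else 'refused'}")
```

Two behaviours in the constructed zone are worth noticing: `sub.example.com` has its own `issue` record, so the parent's `letsencrypt.org` authorization does not reach names beneath it, and the absence of `issuewild` there means `digicert.com` may also issue `*.sub.example.com`, while `*.example.com` is refused to everyone because of the explicit `issuewild ";"`.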

    This page helps you set up CAA for your domain. Enter your domain name above and check off which CAs you authorize. You can separately authorize the ability to issue wildcard and non-wildcard certificates.

    Who Supports CAA?

    The following DNS server software supports CAA records:

    • BIND (Prior to version 9.9.6 use RFC 3597 syntax)
    • NSD (Prior to version 4.0.1 use RFC 3597 syntax)
    • PowerDNS ≥4.0.0
    • Knot DNS ≥2.2.0
    • Simple DNS Plus ≥6.0
    • Windows Server 2016 (use RFC 3597 syntax)
    • tinydns (use generic record syntax)
    • ldns ≥1.6.17
    • OpenDNSSEC (with ldns ≥1.6.17)

    The following DNS services support CAA records:

    • Google Cloud DNS (but not Google Domains DNS)
    • DNSimple
    • DNS Made Easy
    • Constellix DNS
    • Cloudflare (in beta; ask support to enable)
    • Dyn Managed DNS
    • ClouDNS
    • Afraid.org Free DNS
    • Neustar UltraDNS
    • Gandi
    • Domeneshop (Domainnameshop)
    • Hurricane Electric Free DNS
    • BuddyNS

    Please open an issue if you have an addition to this list.