CAA Record Generator

By SSLMate

CAA is a type of DNS record that lets you control which certificate authorities can issue certificates for your domain. Enter your domain name, check off the certificate authorities that you authorize, and publish the generated DNS records. You can separately authorize the ability to issue wildcard and non-wildcard certificates.

Note that some certificate authorities do not respect CAA records; since publishing a CAA record cannot stop such a CA from issuing for your domain, they cannot be unchecked.

Not all CAs are listed yet. Please open an issue if you know whether an unlisted CA supports CAA or not.

Type of certificate: Non-Wildcard | Wildcard

  Amazon                                  Does not respect CAA
  Certum                                  Does not respect CAA
  DFN-PKI                                 Does not respect CAA
  D-Trust                                 Does not respect CAA
  GlobalSign                              Does not respect CAA
  GoDaddy (Starfield Technologies)        Does not respect CAA
  Let's Encrypt
  QuoVadis                                Does not respect CAA
  StartCom                                Does not respect CAA
  Symantec (GeoTrust, Thawte, RapidSSL)
  T-TeleSec                               Does not respect CAA
  Trustwave                               Does not respect CAA


Standard BIND Zone File

For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0


Legacy Zone File (RFC 3597 Syntax)

For BIND <9.9.6, NSD <4.0.1

For Google Cloud DNS, DNSimple

    What is CAA?

    CAA is a standard that lets you control what certificate authorities (CAs) are allowed to issue certificates for your domain. You can use CAA to reduce your exposure to vulnerabilities in certificate authority validation systems and to enforce certificate procurement policies.

    To use CAA, you publish a set of CAA records in your domain's DNS that list the CAs which you authorize to issue certificates. Before issuing a certificate, the CA looks up the CAA records for the requested name, climbing to the parent domain until it finds a record set, and refuses the request if it is not listed there. If no CAA records exist anywhere in that chain, CAA places no restriction on issuance, so a domain that publishes nothing is open to every CA.
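As an added illustration of the check described above (not SSLMate's code, and not any CA's production logic), the following Python walks the DNS tree from the requested name to find the relevant CAA record set and applies the issue/issuewild and critical-flag rules from RFC 6844. The zone contents, domain names and the CA identifiers letsencrypt.org and digicert.com are constructed for the example; it also shows the case the page does not spell out, a subdomain with its own records, whose record set replaces rather than merges with the parent's.

```python
# Added example: how a CA evaluates CAA before issuing (RFC 6844 rules).
# Not SSLMate's code and not any CA's production logic; zone contents,
# names and CA identifiers below are constructed for illustration.

# Constructed sample zone data: owner name -> list of (flags, tag, value).
SAMPLE_CAA = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),   # only this CA may issue non-wildcards
        (0, "issuewild", ";"),             # ";" forbids wildcard issuance by anyone
    ],
    "shop.example.com.": [
        (0, "issue", "digicert.com; account=12345"),  # value may carry parameters
    ],
    "legacy.example.com.": [
        (128, "futuretag", "x"),           # critical flag set on an unknown tag
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128   # bit 0 of the flags byte in wire order: the issuer-critical flag


def find_relevant_rrset(name, zone):
    """Climb from the FQDN toward the root and return the first non-empty
    CAA record set; [] if no label in the chain has CAA records.
    The closest record set wins and is not merged with its parents."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if zone.get(candidate):
            return zone[candidate]
    return []


def may_issue(name, ca_domain, zone):
    """Return True if the CA identified by ca_domain may issue a certificate
    for name. A leading "*." label marks a wildcard request; the CAA lookup
    is done on the name with that label removed."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = find_relevant_rrset(base, zone)
    if not rrset:
        return True   # no CAA anywhere in the chain: CAA imposes no restriction

    # An unknown tag with the critical flag set means the CA must refuse,
    # because it cannot know what the record owner intended to require.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False

    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # issuewild governs wildcard requests only when at least one is present;
    # otherwise wildcard requests fall back to the issue records.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True   # records exist but none restrict this request type

    for value in applicable:
        issuer = value.split(";", 1)[0].strip()   # drop "; key=value" parameters
        if issuer and issuer.lower() == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for req, ca in [("www.example.com", "letsencrypt.org"),
                    ("www.example.com", "digicert.com"),
                    ("*.example.com", "letsencrypt.org"),
                    ("shop.example.com", "digicert.com"),
                    ("*.shop.example.com", "digicert.com"),
                    ("legacy.example.com", "letsencrypt.org"),
                    ("other.test", "letsencrypt.org")]:
        verdict = "allowed" if may_issue(req, ca, SAMPLE_CAA) else "refused"
        print(f"{ca:16} -> {req:22} {verdict}")
```

Two consequences worth noticing when you plan your records: the issuewild ";" at example.com does not protect *.shop.example.com, because shop.example.com has its own record set and that set, lacking issuewild, lets its issue records govern wildcards; and a domain with no CAA records at all is allowed for any CA, so CAA only restricts what you explicitly publish.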

    This page helps you set up CAA for your domain. Enter your domain name above and check off which CAs you authorize. You can separately authorize the ability to issue wildcard and non-wildcard certificates.
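As an added example of what the zone-file panels above produce (standard syntax for BIND ≥9.9.6, PowerDNS, NSD and Knot, and the RFC 3597 generic syntax for older BIND and NSD), here is Python that builds the records for a chosen set of CAs and encodes them both ways. It is not SSLMate's generator; the zone name example.com and the CA identifiers letsencrypt.org and digicert.com are assumptions. The decoder at the end lets you check a hand-typed legacy record, since a mistyped length or hex byte changes the record a CA sees.

```python
# Added example: emitting CAA records in the two zone-file syntaxes this page
# offers, plus a decoder to verify a hand-written legacy record. This is not
# SSLMate's generator code; the zone name and CA choices are assumptions.
import re

CAA_TYPE = 257   # RR type number assigned to CAA, hence "TYPE257" in RFC 3597 syntax


def caa_records(issue_cas, issuewild_cas=None):
    """Build (flags, tag, value) tuples from the CA identifier domains you
    authorize. An empty list produces the special value ";" which forbids all
    issuance of that certificate type. Passing None for issuewild_cas omits
    issuewild entirely, in which case the issue records also govern wildcards."""
    records = [(0, "issue", ca) for ca in issue_cas] or [(0, "issue", ";")]
    if issuewild_cas is not None:
        records += [(0, "issuewild", ca) for ca in issuewild_cas] or [(0, "issuewild", ";")]
    return records


def _fqdn(owner):
    return owner if owner.endswith(".") else owner + "."


def to_standard(owner, records):
    """Standard presentation syntax (BIND >= 9.9.6, PowerDNS, NSD, Knot)."""
    return [f'{_fqdn(owner)} IN CAA {flags} {tag} "{value}"'
            for flags, tag, value in records]


def to_rfc3597(owner, records):
    """RFC 3597 generic syntax for servers that predate native CAA support.
    Wire RDATA is: flags (1 byte), tag length (1 byte), tag bytes, value bytes;
    the record is written as TYPE257 \\# <length> <hex>."""
    lines = []
    for flags, tag, value in records:
        tag_b, val_b = tag.encode("ascii"), value.encode("ascii")
        rdata = bytes([flags, len(tag_b)]) + tag_b + val_b
        lines.append(f"{_fqdn(owner)} IN TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex()}")
    return lines


def from_rfc3597(line):
    """Decode one generic-syntax line back into (flags, tag, value) so a
    legacy record can be checked against what you meant to publish.
    Whitespace inside the hex, which RFC 3597 allows, is accepted."""
    m = re.search(r"\\# (\d+) ([0-9a-fA-F\s]+)$", line.strip())
    if not m:
        raise ValueError("not an RFC 3597 generic record")
    rdata = bytes.fromhex("".join(m.group(2).split()))
    if len(rdata) != int(m.group(1)):
        raise ValueError("declared RDATA length does not match the hex data")
    flags, taglen = rdata[0], rdata[1]
    if taglen == 0 or 2 + taglen > len(rdata):
        raise ValueError("invalid tag length")
    tag = rdata[2:2 + taglen].decode("ascii")
    value = rdata[2 + taglen:].decode("ascii")
    return flags, tag, value


if __name__ == "__main__":
    recs = caa_records(["letsencrypt.org"], [])   # Let's Encrypt only, no wildcards
    print("\n".join(to_standard("example.com", recs)))
    print("\n".join(to_rfc3597("example.com", recs)))
```

Both outputs describe the same two records; the generic form is simply the wire RDATA written as hex with its byte count, which is why the same line works on any server that accepts RFC 3597 syntax regardless of whether it knows what type 257 means.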

    Who Supports CAA?

    The following CAs respect CAA records. "Hard" means the CA rejects requests that don't comply with the CAA records. "Soft" means they may issue non-compliant certificates after further review.

    • Comodo (soft)
    • DigiCert (soft)
    • Entrust (soft)
    • Izenpe (soft)
    • Let's Encrypt (hard)
    • Symantec/GeoTrust/Thawte (unknown policy)

    The following DNS server software supports CAA records:

    • BIND (Prior to version 9.9.6 use RFC 3597 syntax)
    • NSD (Prior to version 4.0.1 use RFC 3597 syntax)
    • PowerDNS ≥4.0.0
    • Knot DNS ≥2.2.0
    • Simple DNS Plus ≥6.0
    • Windows Server 2016 (use RFC 3597 syntax)
    • tinydns (use generic record syntax)
    • ldns ≥1.6.17
    • OpenDNSSEC (with ldns ≥1.6.17)

    The following DNS services support CAA records:

    • Google Cloud DNS (but not Google Domains DNS)
    • DNSimple
    • DNS Made Easy
    • Constellix DNS
    • Cloudflare (in beta; ask support to enable)
    • Dyn Managed DNS
    • ClouDNS
    • Free DNS
    • Neustar UltraDNS

    Please open an issue if you have an addition to this list.