CAA Record Generator

By SSLMate

CAA is a type of DNS record that lets you control which certificate authorities can issue certificates for your domain. Enter your domain name, check off the certificate authorities that you authorize, and publish the generated DNS records. You can separately authorize the ability to issue wildcard and non-wildcard certificates.

Note that some certificate authorities do not respect CAA records and therefore cannot be unchecked.

Not all CAs are listed yet. Please open an issue if you know whether an unlisted CA supports CAA or not.

Type of certificate: Non-Wildcard / Wildcard (each CA can be checked separately for each type)

• Amazon: does not respect CAA
• Certum: does not respect CAA
• Comodo
• D-Trust: does not respect CAA
• DigiCert
• Entrust
• GeoTrust (Symantec)
• GlobalSign: does not respect CAA
• GoDaddy: does not respect CAA
• Izenpe
• Let's Encrypt
• QuoVadis: does not respect CAA
• Starfield (GoDaddy): does not respect CAA
• StartCom (WoSign): does not respect CAA
• Symantec
• T-Telesec: does not respect CAA
• Thawte (Symantec)
• Trustwave: does not respect CAA
• WoSign

Standard BIND Zone File

For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0

Legacy Zone File (RFC 3597 Syntax)

For BIND <9.9.6, NSD <4.0.1


tinydns


Generic

For Google Cloud DNS, DNSimple
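The following is an added example, not the SSLMate tool's own code: it builds the CAA records for a domain in the three syntaxes offered above (standard presentation syntax, RFC 3597 TYPE257 syntax, and the tinydns generic line). It assumes flags 0, ASCII CA names, and a 3600-second TTL for tinydns.

```python
# Added example (not SSLMate's generator): emit CAA records for a domain in the
# standard, RFC 3597 and tinydns syntaxes. Assumes flags 0 and ASCII CA names.

def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """RFC 6844 wire format: flags (1 byte), tag length (1 byte), tag, value."""
    tag_b, value_b = tag.encode("ascii"), value.encode("ascii")
    if not (0 <= flags <= 255 and 1 <= len(tag_b) <= 255):
        raise ValueError("flags must fit one byte and tag must be 1..255 bytes")
    return bytes([flags, len(tag_b)]) + tag_b + value_b

def bind_record(owner: str, flags: int, tag: str, value: str) -> str:
    """Standard presentation syntax (BIND >=9.9.6, PowerDNS, NSD, Knot DNS)."""
    return f'{owner}.\tIN\tCAA\t{flags} {tag} "{value}"'

def rfc3597_record(owner: str, flags: int, tag: str, value: str) -> str:
    """Unknown-type syntax for older servers: TYPE257 \\# <length> <hex rdata>."""
    data = caa_rdata(flags, tag, value)
    return f"{owner}.\tIN\tTYPE257\t\\# {len(data)} {data.hex()}"

def tinydns_record(owner: str, flags: int, tag: str, value: str, ttl: int = 3600) -> str:
    """tinydns generic line :fqdn:257:rdata:ttl, octal-escaping bytes that are
    non-printable or special to tinydns-data (':' and '\\')."""
    data = caa_rdata(flags, tag, value)
    rdata = "".join(chr(b) if 0x21 <= b <= 0x7E and b not in (0x3A, 0x5C)
                    else f"\\{b:03o}" for b in data)
    return f":{owner}:257:{rdata}:{ttl}"

def caa_policy(issue: list, issuewild=None) -> list:
    """Return (flags, tag, value) tuples for a policy.
    An empty issue list denies all issuance with issue ";".
    issuewild=None omits issuewild, so wildcards fall back to the issue set
    (RFC 6844); an empty issuewild list denies wildcards explicitly."""
    policy = [(0, "issue", ca) for ca in issue] or [(0, "issue", ";")]
    if issuewild is not None:
        policy += [(0, "issuewild", ca) for ca in issuewild] or [(0, "issuewild", ";")]
    return policy

def zone_lines(owner: str, issue: list, issuewild=None, fmt=bind_record) -> list:
    """Render the whole policy with one of the record formatters above."""
    return [fmt(owner, *rec) for rec in caa_policy(issue, issuewild)]

if __name__ == "__main__":
    # Constructed sample: allow two CAs for non-wildcard certs, deny all wildcards.
    for fmt in (bind_record, rfc3597_record, tinydns_record):
        for line in zone_lines("example.com", ["letsencrypt.org", "digicert.com"], [], fmt):
            print(line)
```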

    What is CAA?

    CAA is a standard that lets you control what certificate authorities (CAs) are allowed to issue certificates for your domain. You can use CAA to reduce your exposure to vulnerabilities in certificate authority validation systems and to enforce certificate procurement policies.

    To use CAA, you publish a set of CAA records in your domain's DNS that list the CAs which you authorize to issue certificates. Before issuing a certificate, the CA checks your CAA records and blocks the request if it is not listed.

    This page helps you set up CAA for your domain. Enter your domain name above and check off which CAs you authorize. You can separately authorize the ability to issue wildcard and non-wildcard certificates.

    Who Supports CAA?

    The following CAs respect CAA records. "Hard" means the CA rejects requests that don't comply with the CAA records. "Soft" means they may issue non-compliant certificates after further review.

    • Comodo (soft)
    • DigiCert (soft)
    • Entrust (soft)
    • Izenpe (soft)
    • Let's Encrypt (hard)
    • Symantec/GeoTrust/Thawte (unknown policy)

    The following DNS server software supports CAA records:

    • BIND (Prior to version 9.9.6 use RFC 3597 syntax)
    • NSD (Prior to version 4.0.1 use RFC 3597 syntax)
    • PowerDNS ≥4.0.0
    • Knot DNS ≥2.2.0
    • Simple DNS Plus ≥6.0
    • Windows Server 2016 (use RFC 3597 syntax)
    • tinydns (use generic record syntax)
    • ldns ≥1.6.17
    • OpenDNSSEC (with ldns ≥1.6.17)

    The following DNS services support CAA records:

    • Google Cloud DNS (but not Google Domains DNS)
    • DNSimple
    • DNS Made Easy
    • Constellix DNS

    Please open an issue if you have an addition to this list.