CAA is a type of DNS record that lets you control which certificate authorities can issue certificates for your domain. Enter your domain name, check off the certificate authorities that you authorize, and publish the generated DNS records. You can separately authorize the ability to issue wildcard and non-wildcard certificates.
Note that some certificate authorities do not respect CAA records and therefore cannot be unchecked.
Not all CAs are listed yet. Please open an issue if you know whether an unlisted CA supports CAA or not.
For BIND ≥9.9.6, PowerDNS ≥4.0.0, NSD ≥4.0.1, Knot DNS ≥2.2.0
For BIND <9.9.6, NSD <4.0.1
For Google Cloud DNS, DNSimple
CAA is a standard that lets you control what certificate authorities (CAs) are allowed to issue certificates for your domain. You can use CAA to reduce your exposure to vulnerabilities in certificate authority validation systems and to enforce certificate procurement policies.
To use CAA, you publish a set of CAA records in your domain's DNS that list the CAs which you authorize to issue certificates. Before issuing a certificate, the CA checks your CAA records and blocks the request if they are not listed.
This page helps you set up CAA for your domain. Enter your domain name above and check off which CAs you authorize. You can separately authorize the ability to issue wildcard and non-wildcard certificates.
The following CAs respect CAA records. "Hard" means the CA rejects requests that don't comply with the CAA records. "Soft" means they may issue non-compliant certificates after further review.
The following DNS server software supports CAA records:
The following DNS services support CAA records:
Please open an issue if you have an addition to this list.