CAA (Certification Authority Authorization) records are DNS records that allow a Certificate Authority (a party that issues SSL certificates) to verify whether it is allowed to issue a certificate for your domain. In addition, browsers can check whether the certificate that your domain provides is actually allowed to work for your domain. This makes abuse by sites with HTTPS less easy.

The CAA record

A DNS record with type CAA consists of three things

  • A flag indicating whether the record is to be applied strictly or not. 0 is not strict, 1 is strict.
  • A property tag that indicates the role of this record
  • The actual content of the CAA record

There are three property tags

  • issue - indicates whether a CA may issue a certificate
  • issuewild - indicates whether a CA is allowed to issue a certificate that works as a wildcard.
  • Periodf - who should be emailed if a breach of the CAA record occurs.

The CAA part of a zone can therefore contain several records. An example is given below. CAA 0 issue "" CAA 0 issuewild ";" CAA 0 iodef ""

In the above example CA may issue Comodo certificates. No CA has been entered as a wildcard and in the event of violations, will be emailed.

At Savvii
You don't set a CAA record at Savvii. You set this up with the party that manages your DNS. There is no need to create a separate CAA record for subdomains.

The content of your CAA record depends on the suppliers of your certificates. If you take a paid certificate from Savvii (DV, WC or EV), it will be issued by Comodo and you will need to set up "" in case of issue. Savvii also automatically creates certificates of Let's Encrypt. To do this, use the issue "". If necessary, you can also add your own suppliers for certificates. Don't have your own suppliers? Then the following example is a safe set to write down. Please note that you will only use the issue game if you are actually going to order such certificates! CAA 0 issue "" CAA 0 issue "" CAA 0 issuewild ";" CAA 0 iodef ""