How to Manage CAA Records

Adding a domain you own to your DigitalOcean account lets you manage the domain’s DNS records with the control panel and API. Domains you manage on DigitalOcean integrate with DigitalOcean Load Balancers and Spaces to streamline automatic SSL certificate management.


Certificate Authority Authorization (CAA) is a standard designed to prevent bad actors from creating unauthorized SSL/TLS certificates. CAA records specify which Certificate Authorities (CAs) can issue certificates for your domain.

Like other types of DNS records, CAA records can apply to an entire domain (like example.com) or to specific subdomains (like assets.example.com).

To allow multiple CAs to issue certificates, each requires its own record.

Create a CAA Record

To create a CAA record from the control panel, in the left menu, click Networking and then click the Domains tab. From the Domains tab, click the domain you want to add the record to. From the domain’s page, under the Create new record header, click CAA. The CAA tab contains the fields you need to add CAA records.

A screenshot of the DNS control panel displaying the configuration of a CAA record.

In the HOSTNAME field, enter the hostname you want the record to apply to, such as the root domain (@) or a subdomain like www.example.com. In the TTL field, enter the number of seconds that you would like DNS resolvers to cache the record for. We recommend a value between 3600 (1 hour) and 86400 (24 hours) for most records as this allows for caching while still refreshing records regularly.

Once you’ve entered those values, review the following sections to input values for the AUTHORITY GRANTED FOR, TAG, and FLAG fields.

Tags

Tags define the type of CAA record you are creating. There are three types of CAA records:

  • issue authorizes a single CA to issue any type of certificate for a specific hostname.
  • issuewild authorizes a single CA to issue wildcard certificates for a hostname. For example, if you set this tag for the hostname example.com, your CA can issue certificates for example.com and any potential subdomains, such as support.example.com.
  • iodef defines a URL or mailto URI where a CA can report policy violations. Each contact URL requires its own record.

Select a CAA record type from the TAG field. The tag value determines what value you can enter in to the Authority Granted For field.

Authority Granted For

The AUTHORITY GRANTED FOR field defines the CA or contact URL that corresponds to the selected tag value.

If you selected the issue or issuewild tag, enter the domain name of the CA you want to authorize, such as letsencrypt.org. If you selected the iodef tag, enter a URL or mailto URI to define where CAs should report policy violations, such as mailto:[email protected].

Flags

Flags are unsigned integers between 0 and 255. Currently this field is used to set an issuer critical flag, which specifies how a CA should behave when it encounters a tag it doesn’t understand. The default flag is 0, which indicates that the record is non-critical and doesn’t require any special processing by CAs. However, if the flag is set to 128, it indicates that the CAA record’s tag is critical, and any CA that does not understand the tag should not issue a certificate.

For most CAA records, this field can be set to 0.

Once you’ve filled out all the fields, click Create Record to add the CAA record to your domain’s DNS configuration.

Note

DigitalOcean DNS does not support the following CAA standard features:

  • Blocking anyone from issuing certificates by sending a semicolon (;) as the value
  • Allowing name-value tags after the CA name, for example: letsencrypt.org; abc=cde