# How to Manage CAA Records

Adding a domain you own to your DigitalOcean account lets you manage the domain’s DNS records with the control panel and API. Domains you manage on DigitalOcean integrate with DigitalOcean Load Balancers and Spaces to streamline automatic SSL certificate management.

Certificate Authority Authorization (CAA) is a standard designed to prevent bad actors from creating unauthorized SSL/TLS certificates. CAA records specify which Certificate Authorities (CAs) can issue certificates for your domain. Like other types of DNS records, CAA records can apply to an entire domain (like `example.com`) or to specific subdomains (like `assets.example.com`). To allow multiple CAs to issue certificates, each requires its own record.

## Create a CAA Record

To create a CAA record from the [control panel](https://cloud.digitalocean.com), in the left menu, click **Networking** and then click the **Domains** tab. From the **Domains** tab, click the domain you want to add the record to.

From the domain’s page, click **Create a record**, then under **Record Type** select **CAA**. The window updates with the fields you need to add CAA records.

In the **Hostname** field, enter the hostname you want the record to apply to, such as the root domain (`@`) or a subdomain like `www.example.com`.

In the **TTL** field, enter the number of seconds that you would like DNS resolvers to cache the record for. We recommend a value between 3,600 (1 hour) and 86,400 (24 hours) for most records as this allows for caching while still refreshing records regularly.

Once you’ve entered those values, review the following sections to input values for the **Authority granted for**, **Tag**, and **Flags** fields.

### Tags

Tags define the type of CAA record you are creating. There are three types of CAA records:

- `issue` authorizes a single CA to issue any type of certificate for a specific hostname.
- `issuewild` authorizes a single CA to issue wildcard certificates for a hostname. For example, if you set this tag for the hostname `example.com`, your CA can issue certificates for `example.com` and any potential subdomains, such as `support.example.com`.
- `iodef` defines a URL or `mailto` URI where a CA can report policy violations. Each contact URL requires its own record.

Select a CAA record type from the **Tag** field. The tag value determines what value you can enter into the **Authority granted for** field.

### Authority Granted For

The **Authority granted for** field defines the CA or contact URL that corresponds to the selected tag value.

If you selected the `issue` or `issuewild` tag, enter the domain name of the CA you want to authorize, such as `letsencrypt.org`.

If you selected the `iodef` tag, enter a URL or `mailto` URI to define where CAs should report policy violations, such as `mailto:caa-contact@example.com`.

### Flags

Flags are unsigned integers between 0 and 255. Currently this field is used to set an issuer critical flag, which specifies how a CA should behave when it encounters a tag it doesn’t understand.

The default flag is `0`, which indicates that the record is non-critical and doesn’t require any special processing by CAs. However, if the flag is set to `128`, it indicates that the CAA record’s tag is critical, and any CA that does not understand the tag should not issue a certificate. For most CAA records, this field can be set to `0`.

Once you’ve filled out all the fields, click **Create Record** to add the CAA record to your domain’s DNS configuration.

**Note**: DigitalOcean DNS does not support the following CAA standard features:

- Blocking anyone from issuing certificates by sending a semicolon (`;`) as the value
- Allowing name-value tags after the CA name, for example: `letsencrypt.org; abc=cde`
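
How a CA evaluates the tags and flags described above, following the CAA processing rules in RFC 8659, as an added example that is not DigitalOcean code: it finds the closest name that has CAA records, refuses on a critical record with an unknown tag, then checks the `issue` or `issuewild` list. The zone data, the CA name `ca.example.net`, the tag `futuretag`, and the function names are constructed for illustration, and no DNS queries are made.

```python
# Added example with constructed zone data; no DNS lookups are performed.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer critical flag value from the Flags section

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def may_issue(zone, ca, fqdn):
    """Return (allowed, reason) for a CA identified by its domain name `ca`."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    # A critical record whose tag the CA does not understand blocks issuance.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {tag!r}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild records when any exist, otherwise issue.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True, "no records restrict issuance"
    if ca.lower() in (v.strip().lower() for v in allowed):
        return True, "CA is listed"
    return False, "CA is not listed"

# Constructed sample zone: name -> list of (flags, tag, value)
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "ca.example.net"),  # a second CA needs its own record
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:caa-contact@example.com"),
    ],
    "assets.example.com": [(0, "issue", "ca.example.net")],
    "legacy.example.com": [(128, "futuretag", "x"), (0, "issue", "letsencrypt.org")],
}

if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"),
                     ("ca.example.net", "*.example.com"),
                     ("letsencrypt.org", "assets.example.com"),
                     ("letsencrypt.org", "legacy.example.com")]:
        print(ca, name, may_issue(ZONE, ca, name))
```

A record on a subdomain replaces the parent domain's records for that name rather than adding to them, which is why `letsencrypt.org` is refused for `assets.example.com` in the sample zone.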