CAA Record Builder

Compose CAA DNS records (issue, issuewild, iodef).


Overview

The CAA Record Builder generates DNS Certification Authority Authorization records: the entries you publish in your zone to control which certificate authorities are allowed to issue TLS certificates for your domain. It outputs ready-to-paste issue, issuewild, and iodef lines in the BIND-style format most DNS providers accept.

This is what you reach for when locking down certificate issuance to a single CA, adding a new ACME-friendly issuer, setting up CAA DNS records for Let's Encrypt, or restricting wildcard certificate issuance. Useful for security engineers, DevOps engineers, and anyone hardening a domain after a phishing or mis-issuance incident.

How it works

CAA records are defined in RFC 8659 and consist of three fields: a flag byte (typically 0; 128 marks the property as issuer-critical), a tag (issue, issuewild, or iodef), and a value. issue authorizes the named CA to issue certificates for the name (wildcards included, unless a separate issuewild record is present); issuewild governs wildcard issuance only; iodef gives a contact URL (mailto: or https:) to which CAs report policy violations.

Before issuing a certificate, a compliant CA must look up the CAA record set at the requested name and, if none is present, walk up the DNS tree until it finds one. If a record set is found and none of its issue entries (or, for a wildcard request, its issuewild entries) name that CA, the CA must refuse to issue; if no CAA record exists anywhere up the chain, issuance is not restricted. An empty value (";") explicitly denies all CAs.

Examples

  • 0 issue "letsencrypt.org" — only Let's Encrypt may issue non-wildcard certs.
  • 0 issuewild "letsencrypt.org" — only Let's Encrypt may issue wildcard certs.
  • 0 iodef "mailto:security@example.com" — CAs report policy violations to this address.
  • 0 issue ";" — no CA may issue certificates for this name.
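As an added illustration (not the builder's own code), the following Python composes the BIND-style lines shown above and applies the lookup rules described under "How it works" to a constructed zone: walking from the requested name toward the root, letting issuewild override issue for wildcard requests, and treating ";" as a denial. The zone contents and the CA name other-ca.example are placeholders.

```python
# Added example (not the builder's code): compose BIND-style CAA lines and
# evaluate them as RFC 8659 describes. All zone data below is constructed.
def caa_record(owner, tag, value, flags=0):
    """Return one ready-to-paste BIND zone line for a CAA property."""
    if tag not in ("issue", "issuewild", "iodef"):
        raise ValueError(f"unknown CAA tag: {tag}")
    if flags not in (0, 128):  # 128 = issuer-critical flag
        raise ValueError("flags must be 0 or 128")
    return f'{owner}. IN CAA {flags} {tag} "{value}"'

def relevant_rrset(zone, fqdn):
    """First CAA RRset found walking from fqdn toward the root."""
    labels = fqdn.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def issuer_of(value):
    """issuer-domain-name of an issue/issuewild value; '' for the ';' denial."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(zone, fqdn, ca_domain, wildcard=False):
    """True if ca_domain may issue for fqdn (or *.fqdn when wildcard=True)."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere in the chain: issuance is unrestricted
    tags = {tag for _, tag, _ in rrset}
    # issuewild governs wildcards only when present; otherwise issue applies
    governing = "issuewild" if wildcard and "issuewild" in tags else "issue"
    props = [v for _, tag, v in rrset if tag == governing]
    if not props:
        return True  # e.g. an iodef-only set imposes no issuance restriction
    return ca_domain.lower() in {issuer_of(v) for v in props}

# Constructed zone: apex allows Let's Encrypt and denies all wildcards;
# dev.example.com overrides with a placeholder CA name.
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";"),
                    (0, "iodef", "mailto:security@example.com")],
    "dev.example.com": [(0, "issue", "other-ca.example")],
}

if __name__ == "__main__":
    for flags, tag, value in ZONE["example.com"]:
        print(caa_record("example.com", tag, value, flags))
    print(ca_may_issue(ZONE, "www.example.com", "letsencrypt.org", wildcard=True))  # False
```

Because dev.example.com publishes its own record set, the walk stops there and the apex policy no longer applies to it, which is the override behaviour the FAQ below describes.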

FAQ

Where do I publish CAA records?

At the apex of your zone (example.com) and any subdomain you want to override. CAs walk the DNS hierarchy upward, so a record at the apex covers every subdomain unless overridden.

Will CAA stop someone who already has a private key?

No. CAA only restricts new issuance. It does not affect already-issued certificates, which is why you should also rotate keys after a CA policy change.

Do I need an iodef record?

It is optional but useful — it gives compliant CAs a contact when they detect a policy violation, so you hear about attempted mis-issuance.

Can I list multiple CAs?

Yes. Publish one issue record per allowed CA. CAA is additive: any matching issue permits issuance for the listed authority.
