
Using the CAA Record Generator

The CAA Generator creates example DNS CAA (Certificate Authority Authorization) record entries based on the certificate currently in use on a specified domain. CAA records specify which Certificate Authorities are authorized to issue certificates for your domain.


What Are CAA Records?

CAA records are DNS records that specify which Certificate Authorities can issue certificates for your domain. When a CA receives a certificate request, it checks for CAA records and will only issue the certificate if it is authorized. This prevents unauthorized certificate issuance and reduces the risk of mis-issued certificates.

How to Use the CAA Generator

Navigate to Certificate Monitoring ➡️ Tools ➡️ CAA Generator. Enter a domain name and click Generate CAA. The tool connects to the domain, retrieves the current certificate, identifies the issuing Certificate Authority, and generates example CAA record entries.

The tool provides two output formats:

  • Generic DNS Providers - For Google Cloud DNS, Route 53, DNSimple, and other hosted services
  • Standard Zone File - For BIND, PowerDNS, NSD, Knot DNS, and similar DNS servers

CAA Record Types

Generated records include:

  • issue - Specifies which CA can issue standard certificates for the domain
  • iodef - Optional email address or URL to which CAs can report certificate policy violations, such as an issuance request refused because of your CAA records

Adding CAA Records to Your DNS

Copy the appropriate record format for your DNS provider and add it to your domain's DNS zone. Most hosted DNS services have a CAA record type option in their interface. For zone file-based DNS servers, add the records to your zone file and reload the configuration.

After adding CAA records, verify them using DNS lookup tools. Records should propagate within minutes to hours depending on your DNS provider and TTL settings.
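As an added example (not the CAA Generator's own code), the following Python builds records in the two formats described above, parses a zone file line back into fields, and applies the RFC 8659 issue/issuewild rules a CA uses, so you can check that a record set really authorizes your issuer before it goes live. The issuer domain, owner name and iodef address are constructed sample values.

```python
"""Build DNS CAA records in both formats and check them the way a CA would."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or 128 to set the "issuer critical" bit
    tag: str     # issue, issuewild or iodef
    value: str   # CA identifier domain, or a mailto:/https: URL for iodef

    def zone_line(self, owner: str, ttl: int = 3600) -> str:
        """Standard zone file form (BIND, PowerDNS, NSD, Knot DNS)."""
        return f'{owner}. {ttl} IN CAA {self.flags} {self.tag} "{self.value}"'

    def generic(self) -> dict:
        """Field-by-field form that hosted providers' CAA entry forms take."""
        return {"flags": self.flags, "tag": self.tag, "value": self.value}


def generate_caa(issuer_domain: str, iodef: str = "") -> list:
    """Like the generator: one issue record for the CA, plus an optional iodef."""
    records = [CAARecord(0, "issue", issuer_domain)]
    if iodef:
        records.append(CAARecord(0, "iodef", iodef))
    return records


_ZONE_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')


def parse_zone_line(line: str) -> CAARecord:
    """Parse a zone file CAA line, e.g. what a DNS lookup shows after adding it."""
    m = _ZONE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA zone line: {line!r}")
    _owner, flags, tag, value = m.groups()
    if int(flags) not in (0, 128):
        raise ValueError(f"unexpected CAA flags field: {flags}")
    return CAARecord(int(flags), tag.lower(), value)


def issuance_allowed(records, ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 check: may a CA with this CAA identifier issue for the name?"""
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild only applies to wildcard names, and falls back to issue records.
    relevant = (issuewild or issue) if wildcard else issue
    if not relevant:
        return True  # nothing restricts issuance (e.g. only iodef): any CA may issue
    # Only the part before ';' is the issuer domain; parameters may follow it.
    return any(r.value.split(";")[0].strip().lower() == ca_domain.lower() for r in relevant)
```

A record whose value is just ";" is an empty issuer domain, so the check above correctly denies every CA for that tag.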

Important Limitations


The CAA Generator provides a best estimate based on the current certificate and known Certificate Authority data. Results may not be 100% accurate. Always verify the generated records match your certificate issuer and requirements before adding them to production DNS.

The tool analyzes the certificate currently in use. If your domain uses certificates from multiple CAs or you plan to change CAs, adjust the generated records accordingly.

CAA Record Monitoring

Certificate monitoring can alert on missing or misconfigured CAA records. Enable the Alert on missing / misconfigured DNS CAA records option in your monitoring profiles to receive notifications if CAA records are absent or improperly configured.