With a CAA record, you as the domain holder determine which certification authorities (CAs) may issue certificates for your domain or its subdomains. The abbreviation CAA stands for Certification Authority Authorization (RFC 8659).

The purpose of adding a CAA record is to reduce the risk that a certificate for your domain or subdomain is issued by a CA you never chose, for example after an attacker passes another CA's domain validation, and then misused. A CA evaluates CAA only at the moment of issuance: browsers and other TLS clients do not check CAA, so a CAA record does not affect certificates that already exist.

A CA that checks CAA starts at the exact host name it is asked to certify. If that name has no CAA records, the CA looks at the parent name, and so on up the tree; the first set of CAA records it finds is the one that applies. A CAA record you create for a domain is therefore also inherited by its subdomains, unless a subdomain has CAA records of its own, which then replace the parent's. Example:

When you configure a CAA entry for the domain example.com, it also applies to the subdomain www.example.com as long as www.example.com has no CAA records of its own.

If required, you can also add multiple CAA records for each domain or subdomain. This may be necessary, for example, if you want to authorize more than one certification authority, or if you want to allow a certification authority to issue both ordinary certificates and wildcard certificates and keep the two policies separate.

Before issuing a certificate, a publicly trusted certification authority must check the CAA records for the requested host name (the CA/Browser Forum Baseline Requirements have required this check since September 2017). The CA may issue the certificate if one of the following conditions is met:

  • The certification authority finds no CAA record for the host name or for any of its parent domains. In that case any certification authority may issue a certificate for the name.

  • The certification authority finds a CAA record for the host name, or inherits one from a parent domain, that names it as an authorized issuer for that kind of certificate.

If CAA records exist, only the certification authorities listed in them may issue certificates for the domain. A record set that contains no Issue or Issuewild property at all (for example only an Iodef contact) does not restrict issuance.

Structure of a CAA Record

Each CAA record has a flag, a property (also called the property tag) and a value. In the Flag field, you can select either 0 (not critical) or 128 (critical). The flag tells a certification authority what to do with a property it does not understand:

0 (Not critical): If you set this flag, a certification authority ignores any property in the CAA record that it does not understand and evaluates the remaining records as usual.

128 (Critical): If you set this flag, a certification authority must not issue a certificate if it does not understand the property in this record. The three properties below are defined in the CAA standard and understood by every CA that performs CAA checking, so the flag only makes a difference for non-standard or future properties.

Types:

When creating a CAA record, you can select one of the following 3 properties:

  • Issue - Define Certification Authority (CA): Specifies that the certification authority defined in the Value field may issue certificates for the domain or subdomain. If a name has Issue records but no Issuewild record, the Issue records also govern wildcard certificates (RFC 8659); a separate Issuewild record is only needed when the wildcard policy should differ.

  • Issuewild - Certification Authority may issue wildcard certificates: Specifies that the certification authority defined in the Value field may issue wildcard certificates (for example *.example.com) for the domain or subdomain. As soon as a name has at least one Issuewild record, only the Issuewild records decide who may issue wildcard certificates, and an Issuewild record on its own does not authorize ordinary (non-wildcard) certificates. To allow the certification authority to also issue ordinary certificates for the domain, you must define a separate CAA entry with the property Issue - Define Certification Authority (CA).

  • Iodef - Certification Authority (CA) to provide an email address to contact: If you select this property, you specify where a certification authority can report certificate requests that violate your CAA policy. The Value is either an email address in the form mailto:security@example.com or an https: URL of an endpoint that accepts such reports. So far, not all certification authorities send these reports.
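How a certification authority combines the conditions above with the flag and property semantics is easiest to see in code. The following Python is an added example written for this article, not IONOS or DigiCert code: it implements the CAA lookup and issuance decision as specified in RFC 8659 (climb from the host name to the first name that has CAA records, honour the critical flag for unknown properties, let Issuewild records govern wildcard requests only when they exist, and treat a value of ";" as "no CA") and runs it against a small constructed zone. The zone contents, host names and CA identifiers are constructed for illustration; the locked.example.com entry shows the two semicolon records described later in the article, and the value parser also accepts parameters after the CA name (for example "digicert.com; policy=ev"), which goes beyond what the article covers.

```python
"""CAA evaluation as a CA performs it (RFC 8659), run over a constructed zone.

Added example, not part of the IONOS article and not IONOS or DigiCert code.
The zone, host names and CA identifiers below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 = not critical, 128 = critical
    tag: str     # "issue", "issuewild", "iodef", or a tag the CA may not know
    value: str   # e.g. 'digicert.com', 'digicert.com; policy=ev', or ';' (no CA)

    @classmethod
    def parse(cls, presentation: str) -> "CAARecord":
        """Parse zone-file presentation format: <flags> <tag> "<value>"."""
        flags, tag, value = presentation.split(None, 2)
        return cls(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone data: owner name -> CAA records in presentation format.
ZONE = {
    # apex: only DigiCert may issue; a contact for policy violations
    "example.com.": [
        '128 issue "digicert.com"',
        '0 iodef "mailto:caa-reports@example.com"',
    ],
    # a subdomain with its own CAA set: it replaces the parent's, it does not merge
    "staging.example.com.": ['0 issuewild ";"'],
    # forbid every CA for both ordinary and wildcard certificates
    "locked.example.com.": ['0 issue ";"', '0 issuewild ";"'],
    # a non-critical property the CA does not understand: ignored
    "legacy.example.com.": ['0 future-tag "x"', '0 issue "digicert.com"'],
    # the same property marked critical: a CA that does not understand it must not issue
    "strict.example.com.": ['128 future-tag "x"', '0 issue "digicert.com"'],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn: str, zone: dict) -> list:
    """RFC 8659 section 3: walk from the host name towards the root and return
    the first CAA record set found (an empty list if there is none)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return [CAARecord.parse(r) for r in zone[owner]]
    return []


def issuer_domain(value: str) -> str:
    """The CA identifier is the part before the first ';'; parameters follow it."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, issuer: str, zone: dict, wildcard: bool = False):
    """Decide whether `issuer` may issue for fqdn (or *.fqdn when wildcard=True).
    Returns (allowed, reason)."""
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA records on the name or any parent: not restricted"
    # Critical flag: a record whose property the CA does not understand blocks issuance.
    for rr in rrset:
        if rr.tag not in KNOWN_TAGS and rr.flags & 128:
            return False, f"critical record with unknown property {rr.tag!r}"
    issue = [rr for rr in rrset if rr.tag == "issue"]
    issuewild = [rr for rr in rrset if rr.tag == "issuewild"]
    # Issuewild records govern wildcard requests only if at least one exists;
    # otherwise the Issue records apply to wildcard certificates as well.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, "no issue/issuewild record restricts this request"
    tag = governing[0].tag
    if any(issuer_domain(rr.value) == issuer.lower() for rr in governing):
        return True, f"{issuer} is listed in the {tag} records"
    return False, f"{issuer} is not listed in the {tag} records"


if __name__ == "__main__":
    checks = [
        ("www.example.com", "digicert.com", False),      # inherited from the apex
        ("www.example.com", "letsencrypt.org", False),   # not listed
        ("example.com", "digicert.com", True),           # wildcard governed by issue
        ("staging.example.com", "digicert.com", True),   # issuewild ";" blocks it
        ("staging.example.com", "digicert.com", False),  # child set has no issue record
        ("locked.example.com", "digicert.com", False),
        ("legacy.example.com", "digicert.com", False),
        ("strict.example.com", "digicert.com", False),
    ]
    for name, ca, wild in checks:
        ok, why = may_issue(name, ca, ZONE, wildcard=wild)
        print(f"{'*.' if wild else ''}{name:22} {ca:16} {'ALLOW' if ok else 'DENY':5} {why}")
```

Run the file to print a decision for each constructed request. The staging.example.com case is worth noting: a subdomain with its own CAA records replaces the parent's set entirely, so its single Issuewild record blocks wildcard issuance there but leaves ordinary certificates unrestricted until an Issue record is added on that name as well.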

Examples:

In the following example, the flag 128 (Critical) and the type Issue - Define Certification Authority (CA) are selected for the domain example.com, and the certification authority (CA) is digicert.com:

Host Name: @, Flag: 128 (Critical), Type: Issue, Value: digicert.com

This record allows the DigiCert certification authority to issue ordinary (non-wildcard) certificates for example.com and for its subdomains that have no CAA records of their own.

In this example, DigiCert is allowed to create wildcard certificates:

Host Name: @, Flag: 128 (Critical), Type: Issuewild, Value: digicert.com

This record allows the DigiCert certification authority to issue wildcard certificates such as *.example.com.

To prevent any certification authority from issuing either ordinary or wildcard certificates for the domain example.com, create two CAA records that contain only a semicolon (;) in the Value field:

Host Name: @, Flag: 0 (Not critical), Type: Issue, Value: ;
Host Name: @, Flag: 0 (Not critical), Type: Issuewild, Value: ;

In the following example, a contact option is specified for the certification authority; the Value is a mailto: address such as mailto:security@example.com or an https: URL of a reporting endpoint:

Host Name: @, Flag: 0 (Not critical), Type: Iodef, Value: mailto:security@example.com

Your changes become effective immediately on the IONOS name servers. However, because of the decentralized structure of the Domain Name System, resolvers elsewhere may keep serving the previous answer until their cached copy expires, which can take up to 1 hour. Before requesting a certificate, you can check what the public DNS currently returns with a lookup tool, for example dig example.com CAA.

Adding a CAA Record

You can add a CAA record in the Control Panel.

  • Log in to IONOS.
  • Click on the Domains & SSL tile in the My Products section.
  • For the desired domain, click on the gear symbol under Actions and then on DNS.

  • Click ADD RECORD and select CAA on the Add a DNS Record page.

  • In the Host Name field, specify the desired host, such as www or @. The @ character stands for the domain itself (example.com without a prefix). Because a certification authority that finds no CAA record for a host name checks the parent domain next, a record on @ also covers www and every other subdomain that has no CAA records of its own.

  • In the Value field, enter the appropriate value. This can be obtained from the respective certification authority. If you purchased an SSL certificate from IONOS, enter the value digicert.com.

  • Select the desired flag.

  • Select the desired type.

  • Optional: Select the desired TTL. The TTL only determines how long resolvers may cache the record; your settings are active on the IONOS name servers immediately.

  • Click Save.

Editing CAA Records

Existing CAA records are displayed in the Control Panel in the DNS area of the respective domain. You can edit any CAA record in this area at any time.

  • Click on the gear symbol for the desired domain under Actions and select DNS.

  • For the CAA record that you want to edit, click on the gear symbol under Actions and then on EDIT RECORD.

  • In the Value field, enter the appropriate value. This can be obtained from the respective certification authority. If you have purchased an SSL certificate from IONOS, enter the value digicert.com.

  • Select the desired flag.

  • Select the desired type.

  • Optional: Select the desired TTL. The TTL only determines how long resolvers may cache the record; your settings are active on the IONOS name servers immediately.

  • Click Save.

Deleting a CAA Record

You can delete a CAA record at any time in the Control Panel.

  • Click on the gear symbol for the desired domain under Actions and select DNS.

  • Click on the gear symbol for the desired CAA record under Actions and select DELETE RECORD.

  • Confirm the deletion process by clicking DELETE.