What Is a CAA Record
Learn what CAA records are, how they control SSL certificate issuance, issue vs issuewild, and common CAA mistakes.
Introduction
CAA stands for Certificate Authority Authorization. It is a DNS security control that limits which CAs can create certificates for your domain.
CAA is optional but useful when you want to restrict issuance. Outdated CAA records are a common reason Let's Encrypt or CDN SSL renewal fails.
Quick answer
A CAA record specifies which certificate authorities (CAs) may issue SSL/TLS certificates for your domain. If CAA exists and does not authorize your CA, certificate issuance or renewal fails. No CAA record means any trusted public CA may issue.
What it means
CAA records use tags like issue, issuewild and iodef. Before issuing a certificate, public CAs check CAA and deny requests from unauthorized issuers.
- issue — allows standard hostname certificates for a CA
- issuewild — allows wildcard certificates for a CA
- iodef — optional reporting address for unauthorized attempts
- No CAA — any trusted public CA may issue
- CAA can be inherited from parent zones in some cases
Where you see this:
- Restricting SSL issuance to Let's Encrypt, DigiCert, Sectigo or CDN CAs
- Wildcard certificate requests that need issuewild
- Security teams limiting which CAs the organization uses
- Troubleshooting failed certificate renewal
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
example.com. 3600 IN CAA 0 issuewild "letsencrypt.org"
Why this matters
An incorrect CAA record blocks HTTPS certificate renewal, which can take a live site offline once the existing certificate expires. Missing issuewild blocks wildcard certificates even when issue is present.
How to check it
- Run CAA Record Checker on the domain needing a certificate.
- List all issue and issuewild records returned.
- Compare with the CA your hosting, Certbot or CDN uses.
- Check parent domain CAA if subdomain issuance fails.
- Retry issuance only after TTL propagation.
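The tag semantics above and this check procedure, as an added Python example that is not part of this guide: it finds the governing CAA RRset by climbing to the nearest parent that has one, then tests whether a given CA domain may issue for a hostname or a wildcard name. It follows RFC 8659, under which issue records also govern wildcard requests when no issuewild record is present, so adding issuewild is what lets a different CA issue wildcards. ZONE is constructed sample data and KNOWN_TAGS, CRITICAL and the function names are assumptions of this example.

```python
# Added example (not from the original guide): a CAA issuance check following
# RFC 8659. ZONE is constructed sample data: owner name -> [(flags, tag, value)].
ZONE = {
    "example.com.": [
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com.": [(0, "issue", "digicert.com"), (0, "issuewild", "digicert.com")],
    "legacy.example.com.": [(0, "issue", ";")],  # ";" forbids every CA
}
KNOWN_TAGS = ("issue", "issuewild", "iodef")
CRITICAL = 128  # issuer-critical flag: bit 0 (most significant) of the flags octet

def relevant_rrset(name, zone):
    """Climb from name toward the root; the first CAA RRset found governs."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()

def can_issue(hostname, ca_domain, zone=ZONE):
    """Return (allowed, reason) for ca_domain issuing a certificate for hostname."""
    wildcard = hostname.startswith("*.")
    owner, rrset = relevant_rrset(hostname[2:] if wildcard else hostname, zone)
    if owner is None:
        return True, "no CAA on the hostname or any parent: any trusted CA may issue"
    for flags, tag, _ in rrset:
        if tag.lower() not in KNOWN_TAGS and flags & CRITICAL:
            return False, f"unknown critical tag {tag!r} at {owner}: must not issue"
    issue = [issuer_domain(v) for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild governs wildcard requests only when present; otherwise issue applies
    tag, governing = ("issuewild", issuewild) if wildcard and issuewild else ("issue", issue)
    if not governing:
        return True, f"{owner} has no {tag} property: issuance not restricted"
    if ca_domain.lower() in governing:
        return True, f"{ca_domain} authorized by {tag} at {owner}"
    return False, f"{tag} at {owner} authorizes {governing}, not {ca_domain}"

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"), ("*.example.com", "digicert.com"),
                     ("*.shop.example.com", "digicert.com"), ("legacy.example.com", "sectigo.com")]:
        print(host, ca, *can_issue(host, ca))
```

Replace ZONE with the records a real resolver returns for your domain and its parents, and ca_domain with the issuer your hosting, Certbot or CDN uses.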
Check CAA records
Use CAA Record Checker to see which certificate authorities are authorized for your domain.
Common mistakes
CAA blocks current SSL issuer
High severity: DNS authorizes a different CA than the one you use.
Next step: Add the correct issue record or remove obsolete CAA entries.
Missing issuewild for wildcard cert
High severity: Wildcard request fails although standard issue exists.
Next step: Add issuewild for the same CA.
Old CA remains after switching provider
High severity: Previous vendor CAA still restricts issuance.
Next step: Remove outdated issue entries and authorize the new CA.
CAA added at wrong hostname
Medium severity: Records on www do not affect root domain issuance.
Next step: Publish CAA on the exact hostname the CA validates.
Example
; Allow Let's Encrypt
example.com CAA 0 issue "letsencrypt.org"
; Allow wildcard from Let's Encrypt
example.com CAA 0 issuewild "letsencrypt.org"
Frequently asked questions
Do I need CAA records?
No. They are optional. Without CAA, any publicly trusted CA may issue certificates for your domain.
Can CAA block Let's Encrypt?
Yes, if CAA exists but does not include letsencrypt.org in an issue tag.
What is the difference between issue and issuewild?
issue controls normal certificates. issuewild controls wildcard certificates like *.example.com.
Does CAA encrypt DNS?
No. CAA only restricts certificate issuance. DNSSEC is a separate DNS security feature.