DNS Certification Authority Authorization (CAA) Resource Record
P. Hallam-Baker, R. Stradling, J. Hoffman-Andrews · 2019-11
Abstract
The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain or wildcard domain. CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issuance.
Why This RFC Matters
RFC 8659 updated the CAA record specification (originally RFC 6844) and made CAA checking a mandatory step in the CA/Browser Forum Baseline Requirements for all publicly trusted CAs — meaning no CA may issue a certificate for a domain if a conflicting CAA record is present. A domain owner publishing `0 issue "letsencrypt.org"` in DNS effectively prevents any other CA from issuing certificates for that domain, providing a significant defense against certificate mis-issuance by rogue or compromised CAs. CAA is now a standard security hygiene measure audited by web security scanners and recommended by every major security framework.
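To make the issuance rule concrete, the following is an added example (not part of the RFC text or of this page) that evaluates a CA's issuance request against CAA records the way RFC 8659 describes: strip a leading `*.` from the requested name, climb toward the root until a non-empty CAA RRset is found, refuse if a critical flag is set on an unrecognised property tag, use `issuewild` for wildcard requests and fall back to `issue` otherwise, and treat an empty issuer value (`";"`) as "no CA at all". The in-memory zone, the `SAMPLE_ZONE` name and the record contents are constructed for the demonstration; a real CA would obtain the RRsets from a validating DNS resolver.

```python
"""Minimal CAA (RFC 8659) issuance-decision evaluator over an in-memory zone.

Added example; the zone data below is constructed, not taken from any real DNS.
"""
from dataclasses import dataclass
from typing import Dict, List

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags defined by RFC 8659
FLAG_CRITICAL = 0x80                           # the "issuer critical" flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(presentation: str) -> CAARecord:
    """Parse presentation form such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = presentation.split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


def issuer_domain(value: str) -> str:
    """Return the issuer-domain-name part of an issue/issuewild value.

    'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'
    ';' -> '' (explicitly no issuer permitted)
    """
    return value.split(";", 1)[0].strip().lower()


def relevant_caa_set(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """RFC 8659 section 3: drop a leading '*.' and walk up the tree until a
    non-empty CAA RRset is found; an empty list means CAA places no restriction."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def may_issue(zone: Dict[str, List[CAARecord]], name: str, ca_domain: str) -> bool:
    """Decide whether the CA identified by ca_domain may issue for name."""
    rrset = relevant_caa_set(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    # A critical flag on a property the CA does not understand means: do not issue.
    if any(r.flags & FLAG_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    wildcard = name.startswith("*.")
    applicable = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not applicable:  # wildcard with no issuewild records falls back to issue
        applicable = [r for r in rrset if r.tag == "issue"]
    if not applicable:  # only iodef or unknown non-critical tags: not restricted
        return True
    permitted = {issuer_domain(r.value) for r in applicable}
    permitted.discard("")  # 'issue ";"' lists no issuer at all
    return ca_domain.lower() in permitted


# Constructed sample zone (hypothetical names and records, for demonstration only).
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        parse_caa('0 issue "letsencrypt.org"'),
        parse_caa('0 issuewild ";"'),                 # no wildcard certs from anyone
        parse_caa('0 iodef "mailto:security@example.com"'),
    ],
    "locked.example.com": [parse_caa('0 issue ";"')],  # nobody may issue here
    "odd.example.com": [
        parse_caa('128 futuretag "unknown-policy"'),   # critical, unrecognised tag
        parse_caa('0 issue "letsencrypt.org"'),
    ],
}

if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "other-ca.example"),
                     ("*.example.com", "letsencrypt.org"),
                     ("locked.example.com", "letsencrypt.org"),
                     ("odd.example.com", "letsencrypt.org"),
                     ("host.no-caa.example", "anyone.example")]:
        print(f"{name:24} {ca:18} -> {'ISSUE' if may_issue(SAMPLE_ZONE, name, ca) else 'REFUSE'}")
```

Running it shows the practical effect of the `0 issue "letsencrypt.org"` record mentioned above: names under `example.com` are issuable only by the listed CA, the `issuewild ";"` record blocks wildcard issuance entirely, and a name with no CAA records anywhere in its ancestry remains unrestricted, which is why publishing a record at all is the hygiene step scanners look for.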