CAA DNS Record Builder

Build a Certification Authority Authorisation DNS record to control who can issue your TLS certs


A CAA record is a small but high-leverage DNS control: it tells certificate authorities which of them — if any — are allowed to issue TLS certificates for your domain. This builder produces correctly formatted CAA lines from a simple form and explains each part.

How it works

A CAA record has three fields: a flags byte, a tag, and a quoted value.

example.com.  IN  CAA  0 issue "letsencrypt.org"
example.com.  IN  CAA  0 issuewild ";"
example.com.  IN  CAA  0 iodef "mailto:[email protected]"
  • flags — almost always 0. A value of 128 sets the “critical” bit, meaning a CA that does not understand the tag must refuse issuance.
  • tag — issue (who may issue any certificate), issuewild (who may issue wildcard certificates), or iodef (where to report violations).
  • value — for issue/issuewild, the CA’s domain (for example letsencrypt.org), or ";" to permit no one. For iodef, a mailto: or https: URL.

Before issuing, a compliant CA looks up the CAA record set for the exact name, walking up the domain tree until it finds one. If a record set exists and the CA is not listed in its issue records (or, for a wildcard request, its issuewild records), issuance is refused.

Wildcards and the “deny all” pattern

If you publish only issue records, those CAs may also issue wildcard certificates. To allow normal certificates from a CA but block all wildcards, add issuewild ";". To lock the domain down entirely, publish issue ";" (and issuewild ";"), which tells every CA that none is authorised.
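As an added illustration, not part of this builder, the following Python evaluates a CA's request against a zone the way the lookup walk and the issue/issuewild rules above describe. The zone contents and the CA name other-ca.example are constructed assumptions.

```python
import re

# Presentation-format CAA line: owner [ttl] IN CAA flags tag "value"
CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

def parse_caa_zone(text):
    """Return {owner: [(flags, tag, value), ...]} from zone-file style CAA lines."""
    zone = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        zone.setdefault(owner.lower().rstrip('.'), []).append((int(flags), tag.lower(), value))
    return zone

def relevant_rrset(zone, name):
    """RFC 8659 s.3: the CAA RRset at the exact name, else the nearest parent that has one."""
    labels = name.lower().rstrip('.').split('.')
    for i in range(len(labels)):
        rrset = zone.get('.'.join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuance_allowed(zone, name, ca, wildcard=False):
    """Decide whether CA `ca` may issue a certificate for `name` under the policy in `zone`."""
    if name.startswith('*.'):              # a wildcard request is governed by its parent name
        name, wildcard = name[2:], True
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True                        # no CAA anywhere up the tree: unrestricted
    if any(f & 128 and t not in {'issue', 'issuewild', 'iodef'} for f, t, _ in rrset):
        return False                       # critical flag on a tag this CA does not understand
    props = [v for _, t, v in rrset if t == ('issuewild' if wildcard else 'issue')]
    if wildcard and not props:             # no issuewild present: issue records govern wildcards
        props = [v for _, t, v in rrset if t == 'issue']
    if not props:
        return True                        # only iodef (or similar): the RRset does not restrict
    # The issuer-domain-name is the part before ';' ("letsencrypt.org; account=x" -> letsencrypt.org);
    # the bare value ";" yields '' and therefore matches no CA.
    return ca.lower() in {v.split(';', 1)[0].strip().lower() for v in props}

# Constructed sample zone (not a real deployment); other-ca.example is a placeholder CA name.
SAMPLE_ZONE = parse_caa_zone("""
example.com.      IN CAA 0 issue "letsencrypt.org"
example.com.      IN CAA 0 issuewild ";"
example.com.      IN CAA 0 iodef "mailto:caa-reports@example.com"
dev.example.com.  IN CAA 0 issue "other-ca.example; account=placeholder"
""")
```

With this zone, a normal certificate for www.example.com from letsencrypt.org is allowed but a wildcard is not, while dev.example.com (and wildcards under it) accepts only other-ca.example because the subdomain record overrides the apex.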

Tips and limits

  • Place CAA at the zone apex to cover the whole domain; a more specific subdomain record overrides it for that branch.
  • List every CA you actually use, including any backup or ACME provider, or renewals will silently fail.
  • CAA only works against CAs that honour it. It is not a substitute for monitoring Certificate Transparency logs, which reveal certificates regardless of whether your policy was respected.
  • This builder runs entirely in your browser; nothing about your domain is transmitted.