What is CAA?

CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. It was standardized in 2013 by RFC 6844 to allow a CA “reduce the risk of unintended certificate mis-issue.” By default, every public CA is allowed to issue certificates for any domain name in the public DNS, provided they validate control of that domain name. That means that if there’s a bug in any one of the many public CAs’ validation processes, every domain name is potentially affected. CAA provides a way for domain holders to reduce that risk.

---- Certificate Authority Authorization (CAA)


Confirm CAA is enabled on your domain name

1. Ask your certificate provider, access the Control Panel, or run a DIG command to check that your domain name has a CAA record.

A. Use DIG command

Use the DIG command to check that the CAA record is enabled


B. Use Google Admin Toolbox


If CAA is enabled, some records will be returned.
Go to "2. Add CAA records to DNS provider"

dig example.com CAA +short

0 issue "letsencrypt.org"
0 issuewild "comodoca.com"
0 issuewild "digicert.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issue "comodoca.com"
0 issue "digicert.com"
0 issue "digicert.com; cansignhttpexchanges=yes"

If CAA is disabled, no records will be return.

dig example.com CAA +short

No CAA records, go back to Custom Domains on Shifter to complete.

2. Add CAA records to DNS provider

Add one of the following DNS record to your domain name:


Here are some samples for setting up CAA records DNS providers:

Add amazon.com for example.com

Add amazon.com for www.example.com


Add amazontrust.com for example.com

Add amazontrust.com for www.example.com

Route 53
Add amazonaws.com for example.com

Add amazonaws.com for www.example.com

3. Go to Custom Domains on Shifter to complete setup.

Did this answer your question?