CAA Record Generator

Create Certificate Authority Authorization records

Privacy First

This generator runs entirely in your browser. No data is sent to any server.

Generated CAA Records

0 issue "letsencrypt.org"

BIND Zone File Format

example.com. IN CAA 0 issue "letsencrypt.org"

Generic DNS Format

example.com	CAA	0 issue "letsencrypt.org"

About CAA Records

Record Types

  • issue - Authorizes a CA to issue standard certificates
  • issuewild - Authorizes a CA to issue wildcard certificates
  • iodef - URL/email for CAs to report policy violations

Critical Flag

When set, CAs must understand and process the record. If they don't recognize the tag, they must refuse to issue. Use sparingly for custom tags.

Best Practices

  • Add at least one "issue" record to restrict which CAs can issue certificates
  • Use "issuewild" to separately control wildcard certificate issuance
  • Configure "iodef" to receive notifications of unauthorized issuance attempts
  • Test with a single CA first before adding restrictions

If no CAA records exist, any CA can issue certificates for your domain. Adding CAA records is a security best practice.
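The record types and critical flag described above can be checked before publishing a policy. The following is an added example, not this generator's own code: a simplified model of how a CA evaluates a single CAA record set under RFC 8659, taking records in the `<flags> <tag> "<value>"` form shown on this page. The function names `parseCaa` and `mayIssue`, the CA name `ca.example` and the tag `futuretag` are hypothetical, and lookups on parent domains are not modelled.

```javascript
// Added example: simplified evaluation of one CAA RRset (RFC 8659), not the page's code.
const KNOWN_TAGS = new Set(["issue", "issuewild", "iodef"]);

// Parse one record in the text form the generator emits: <flags> <tag> "<value>".
function parseCaa(line) {
  const m = /^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$/.exec(line.trim());
  if (!m || Number(m[1]) > 255) throw new Error(`malformed CAA record: ${line}`);
  return {
    critical: (Number(m[1]) & 128) !== 0, // high bit of the flags byte is the critical flag
    tag: m[2].toLowerCase(),
    // The issuer domain is the part before any ";parameters"; empty means "no CA".
    value: m[3].split(";")[0].trim().toLowerCase(),
  };
}

// Decide whether caDomain may issue for a standard or wildcard name.
function mayIssue(recordLines, caDomain, { wildcard = false } = {}) {
  const records = recordLines.map(parseCaa);
  if (records.length === 0) return { allowed: true, reason: "no CAA records" };
  // A critical record with a tag the CA does not understand blocks issuance.
  const unknown = records.find((r) => r.critical && !KNOWN_TAGS.has(r.tag));
  if (unknown) return { allowed: false, reason: `critical unknown tag "${unknown.tag}"` };
  const issue = records.filter((r) => r.tag === "issue");
  const issuewild = records.filter((r) => r.tag === "issuewild");
  // For wildcard names, issuewild records replace issue records when present.
  const relevant = wildcard && issuewild.length > 0 ? issuewild : issue;
  if (relevant.length === 0) return { allowed: true, reason: "no issue restriction" };
  const ok = relevant.some((r) => r.value === caDomain.toLowerCase());
  return { allowed: ok, reason: ok ? "CA is authorized" : "CA not listed" };
}

// Constructed sample policy; ca.example is a placeholder CA name.
const policy = [
  '0 issue "letsencrypt.org"',
  '0 issuewild "ca.example"',
  '0 iodef "mailto:security@example.com"',
];
console.log(mayIssue(policy, "letsencrypt.org"));                     // standard name
console.log(mayIssue(policy, "letsencrypt.org", { wildcard: true })); // wildcard name
console.log(mayIssue([...policy, '128 futuretag "x"'], "letsencrypt.org"));
```

With only an `issue` record present, the same CA is also authorized for wildcard names, which is why a separate `issuewild` record is needed to control them independently.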