Documentation DNS CAA Record

CAA Record


This document describes how to a CAA record. If you want to authorize a designated CA to issue an SSL certificate for your domain name so as to prevent mistaken SSL certificate issuance, you need to add a CAA record.


  1. Log in to the DNSPod Console.
  2. In "My Domains", click the domain for which to add a CAA record to enter its "Record Management" page as shown below:

  1. Click Add Records and enter the following record information as shown below:

Host: enter a subdomain. For example, when adding a record for www.dnspod.com, you can simply enter "www" in the "Host" field. If you only want to add a record for dnspod.com, select "@" in the "Host" field.
Type: select "CAA".

  • Split Zone: select "Default"; otherwise, certain CAs may not be able to conduct verification.
    The format of a CAA record is [flag] [tag] [value], which consists of a flag byte [flag] and a [tag] -[value] (tag-value) pair called an attribute. You can add multiple CAA fields to the DNS record of the domain.
Field Description
flag An unsigned integer between 0 and 255, which is used to identify the CA. It is 0 by default, indicating that if the CA issuing the certificate cannot recognize this information, it will be ignored.
tag Valid values: issue, issuewild, iodef.
value CA's domain or email address used for notification of violations.

tag field description:

  • issue: authorizes a single CA to issue certificates of any type for the host name.
  • issuewild: authorizes a single CA to issue wildcard certificates for the host name.
  • iodef: the CA can send the URLs of issuance records in violation to a certain email address.

Weight: leave it empty.
MX: leave it empty.
TTL: it is the cache time and 600s by default. The smaller the value, the faster the change to the record will take effect in various regions.

  1. Click Confirm.
Last updated on 2022-04-21 02:45

DNS health check tool powered by DNSPod


Official WeChat group

Join WeChat group to chat and feedback

Scan using WeChat