
Add, change or delete CAA record

As a domain owner, you can use a CAA record to specify which certification authorities (CAs) may issue certificates for your domain or subdomain. The abbreviation CAA stands for Certificate Authority Authorization.

A CAA record is intended to prevent certificates for a domain or subdomain from being issued by mistake, and from being misused as a result.

If you create a CAA record for a domain, it also applies to the existing subdomains, unless a subdomain has CAA records of its own; in that case the subdomain's own records apply instead. Example:

If you configure a CAA record for the domain example.com, it also applies to the subdomain www.example.com (provided www.example.com has no CAA record of its own).

If necessary, you can also create several CAA records for a domain or subdomain. This can be necessary, for example, if you want to allow a certification authority to issue both specific certificates and wildcard certificates, or if you want to authorize more than one certification authority.

Before issuing a certificate, the certification authority must check these CAA records. It may issue the certificate if one of the following conditions is met:

  • The certification authority finds no CAA record for your domain or subdomain (nor for any of its parent domains).

  • The certification authority finds a CAA record for your domain or subdomain that authorizes it to issue the requested certificate.

Hints
  • If no CAA record exists, any certification authority may issue a certificate for the domain.

  • If a CAA record exists, only the certification authorities listed in the records are allowed to issue certificates for the domain.

Structure of the CAA record

Each CAA record has a flag and a property (shown as Type in the Control Center). In the Flag field you can select either 0 (non-critical) or 128 (critical). The flag tells a certification authority what to do with a property it does not recognize:

0 (non-critical): The certification authority ignores any property in the CAA record that it does not recognize or cannot evaluate, and applies the remaining records.

128 (critical): The certification authority must not issue a certificate if the CAA record contains a property that it does not recognize or cannot evaluate.

Type

When creating a CAA record, you can select one of the following three properties:

  • Issue - define the certification authority (CA): Specifies that the certification authority entered in the Value field is allowed to issue certificates for the domain or subdomain. As long as no Issuewild record exists, this record also governs wildcard certificates.

  • Issuewild - certification authority may issue wildcard certificates: Specifies that the certification authority entered in the Value field may issue wildcard certificates (e.g. *.example.com) for the domain or subdomain. An Issuewild record does not by itself authorize specific (non-wildcard) certificates; if the certification authority should also be allowed to issue specific certificates for the domain, create a separate CAA record with the property Issue - define the certification authority (CA).

  • Iodef - provide a contact address for the certification authority (CA): With this property you specify how a certification authority can report a certificate request that violates your CAA policy. You can enter either an email address or a URL; the standard defines this value as a URL, so an email address is written in the form mailto:address. Not all certification authorities support this feature yet.

Examples:

In the first example, the flag 128 (critical) and the type Issue - define the certification authority (CA) are selected for the domain example.com, and digicert.com is entered as the certification authority (CA) in the Value field. With this record, the certification authority DigiCert is allowed to issue simple (non-wildcard) certificates for example.com and its subdomains; because no Issuewild record exists, the same record also governs wildcard certificates.

In the second example, the type Issuewild is selected instead, again with digicert.com in the Value field. With this record, DigiCert is allowed to issue wildcard certificates such as *.example.com.

To prohibit the issuance of both simple and wildcard certificates for the domain example.com by any certification authority, create two CAA records, one with the type Issue and one with the type Issuewild, each containing a single semicolon (;) in the Value field.

In the last example, a contact option for the certification authority is specified with the type Iodef, for example an email address in the form mailto:security@example.com.

Your changes take effect immediately at IONOS. Because of the decentralized structure of the Domain Name System, however, it can take up to 1 hour for the change to be visible everywhere. You can check what resolvers currently return for your domain with the command dig CAA example.com (or dig CAA www.example.com for a subdomain).
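The following Python script is an added illustration and is not part of this article or of IONOS's own tooling. It models the check a certification authority performs on CAA records according to RFC 8659, which goes slightly beyond what the article describes: it walks from the requested name up through the parent domains until it finds a CAA record set (the inheritance described above), refuses to issue when a critical record carries a property it does not understand, lets Issuewild take precedence over Issue for wildcard requests (falling back to Issue when no Issuewild record exists), treats a bare semicolon value as authorizing nobody, and ignores any parameters that follow the CA name after a semicolon. The zone contents (ZONE), the record values and all host names are constructed for the example; no DNS query is made, the records simply stand in for what dig CAA would return.

```python
"""CA-side CAA check (RFC 8659 semantics) over a constructed in-memory zone.

Added illustration; not IONOS code. No DNS queries are made: ZONE below is a
hand-written stand-in for what `dig CAA <name>` would return.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 = non-critical, 128 = critical (issuer-critical bit set)
    tag: str     # property: "issue", "issuewild", "iodef", or something unknown
    value: str   # e.g. "digicert.com", ";" (authorizes nobody), "mailto:..."


KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128

# Constructed sample zone (owner name -> CAA RRset); all names are illustrative.
ZONE = {
    "example.com": [CAARecord(128, "issue", "digicert.com")],
    # Own RRset: takes precedence over the one inherited from example.com.
    "shop.example.com": [CAARecord(0, "issue", "letsencrypt.org"),
                         CAARecord(0, "iodef", "mailto:security@example.com")],
    # issuewild overrides issue for wildcard requests only.
    "wild.example.com": [CAARecord(0, "issue", "digicert.com"),
                         CAARecord(0, "issuewild", "letsencrypt.org")],
    # The value ";" forbids every CA, for plain and wildcard certificates.
    "locked.example.com": [CAARecord(0, "issue", ";"),
                           CAARecord(0, "issuewild", ";")],
    # A critical property the CA does not understand blocks issuance ...
    "strict.example.com": [CAARecord(128, "futuretag", "x")],
    # ... while a non-critical unknown property is simply ignored.
    "lenient.example.com": [CAARecord(0, "futuretag", "x"),
                            CAARecord(0, "issue", "digicert.com")],
}


def to_presentation(owner, rr):
    """Render a record the way dig and zone files show it."""
    return f'{owner}. CAA {rr.flags} {rr.tag} "{rr.value}"'


def relevant_rrset(name, zone=ZONE):
    """RFC 8659 section 3: the relevant RRset is the CAA RRset of the name
    itself, or else that of the nearest parent that has one. This is the
    inheritance the article describes: www.example.com falls back to example.com."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def may_issue(ca_domain, requested_name, zone=ZONE):
    """Decide whether the CA identified by ca_domain may issue for requested_name.
    A leading '*.' marks a wildcard request. Returns (allowed, reason)."""
    wildcard = requested_name.startswith("*.")
    rrset = relevant_rrset(requested_name[2:] if wildcard else requested_name, zone)
    if not rrset:
        return True, "no CAA record found: issuance is not restricted"
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag not in KNOWN_TAGS:
            return False, f"critical property '{rr.tag}' is not understood"
    # For wildcard requests issuewild takes precedence; if no issuewild record
    # exists, the issue records govern wildcard requests as well.
    tag = "issue"
    if wildcard and any(rr.tag == "issuewild" for rr in rrset):
        tag = "issuewild"
    restricting = [rr for rr in rrset if rr.tag == tag]
    if not restricting:
        return True, f"no {tag} property present: issuance is not restricted"
    # The issuer domain is the part before the first ';' (parameters may follow);
    # the bare value ";" therefore yields an empty set, i.e. nobody is authorized.
    authorized = {rr.value.split(";")[0].strip().lower() for rr in restricting}
    authorized.discard("")
    if ca_domain.lower() in authorized:
        return True, f"{tag} record authorizes {ca_domain}"
    return False, f"{tag} records authorize {sorted(authorized) or 'no CA'}"


if __name__ == "__main__":
    for owner, rrs in ZONE.items():
        for rr in rrs:
            print(to_presentation(owner, rr))
    for ca, name in [("digicert.com", "www.example.com"),
                     ("letsencrypt.org", "www.example.com"),
                     ("digicert.com", "*.wild.example.com"),
                     ("digicert.com", "locked.example.com"),
                     ("digicert.com", "strict.example.com")]:
        print(f"{ca:16} {name:22} -> {may_issue(ca, name)}")
```

Run the script with python3 to see the decisions for a handful of constructed requests. To reason about your own domain, replace the contents of ZONE with the records that dig CAA returns for it and call may_issue with the CA's issuer domain (digicert.com for certificates purchased from IONOS) and the host name you intend to secure.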

Add CAA record

You can add a CAA record in the Control Center.

  • For the domain you want, click under Actions on the gear icon and then on DNS.

  • Click on ADD RECORD and select under Type the entry CAA.

  • Enter the desired host in the Hostname field, for example www or @.
    The @ character stands for the domain itself (example.com). Because subdomains inherit the CAA record, a record created for @ also covers www.example.com and all other subdomains that do not have CAA records of their own.

  • Enter the appropriate value in the Value field. You can obtain this value from the respective certification authority. If you have purchased an SSL certificate from IONOS, enter the value digicert.com.

  • Select the flag you want.

  • Choose the type you want.

  • Optional: Select the desired TTL (Time-To-Live).
    By default, your settings take effect immediately.

  • Click on "Save".

Edit CAA record

Existing CAA records are displayed in the Control Center in the DNS area of the respective domain. You can edit any CAA record in this area at any time.

  • For the domain you want, click under Actions on the GEAR SYMBOL and then on DNS.

  • For the CAA record you want, click on the GEAR SYMBOL under Actions and then on EDIT RECORD.

  • Enter the appropriate value in the Value field. You can obtain this value from the respective certification authority. If you have purchased an SSL certificate from IONOS, enter the value digicert.com.

  • Select the flag you want.

  • Choose the type you want.

  • Optional: Select the desired TTL (Time-To-Live).
    By default, your settings take effect immediately.

  • Click on "Save".

Delete CAA record

You can delete a CAA record at any time in the Control Center.

  • For the domain you want, click under Actions on the GEAR SYMBOL and then on DNS.

  • For the CAA record you want, click under Actions on the GEAR SYMBOL and then on DELETE RECORD.

  • Confirm the deletion by clicking on DELETE.