A CAA (Certification Authority Authorization) record is a DNS security feature that allows a domain owner to specify exactly which Certificate Authorities (CAs) are allowed to issue SSL/TLS certificates for their domain.
Is your Let's Encrypt or AutoSSL renewal failing? Check your CAA records.
Before CAA records existed, any publicly trusted Certificate Authority could issue a certificate for any domain, as long as the applicant passed (or tricked) that CA's domain validation checks. Publishing a CAA record locks this down. Since September 2017 the CA/Browser Forum Baseline Requirements have obliged every public CA to look up your CAA records before issuing. If the CA's name is not listed there, it must refuse to issue the certificate, which protects you from certificates being issued for your domain by a CA you never chose. Note that the check happens only at the CA: browsers do not consult CAA, so a CAA record limits who may issue a certificate, not how clients validate one.
Each CAA record carries one of a few tags that dictate the rules:

issue "letsencrypt.org"
    Authorizes the named CA to issue certificates for this name. Publish one issue record per CA you use. A value consisting only of a semicolon (issue ";") authorizes nobody and blocks all issuance for the name.

issuewild "letsencrypt.org"
    Authorizes the named CA to issue wildcard certificates (*.example.com). If this tag is present, it overrides the 'issue' tag for wildcard requests; if it is absent, wildcard requests fall back to the 'issue' tag.

iodef "mailto:security@example.com"
    Tells CAs where to report a certificate request that they rejected because of your CAA policy. This tag does not restrict issuance on its own.

If a domain has no CAA records at all, the default rule applies: any public Certificate Authority is allowed to issue a certificate for your domain, provided the applicant passes the standard domain validation checks. Be aware that the CA starts at the exact name on the certificate and walks up through each parent (www.example.com, then example.com, and so on); the first set of CAA records it finds is the one that applies. A subdomain without CAA records of its own therefore inherits the policy of the closest parent that has one, and the "any CA" default only applies when no name up the tree has a CAA record.
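To make the tag interactions concrete, here is an added example (not code from the original page) that models how a CA evaluates CAA records before issuing, following the tree-walking and tag rules of RFC 8659: walk up from the requested name to the first name that has CAA records, let issuewild replace issue for wildcard requests, treat a lone ";" as "no CA", and refuse when a critical flag is set on a tag the CA does not understand. The zone data, names and CA identifiers below are constructed for illustration.

```python
# Added example, not code from the original page: a small model of how a
# CA evaluates CAA records before issuing, following the tree-walking and
# tag rules of RFC 8659. The zone data below is constructed for
# illustration; the names and CA identifiers are assumptions.

CRITICAL_FLAG = 0x80  # RFC 8659 "issuer critical" bit in the flags byte
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone: DNS name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", "digicert.com"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    # Own record set: limits this subtree to one CA and, because it has no
    # issuewild tag, wildcard requests fall back to its issue tag.
    "staging.example.com": [
        (0, "issue", "letsencrypt.org"),
    ],
    # A lone ';' value authorises nobody: issuance is blocked entirely.
    "locked.example.com": [
        (0, "issue", ";"),
    ],
    # A critical flag on a tag the CA does not understand must block issuance.
    "strict.example.com": [
        (CRITICAL_FLAG, "futuretag", "whatever"),
    ],
}


def relevant_records(zone, fqdn):
    """Return (name, records) for the first name, walking from fqdn up to
    the apex, that has CAA records; (None, []) if none does (RFC 8659 s.3)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = zone.get(name)
        if records:
            return name, list(records)
    return None, []


def ca_domain(value):
    """Extract the CA identifier from an issue/issuewild value, dropping any
    parameters, e.g. 'letsencrypt.org; validationmethods=dns-01'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone, fqdn, ca, wildcard=False):
    """Decide whether CA `ca` may issue for `fqdn` (set wildcard=True for a
    *.fqdn request). Returns (allowed, reason)."""
    name, records = relevant_records(zone, fqdn)
    if not records:
        return True, "no CAA records anywhere up the tree: any CA may issue"

    for flags, tag, _ in records:
        if flags & CRITICAL_FLAG and tag.lower() not in KNOWN_TAGS:
            return False, f"critical tag '{tag}' at {name} is not understood"

    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]

    # For wildcard requests issuewild, when present, replaces issue entirely.
    effective = (issuewild or issue) if wildcard else issue
    if not effective:
        return True, f"CAA set at {name} has no applicable issue tag: any CA may issue"

    allowed = {ca_domain(v) for v in effective}  # ';' alone yields '' and matches no CA
    if ca.lower() in allowed:
        return True, f"{ca} is authorised by the CAA set at {name}"
    return False, f"{ca} is not authorised by the CAA set at {name}"


if __name__ == "__main__":
    checks = [
        ("www.example.com", "letsencrypt.org", False),
        ("www.example.com", "globalsign.com", False),
        ("example.com", "letsencrypt.org", True),
        ("staging.example.com", "letsencrypt.org", True),
        ("locked.example.com", "letsencrypt.org", False),
        ("strict.example.com", "digicert.com", False),
        ("example.net", "anyca.example", False),
    ]
    for fqdn, ca, wildcard in checks:
        ok, why = caa_permits(ZONE, fqdn, ca, wildcard)
        label = ("*." if wildcard else "") + fqdn
        print(f"{label:26} {ca:18} {'ALLOW' if ok else 'DENY '} ({why})")
```

The two results worth noticing are the wildcard cases: *.example.com is denied to letsencrypt.org because the apex has an issuewild record naming only digicert.com, while *.staging.example.com is allowed to letsencrypt.org because staging.example.com has its own record set with no issuewild tag, so the walk stops there and its issue tag applies. To compare the model with what a real CA sees for your domain, query the live records with dig +short example.com CAA.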
Yes, you can publish as many CAA records as you need. For example, you can have one CAA record authorizing digicert.com for your main corporate certificates and another authorizing letsencrypt.org for your staging environments or subdomains. Keep in mind that several 'issue' records at the same name authorize every CA listed, both for that name and for any subdomain that has no CAA records of its own. To restrict a subdomain to a single CA, publish the CAA record at that subdomain's own name (for example at staging.example.com rather than at example.com).
No, changing CAA records does not affect certificates that have already been issued. CAA records are only checked by the Certificate Authority at the moment it issues or renews a certificate, so adding or changing one will not invalidate an existing, active SSL/TLS certificate installed on your server. It will be checked at the next renewal, which is why a renewal can start failing after a CAA record is added or after you switch CAs without updating it. Also allow time for the change to be seen: the Baseline Requirements let a CA rely on a CAA lookup made within the record's TTL or the previous 8 hours, whichever is longer, so a fix to your CAA records may not take effect immediately.