What is a DNS CAA record, and do I need one?
What is a CAA Record?
A CAA record, also known as a Certificate Authority Authorization record, is a special type of DNS record used to specify which Certificate Authorities are allowed to issue SSL certificates for a given domain name.
For example, our servers use Amazon Web Services, and we need to create a free and auto-renewable SSL certificate for you. But for that, we need to be authorized to do that by your DNS provider, like GoDaddy, Namecheap, etc.
There are two cases:
- Your DNS provider already allows us by default to issue an SSL certificate for your domain
- Your DNS does not allow us to issue an SSL certificate for you, so you need to authorize us to do that by creating a CAA record
Do I always need a CAA Record?
No! Very often, one is not needed. Most DNS providers allow us to issue certificates for your domain.
So most of the time, a CAA record is not needed. However, we will let you know when you require one, during the custom domain activation process.
When do I need a CAA Record?
If your DNS provider does not allow Amazon Web Services (where we run our servers) to issue a certificate for your domain name, only then will you need to create a CAA record.
Common errors with CAA Record
Most times, you need to check if your domain name has a CAA record before proceeding with activating your custom domain name, to prevent an error in the process. You can follow this link to check if your domain name has a CAA record.
However, if you have started the process of activating your custom domain name with a CAA record already in place, you will get an error when you try to activate the certificate.
If you get this error, you may have to cancel the certificate on the second step of adding your custom domain name, add the CAA record of our SSL service provider to your DNS Manager, and activate it again.
What does a CAA Record look like?
A CAA record follows the format below:
Name: The hostname for the record, without the domain name. This is generally referred to as a “subdomain”. So if you are activating the custom domain courses.yourdomain.com, you should type in here just courses.
TTL: The time-to-live in seconds. This is the amount of time the record is allowed to be cached by a resolver. Set this to the lowest value possible, typically 1 to 5 minutes, in case you need to change this record later.
Tag: An ASCII string that represents the identifier of the property represented by the record.
Value: Type in the following string: 0 issue amazon.com
How do I add a CAA Record for a Domain Name?
Login to your domain's DNS manager >> click DNS >> manage DNS records >> create a new record >> input the data and save the records.
How to check if I have a CAA Record in my domain's DNS Manager:
To confirm if you have a CAA record attached to your domain name, you may use the link below.
It's an online tool that can help you confirm that the CAA record is well-installed:
Conclusion
Once the CAA record is correctly installed, go back to the custom domain activation wizard, and click on Check Certificate again.
If your certificate creation request meanwhile expired, you might need to delete it and configure it again.