CAA is an IETF standard that controls which certificate authorities (CAs) can issue certificates for your domain.
Certificate authorities (CAs) will check first the CAA record for the domain. If the record does not matches the specific values for that authority, it will refuse to issue the certificate.
The CAA record was introduced to prevent vulnerabilities in the certificate authority validation systems.
The Certification Authority Authorization (CAA) DNS Resource Record
RFC 6844
allows a DNS domain name holder to specify the Certification
Authorities (CAs) authorized to issue certificates for that domain.
Publication of CAA Resource Records allows a public Certification
Authority to implement additional controls to reduce the risk of
unintended certificate mis-issue.
A CAA DNS record will look like:
plothost.com. IN CAA 0 issue sectigo.comCheck with your CA, what values you should use for the CAA record. We put some links to a few of CA in the Resources section of this article.
A simple tool for generating CAA records according to your certificate authority is here https://sslmate.com/caa/
