DNS CAA resource record check

As of September 8, 2017, Certificate Authorities (CAs) are required to check, process, and abide by a domain's DNS Certification Authority Authorization (CAA) resource records (RRs) before a certificate can be issued to the requestor.

Note: A CAA resource record is NOT REQUIRED for DigiCert to issue certificates for your domains. The information provided concerning these records is only important if you already have CAA resource records set up for any of your domains or if you would like to add CAA resource records for your domains.

Prior to issuing a certificate, a CA checks the CAA RRs to establish whether it can issue a certificate for a domain. A CA can issue a certificate for a domain if one of the following conditions is met:

  • There is no CAA record for the domain.
  • There is a record for the domain authorizing the CA to issue that type of certificate for the domain.
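
The two conditions above, written out as an added example (not DigiCert's code) that follows the CAA processing rules in RFC 8659, including the separate `issue` and `issuewild` tags that cover "that type of certificate". It assumes the CAA record set for the domain has already been looked up; the record tuples and the `ca-one.example` / `ca-two.example` issuer names are constructed.

```python
# Added example: simplified CAA evaluation per RFC 8659.
# Each record is a (flags, tag, value) tuple; all sample data is constructed.

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit


def issuer_domain(value):
    """Return the issuer domain from a CAA value, dropping any parameters."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(rrset, ca_domain, wildcard=False):
    """Return True if the CA identified by ca_domain may issue.

    rrset:    CAA records found for the domain (empty list means none).
    wildcard: True when the request is for a wildcard certificate.
    """
    if not rrset:
        return True  # Condition 1: no CAA record for the domain.

    records = [(flags, tag.lower(), value) for flags, tag, value in rrset]

    # A critical record with a tag the CA does not understand blocks issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False

    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]

    # For wildcard requests, issuewild records replace issue records when present.
    # For non-wildcard requests, issuewild records are ignored.
    restricting = issuewild if (wildcard and issuewild) else issue
    if not restricting:
        return True  # e.g. only iodef records: issuance is not restricted.

    # Condition 2: a record authorizes this CA for this certificate type.
    # A value of ";" yields an empty issuer name, which matches no CA.
    return ca_domain.lower() in restricting


# Constructed record set: one CA allowed for regular names, no wildcards at all.
SAMPLE = [
    (0, "issue", "ca-one.example"),
    (0, "issuewild", ";"),
    (0, "iodef", "mailto:security@example.com"),
]

if __name__ == "__main__":
    for ca, wild in [("ca-one.example", False), ("ca-two.example", False),
                     ("ca-one.example", True)]:
        print(ca, "wildcard" if wild else "regular", ca_may_issue(SAMPLE, ca, wild))
```

With the sample records, `ca-one.example` can issue a regular certificate but not a wildcard one, which is the kind of accidental block the record owner should check for before a renewal is due.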

If you have or are planning to create DNS CAA RRs for your domain(s), it's important to make sure your records are up to date and accurate. At DigiCert, we recommend checking your existing DNS CAA RRs for your domain(s) to verify that you have the necessary records for each CA authorized to issue certificates for each domain.

We also recommend that, if you are creating new DNS CAA RRs, you understand how the process works, so you don't accidentally prevent a CA from issuing a certificate that's needed immediately.

For more information, please visit DNS CAA Resource Record Check (https://www.digicert.com/dns-caa-rr-check.htm).