Compose DNS Certification Authority Authorization records (RFC 8659) so only the CAs you trust can issue certificates for your domain. Outputs zone file lines, dig and BIND-compatible formats.
CAA records are queried at the exact name; if absent, validators climb the DNS tree until they find one (RFC 8659 §3).
Each row maps to one CAA RR. The flags byte's high bit (128 = critical) tells CAs they MUST refuse if they don't understand the tag.
Paste output from dig +short CAA example.com or BIND zone lines and the rows above will be replaced.
| Tag | Meaning | Example |
|---|---|---|
| issue | CA permitted to issue any cert (including wildcards when no issuewild record is present). | 0 issue "letsencrypt.org" |
| issuewild | CA permitted to issue wildcard certs only. Overrides issue for wildcards. | 0 issuewild "digicert.com" |
| iodef | Where to send violation reports (RFC 6546). Email (mailto: URL), a reporting URL, or both (one record each). | 0 iodef "mailto:sec@example.com" |
| contactemail | Domain validation contact (CA/Browser Forum extension). | 0 contactemail "admin@example.com" |
| contactphone | Domain validation phone contact (CA/Browser Forum extension). | 0 contactphone "+1-555-555-0100" |
| ; (semicolon) | Used as the value of issue or issuewild to deny all CAs. | 0 issue ";" |
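To check how a CA would read these records, here is an added example (not part of this tool) that parses zone-file style CAA lines, climbs the tree as RFC 8659 §3 describes, applies the critical flag and the issue/issuewild precedence, and treats ";" as deny-all. The zone dictionary, the tag name "futuretag" and the CA domains are constructed for the demonstration.

```python
import re

# One CAA RR in zone-file / "dig +short" shape:  <flags> <tag> "<value>"
CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef", "contactemail", "contactphone"}
CRITICAL = 128  # issuer-critical flag bit (RFC 8659 section 4.1)

def parse_caa(line):
    """Return (flags, tag, value) from one zone-file style CAA line."""
    m = CAA_RE.match(line)
    if not m:
        raise ValueError(f"not a CAA RR: {line!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if flags > 255:
        raise ValueError("flags must fit in one byte")
    return flags, tag, value

def relevant_rrset(zone, name):
    """RFC 8659 section 3: use the CAA RRset at the exact name, else climb toward the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []

def issuer_of(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> '' (deny all)."""
    return value.split(";", 1)[0].strip().lower()

def issuance_allowed(zone, name, ca_domain):
    """Decide whether ca_domain may issue for name (a '*.' prefix marks a wildcard request)."""
    wildcard = name.startswith("*.")
    records = relevant_rrset(zone, name[2:] if wildcard else name)
    if not records:
        return True  # no CAA record anywhere up the tree: issuance is unrestricted
    # An issuer-critical flag on a tag this checker does not understand means: refuse.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    tags = {t for _, t, _ in records}
    # issuewild overrides issue for wildcard requests; otherwise issue governs.
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # only iodef/contact records present: nothing restricts issuance
    return ca_domain.lower() in {issuer_of(v) for _, t, v in records if t == tag}

# Constructed sample zone: CAA only at the apex, so www.example.com inherits it;
# "futuretag" is a made-up tag used to show the critical-flag rule.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"',
                    '0 iodef "mailto:sec@example.com"'],
    "strict.example.com": ['128 futuretag "x"'],
}
```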