Cloudflare’s support for DNS Certificate Authority Authorization (CAA) records is currently in beta. To participate in the beta, you must follow the instructions below.
Participating in the beta
Step #1 - Request access
To join the beta, you must first open a support ticket. In the support ticket you must specify the zone on which you want records set—the beta is on a per-zone basis—and the precise CAA records you wish to add.
If you do not include CAA records that permit issuance for Cloudflare’s CA partners (or later remove such records), your Universal SSL support will be disabled.
The CAA records that permit Cloudflare to issue Universal SSL can be found below.
Sample ticket #1 - Universal SSL support
Below is a sample support ticket that supports Universal SSL issuance along with Let’s Encrypt, but prohibits other CAs from issuing.
I’d like to join the CAA beta for my domains example1.com and example2.com. Below are the records that I plan to add:
example1.com. IN CAA 0 issue "comodoca.com"
example1.com. IN CAA 0 issue "digicert.com"
example1.com. IN CAA 0 issue "globalsign.com"
example1.com. IN CAA 0 issue "letsencrypt.org"
example2.com. IN CAA 0 issue "comodoca.com"
example2.com. IN CAA 0 issue "digicert.com"
example2.com. IN CAA 0 issue "globalsign.com"
example2.com. IN CAA 0 issue "letsencrypt.org"
Sample ticket #2 - No Universal SSL support (Custom Certificates only)
If you are on a Business or Enterprise plan and wish to upload your own certificate for use with your domain example3.com, the example below can be used.
Note that an issuewild record overrides the issue records, but only for wildcard certificate requests; requests for non-wildcard names are still governed by the issue records. In this example, Let's Encrypt is allowed to issue certificates for example3.com that do not contain wildcards, and the issuewild ";" record means that no CA at all, Let's Encrypt included, can issue wildcard certificates for the zone.
I'd like to join the CAA beta for my domain example3.com. Below are the records that I plan to add. I understand that Universal SSL will be disabled for my zone because I am not including records that permit issuance by Cloudflare's CA partners. I will take care of uploading and renewing my own custom certificate.
example3.com. IN CAA 0 issue "letsencrypt.org"
example3.com. IN CAA 0 issuewild ";"
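To make the issue and issuewild rules concrete, here is a small evaluator that answers the question a CA asks before issuing: given the CAA records in a zone, may CA X issue a certificate for name Y? It is an example added for this page, not Cloudflare's code. The records from both sample tickets are embedded as constructed data instead of being queried from DNS, UNIVERSAL_SSL_CAS is the set of three CA domains listed on this page, and the lookup follows RFC 6844 as updated by RFC 8659 (strip a leading wildcard label, then climb towards the root until a CAA RRset is found; issuewild governs wildcard requests only, and only when present; an empty issuer domain such as ";" permits nobody).

```python
"""CAA evaluation as a CA performs it (RFC 6844, updated by RFC 8659).

Added example for this page; it is not Cloudflare code. The records are
constructed inline from the two sample tickets rather than looked up in DNS,
and UNIVERSAL_SSL_CAS lists the three CA domains the page names.
"""
from dataclasses import dataclass

# CA domains the page says must be permitted for Universal SSL to keep working.
UNIVERSAL_SSL_CAS = ("comodoca.com", "digicert.com", "globalsign.com")

# Constructed zone data, copied from the sample tickets on this page.
TICKET1_RECORDS = """
example1.com. IN CAA 0 issue "comodoca.com"
example1.com. IN CAA 0 issue "digicert.com"
example1.com. IN CAA 0 issue "globalsign.com"
example1.com. IN CAA 0 issue "letsencrypt.org"
"""
TICKET2_RECORDS = """
example3.com. IN CAA 0 issue "letsencrypt.org"
example3.com. IN CAA 0 issuewild ";"
"""


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (0x80) is the "issuer critical" flag
    tag: str     # issue, issuewild, iodef, ...
    value: str   # property value with the surrounding quotes removed


def parse_caa_records(text):
    """Parse presentation-format lines into {owner_name: [CAA, ...]}."""
    zone = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _cls, rrtype, flags, tag, value = line.split(None, 5)
        if rrtype.upper() != "CAA":
            raise ValueError("not a CAA record: %s" % line)
        owner = owner.rstrip(".").lower()
        zone.setdefault(owner, []).append(
            CAA(int(flags), tag.lower(), value.strip().strip('"')))
    return zone


def relevant_rrset(zone, name):
    """RFC 8659 section 3: strip a leading "*" label, then climb towards the
    root until an owner name with CAA records is found."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def _issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone, name, ca_domain):
    """True if the CA identified by ca_domain may issue a certificate for
    name (a leading "*." marks a wildcard request)."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: any CA may issue
    # A critical record whose tag this evaluator does not understand forbids issuance.
    if any(r.flags & 0x80 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    wildcard = name.startswith("*.")
    # issuewild governs wildcard requests only, and only when it is present;
    # otherwise the issue records apply to wildcard and non-wildcard alike.
    governing_tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        governing_tag = "issuewild"
    governing = [r for r in rrset if r.tag == governing_tag]
    if not governing:
        return True  # e.g. only iodef records present: nothing restricts issuance
    # An empty issuer domain (the ";" value) permits no CA at all.
    permitted = {_issuer_domain(r.value) for r in governing} - {""}
    return ca_domain.lower() in permitted


def universal_ssl_permitted(zone, name):
    """True only if every Universal SSL CA may still issue for name."""
    return all(ca_may_issue(zone, name, ca) for ca in UNIVERSAL_SSL_CAS)


if __name__ == "__main__":
    for label, text, apex in (("ticket #1", TICKET1_RECORDS, "example1.com"),
                              ("ticket #2", TICKET2_RECORDS, "example3.com")):
        zone = parse_caa_records(text)
        print(label, "Universal SSL permitted:", universal_ssl_permitted(zone, apex))
        print(label, "Let's Encrypt wildcard:", ca_may_issue(zone, "*." + apex, "letsencrypt.org"))
```

For ticket #1 the evaluator reports Universal SSL permitted and wildcard issuance by Let's Encrypt allowed (no issuewild record, so the issue records govern wildcards too); for ticket #2 it reports Universal SSL not permitted and wildcard issuance refused for every CA. Pasting the CAA records you intend to request into parse_caa_records is a cheap way to confirm, before the ticket is processed, that you are not about to lock out the Universal SSL CAs by accident.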
Step #2 - Adding CAA records
Once your support ticket is processed—tickets are handled in the order in which they are received, with priority based on plan type—you will receive a message back indicating that CAA access has been enabled for your requested zones.
You are not done at this point: you must still log in to your account and add the CAA records yourself.
Step 1 - Log in to the Cloudflare dashboard and click on the DNS tab.
Step 2 - Add CAA records for each CA you wish to allow to issue
Change the new record select box to 'CAA', type your domain in the first box (here: upinatoms.com), and tab to the next box, which opens a modal for the record's tag and value.
Leave the “Allow wildcards and specific hosts” dropdown selected for tag and enter the desired CA, e.g., “comodoca.com” in the value box then hit Save. After hitting Save you must also click Add Record.
If you wish to continue to use Universal SSL, you must repeat this process for each Universal SSL CA: comodoca.com, digicert.com, and globalsign.com.
Step 3 - Review the added records for accuracy
Here are records that match sample support ticket #1 from above.