This article answers several common questions about CAA DNS records.
- What is CAA and how can I create one?
- How does Cloudflare evaluate CAA records?
- Why must I disable Universal SSL if my CAA records exclude Universal SSL issuance?
- What records are added to keep Universal SSL enabled?
- What happens when Universal SSL is disabled?
- How do I re-enable Universal SSL?
- What are the dangers of setting CAA records?
What is CAA and how can I create one?
A Certificate Authority Authorization (CAA) record allows domain owners to restrict issuance to specified Certificate Authorities (CAs).
For more details and instructions on how to create these records, refer to our developer documentation.
How does Cloudflare evaluate CAA records?
CAA records are evaluated by a CA, not by Cloudflare.
Why must I disable Universal SSL if my CAA records exclude Universal SSL issuance?
Since Universal SSL certificates are shared between customers, your CAA records may prevent issuance of another customer’s Universal SSL certificate. Therefore, Cloudflare must disable Universal SSL for your domain to ensure your CAA records do not affect another customer.
If you do not require Universal SSL from Cloudflare, you can disable Universal SSL.
What records are added to keep Universal SSL enabled?
If you use Cloudflare’s free Universal SSL certificates, you will see several CAA records added by Cloudflare.
Used alone, issuewild only permits wildcard issuance. Therefore, Cloudflare cannot add your root domain to the certificate unless you specify the Allow wildcards and specific hostnames option in the Tag dropdown.
What happens when Universal SSL is disabled?
Your domain name is immediately removed from the Universal SSL certificate and your users will observe SSL errors unless you upload a custom SSL certificate (requires Business or Enterprise plan).
How do I re-enable Universal SSL?
To re-enable Universal SSL:
- Log in to the Cloudflare dashboard.
- Click the appropriate Cloudflare account for the domain where you want to re-enable Universal SSL.
- Ensure the proper domain is selected.
- Click the SSL/TLS app.
- Scroll to the Disable Universal SSL section.
- Click Enable Universal SSL.
What are the dangers of setting CAA records?
If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, include CAA records that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization.
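One way to catch this before publishing a CAA change is to compare the planned record set against the list of CAs your teams actually use. The script below is an added example, not Cloudflare tooling; the zone lines and the `ca-*.example` identifiers are constructed placeholders. It applies the RFC 8659 rule that `issuewild` records, when present, replace `issue` records for wildcard names.

```python
import re

# RDATA of a CAA record in zone-file form: flags, tag, quoted value.
CAA_RE = re.compile(r'\bCAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"')

# Constructed sample zone; CA identifiers are placeholders.
PLANNED_ZONE = '''
example.com. 3600 IN CAA 0 issue "ca-a.example"
example.com. 3600 IN CAA 0 issue "ca-b.example; account=12345"
example.com. 3600 IN CAA 0 issuewild "ca-a.example"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
'''

def parse_caa(zone_text):
    """Return (tag, issuer_domain) pairs for issue/issuewild records."""
    pairs = []
    for line in zone_text.splitlines():
        m = CAA_RE.search(line)
        if not m or line.lstrip().startswith(";"):
            continue  # not a CAA record, or a zone-file comment line
        tag = m.group(2).lower()  # tags are case-insensitive
        if tag in ("issue", "issuewild"):
            # Drop parameters after ';'. A bare ";" leaves an empty issuer,
            # which authorizes no CA at all.
            issuer = m.group(3).split(";", 1)[0].strip().lower()
            pairs.append((tag, issuer))
    return pairs

def blocked_cas(zone_text, required, wildcard=False):
    """List the CAs in `required` that the record set does not authorize."""
    pairs = parse_caa(zone_text)
    issue = [i for t, i in pairs if t == "issue"]
    wild = [i for t, i in pairs if t == "issuewild"]
    # For wildcard names, issuewild (if any) is used instead of issue.
    applicable = wild if (wildcard and wild) else issue
    if not applicable:
        return []  # no applicable property; nothing to compare against here
    return sorted(ca for ca in required if ca.lower() not in applicable)

if __name__ == "__main__":
    in_use = ["ca-a.example", "ca-b.example", "ca-c.example"]  # assumed inventory
    print("hostname certs blocked for:", blocked_cas(PLANNED_ZONE, in_use))
    print("wildcard certs blocked for:",
          blocked_cas(PLANNED_ZONE, in_use, wildcard=True))
```

Run it against the full record set you intend to publish, including any records Cloudflare adds, and treat a non-empty result as a reason to hold the change.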