This article answers several common questions about CAA DNS records.
- What is CAA?
- How does Cloudflare evaluate CAA records?
- Why must I disable Universal SSL if my CAA records exclude Universal SSL issuance?
- What records are added to keep Universal SSL enabled?
- What happens when Universal SSL is disabled?
- How do I re-enable Universal SSL?
- What are the dangers of setting CAA records?
What is CAA?
A Certificate Authority Authorization (CAA) record allows domain owners to restrict issuance to specified Certificate Authorities (CAs). CAA records prevent CAs from issuing certificates under certain circumstances. Refer to RFC 6844 for further details.
How does Cloudflare evaluate CAA records?
CAA records are evaluated by a CA, not by Cloudflare.
Why must I disable Universal SSL if my CAA records exclude Universal SSL issuance?
Since Universal SSL certificates are shared between customers, your CAA records may prevent issuance of another customer’s Universal SSL certificate. Therefore, Cloudflare must disable Universal SSL for your domain to ensure your CAA records do not affect another customer.
If you do not require Universal SSL from Cloudflare, Disable Universal SSL in the Edge Certificates tab of the Cloudflare SSL/TLS app.
What records are added to keep Universal SSL enabled?
The following DNS records are automatically set if you continue to use Cloudflare’s free Universal SSL certificates:
example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"
Used alone, issuewild only permits wildcard issuance. Therefore, Cloudflare cannot add your root domain to the certificate unless you specify the Allow wildcards and specific hostnames option in the Tag dropdown.
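To make the issue / issuewild rules concrete, here is a small CAA evaluator written as an added example (it is not Cloudflare's code and not what any CA runs). It walks the DNS tree to find the relevant CAA set, applies the wildcard precedence rules, and shows why an issuewild-only zone does not cover the root name; the zone data is constructed inline from the six records above plus two hypothetical zones.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = issuer-critical bit
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # CA domain, optionally followed by ";parameters"; ";" alone names no CA


# Constructed zone data: the six records the article lists for example.com, plus
# a hypothetical issuewild-only zone and a hypothetical zone that forbids all CAs.
ZONE: Dict[str, List[CAA]] = {
    "example.com": [
        CAA(0, "issue", "comodoca.com"),
        CAA(0, "issue", "digicert.com"),
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", "comodoca.com"),
        CAA(0, "issuewild", "digicert.com"),
        CAA(0, "issuewild", "letsencrypt.org"),
    ],
    "wild-only.example": [CAA(0, "issuewild", "letsencrypt.org")],
    "locked.example": [CAA(0, "issue", ";")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name: str) -> List[CAA]:
    """Climb from the requested name towards the root; the first label with a
    non-empty CAA RRset is the relevant set (RFC 6844 section 4). The '*' label
    of a wildcard name is dropped first, so *.example.com uses example.com's set."""
    labels = name.removeprefix("*.").rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def ca_may_issue(ca: str, name: str) -> bool:
    """Decide whether the CA identified by issuer domain `ca` may issue for `name`."""
    rrset = relevant_caa_set(name)
    if not rrset:
        return True   # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # critical record with a tag this CA does not understand
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    if name.startswith("*."):
        applicable = issuewild or issue  # issuewild, when present, overrides issue for wildcards
    else:
        applicable = issue               # issuewild never authorizes a non-wildcard name
    # Drop ";parameters"; a value of ";" leaves an empty CA name that matches nobody.
    permitted = {r.value.split(";", 1)[0].strip() for r in applicable}
    return ca in permitted
```

For the apex of an issuewild-only zone the function finds no applicable record and returns False, which is the conservative reading the article takes; a CA following RFC 8659 section 4.3 literally ignores issuewild for non-wildcard names and may treat the remaining empty set as unrestricted, so do not rely on issuewild alone to control root-name issuance either way.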
What happens when Universal SSL is disabled?
Your domain name is immediately removed from the Universal SSL certificate and your users will observe SSL errors unless you upload a custom SSL certificate (requires Business or Enterprise plan).
How do I re-enable Universal SSL?
To re-enable Universal SSL:
- Log in to the Cloudflare dashboard.
- Click the appropriate Cloudflare account for the domain where you want to re-enable Universal SSL.
- Ensure the proper domain is selected.
- Click the SSL/TLS app.
- Scroll to the Disable Universal SSL section.
- Click Enable Universal SSL.
What are the dangers of setting CAA records?
If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, include CAA records that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization.