
Free tool · Cert governance

CAA record generator

Pick the certificate authorities you actually use from a preset list. We emit publish-ready CAA records (BIND zone format) you paste into your DNS provider. Restricts who can issue TLS certs in your name. No signup.

CAs allowed for ordinary certs (issue)

Tick every CA you actually use. Missing one will silently kill your next renewal.


What this tool checks

CAA records narrow your cert-issuance surface from ~80 globally-trusted CAs down to the specific ones you use. Without CAA, a compromised registrar, social-engineered domain-validation challenge, or CA misissuance bug anywhere produces a working TLS cert for an attacker.

This generator only emits the records - you publish them in your DNS provider. After publishing, run the CAA checker to confirm they resolve correctly.

How to read the results

Before publishing: make sure every CA you actually use today is on your list - missing one silently kills the next renewal. Common pitfalls:

  • You use AWS Certificate Manager for one service and Let's Encrypt for another - both need to be on the list.
  • Your DR / failover site uses a different CA - include it.
  • Wildcards have separate rules under issuewild - if you don't set issuewild, wildcard requests fall back to the issue rules.

Frequently asked questions

Will publishing these records break my certs?

Existing certs aren't affected (CAA checks happen at issuance, not validation). But your NEXT renewal will fail if the renewing CA isn't on your list. List every CA you use today before publishing.

How do I publish these records?

Drop them in your DNS provider. The exact UI varies: Cloudflare has a CAA record type in the DNS editor; Route 53 lists CAA in the record-type dropdown; some older providers want raw zone-file syntax (the format we emit). After publishing, wait 5-10 minutes for propagation, then verify with our CAA checker.

Should I check the "critical" flag?

The critical flag (value 128) tells CAs they MUST honor the tag - even if it's a new tag type they don't understand, they fail closed and refuse issuance. Without critical (value 0), a CA may continue if it doesn't understand the tag. For the standard issue / issuewild / iodef tags it doesn't matter much (every CA implements those). Critical=128 only matters for future CAA extensions. The default of 0 is fine.

What format are the records I should paste?

BIND zone file format, one CAA record per line. Most DNS providers parse this directly. If yours wants the parts split (flag, tag, value) you can read them from the format: <host>. CAA <flag> <tag> "<value>"
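As an added illustration (not the generator's own code), the snippet below emits records in the format described above and then applies the issue / issuewild fallback rule from the pitfalls section the way a CA would against a single CAA record set; the domain and CA names are constructed sample values, and it does not walk up to parent domains the way a real CAA lookup does.

```python
# Constructed example inputs (not from the page): two CAs used for ordinary
# certs, only one of which is also used for wildcard certs.
DOMAIN = "example.com"
ISSUE_CAS = ["letsencrypt.org", "amazon.com"]
ISSUEWILD_CAS = ["letsencrypt.org"]


def caa_record(host, flag, tag, value):
    """One CAA record in BIND zone syntax: <host>. CAA <flag> <tag> "<value>"."""
    return f'{host}. CAA {flag} {tag} "{value}"'


def generate_caa(domain, issue, issuewild=None, iodef=None, critical=False):
    """Emit publish-ready records; flag 128 marks them critical, 0 is the default."""
    flag = 128 if critical else 0
    records = [caa_record(domain, flag, "issue", ca) for ca in issue]
    for ca in issuewild or []:
        records.append(caa_record(domain, flag, "issuewild", ca))
    if iodef:
        records.append(caa_record(domain, flag, "iodef", iodef))
    return records


def parse_caa(line):
    """Split one emitted record back into (host, flag, tag, value)."""
    host, _, rest = line.partition(" CAA ")
    flag, tag, value = rest.split(" ", 2)
    return host.rstrip("."), int(flag), tag, value.strip('"')


def may_issue(records, ca, wildcard):
    """Decide whether `ca` may issue for this record set (RFC 8659 semantics):
    a wildcard request consults issuewild if present, else falls back to issue;
    with no relevant property at all, CAA places no restriction; an explicit
    'issue ;' (value ';') permits nobody."""
    tags = {}
    for line in records:
        _, _, tag, value = parse_caa(line)
        tags.setdefault(tag, set()).add(value)
    if wildcard and "issuewild" in tags:
        allowed = tags["issuewild"]
    elif "issue" in tags:
        allowed = tags["issue"]
    else:
        return True  # no issue/issuewild property: unrestricted
    return ca in allowed


if __name__ == "__main__":
    for rec in generate_caa(DOMAIN, ISSUE_CAS, ISSUEWILD_CAS):
        print(rec)
```

Running it prints the three records; dropping a CA from ISSUE_CAS makes may_issue refuse it, which is exactly the silent renewal failure the pitfalls list warns about.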
