Skip to main content Skip to search
August 17, 2017

NS1's Managed and Dedicated DNS Supports CAA Records

A CAA record is a special type of DNS record (think TXT or CERT) that allows domain owners to authorize specific third party vendors to issue SSL certificates on behalf of their domains.

CAA records are part of a series of schemes aimed at improving the security of the SSL certificate system. If, for example, NS1 wanted to use to get an SSL certificate for, we could add a CAA record that specifically granted authorization to issue certificates for * Then when we go to purchase the certificate, would know with certainty that they are allowed to issue the cert on our behalf. 

The CAA record prevents any other Certificate Authority from issuing an SSL certificate for our domain. Only the CA(s) we authorized in the CAA record, in this example, can issue an SSL certificate for * The CAA record becomes one more piece that makes up the whole of your online website security measures.

NOTE: This is an optional record type. As a domain owner, there are no requirements for you to have a CAA record.

The following graphic shows an example of how CAA records work in the DNS hierarchy.

From the graphic: a CA must follow the DNS delegation chain upwards until it finds a matching CAA record (stops at top level domain). This allows different CAs for branches in the DNS tree. (Men&Mice)

To add a CAA record to your Managed DNS account with NS1, you first contact your CA provider and request their identification string. You can then create your CAA record in NS1’s portal according to the instructions in our KnowledgeBase article. Add the CA’s identification string into the CAA record parameters in your domain. This limits who can issue your domain certificates.

As of September 2017, CAs are required to check for the presence of a CAA record and, if one is found, verify that they are authorized prior to issuing certificates for this domain. If a CAA record is not present, the CA can issue a certificate for the domain.

For more information on the CAA record type, see RFC 6844.