A CAA record is used to explicitly specify which Certification Authorities can issue certificates for a domain. This acts as a kind of additional verification of the certificate itself.
To add this type of record, go to the "Name Servers (NS)" page and click the gear icon next to the name servers for your domain. The new page shows a table with DNS records; click "Change". The "Add record" button will now appear at the very bottom.
What data should be entered in the new record:
- Name: If it is an apex domain, enter the name "@". If it is a subdomain, enter its name. For example, for "blog.domain.com" it will be enough to enter the name "blog";
- TTL: record lifetime. The minimum value is 3600 seconds, the standard is 14400 seconds. In most cases you do not need to change it;
- Type: here you select type CAA;
- Flag: at the moment, values 0 and 1 are available. The first value is standard and allows you to effectively ignore a record; the second requires explicit record checking;
- Tag: can have values "issue", "issuewild", "iodef" — depending on the type of certificate;
- Value: Certification Authority domain name, for example "sectigo.com".
Once you have entered the necessary data, be sure to click "Save".
⚠️ Please note: changes of NS servers and records on them may take 4 to 24 hours to take effect. This is due to the caching of records by Internet service providers — they save all user requests and keep them for a certain period of time.
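To see how the "issue" and "issuewild" tags and the record name interact once saved, the following added example (not part of the original article or the hosting panel) evaluates a set of CAA records the way RFC 8659 describes a CA doing it: it climbs from the requested name towards the apex until it finds CAA records, then checks the tags. The zone lines, the "shop" subdomain, the mail address and all function names are constructed for illustration.

```python
import re

# Constructed sample records in standard zone-file form (not taken from a real zone).
ZONE = '''
domain.com.       14400 IN CAA 0 issue "sectigo.com"
domain.com.       14400 IN CAA 0 issuewild ";"
domain.com.       14400 IN CAA 0 iodef "mailto:security@domain.com"
shop.domain.com.  14400 IN CAA 0 issue "letsencrypt.org"
'''

LINE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"$')

def parse_zone(text):
    """Return {owner name: [(flag, tag, value), ...]} for every CAA line."""
    records = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        name, _ttl, flag, tag, value = m.groups()
        # The flag is stored but not interpreted in this example.
        records.setdefault(name.rstrip(".").lower(), []).append((int(flag), tag.lower(), value))
    return records

def relevant_rrset(records, hostname):
    """Climb from hostname towards the root; the first name with CAA records wins."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = records.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def ca_may_issue(records, hostname, ca_domain):
    """True if ca_domain is authorized for hostname (which may start with '*.')."""
    wildcard = hostname.startswith("*.")
    rrset = relevant_rrset(records, hostname[2:] if wildcard else hostname)
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # For wildcard requests, "issuewild" replaces "issue" whenever it is present.
    allowed = issuewild if wildcard and issuewild else issue
    if not allowed:
        return True  # only iodef or no CAA at all: issuance is not restricted
    # The value is a CA domain, optionally followed by ";parameters"; ";" alone names no CA.
    return ca_domain.lower() in {v.split(";")[0].strip().lower() for v in allowed}
```

With these records, "blog.domain.com" inherits the apex policy because it has no CAA record of its own, while "shop.domain.com" overrides it entirely.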