What Is a CAA Record and Why Can It Break Certificate Issuance?

FindMyTeam April 6, 2026

A CAA record tells certificate authorities which CAs are allowed to issue certificates for a domain.

That sounds narrow, but it becomes very important the moment certificate issuance fails and nothing else in the DNS zone appears obviously wrong.

The simple definition

CAA stands for Certificate Authority Authorization.

It is a DNS record that lets domain owners restrict certificate issuance to specific certificate authorities.

That is useful because it reduces the chance of unauthorized or unexpected certificate issuance.

Why CAA matters

If a CA is not permitted by the domain’s CAA policy, certificate issuance can fail even when:

  • the domain resolves correctly
  • the site is online
  • the validation token is otherwise correct

That is why CAA is a domain-security control, but also a common certificate-operations footgun.

What a CAA record controls

CAA policies typically describe which CAs may issue standard or wildcard certificates for the domain.

In practice, if a service or platform is trying to provision a certificate and the domain’s CAA policy does not allow the relevant CA, issuance can stop there.

This is one of the reasons certificate problems can look surprising: the failure is not always in the token or validation path. Sometimes the DNS policy itself blocks issuance.

When CAA causes trouble

CAA problems usually appear in scenarios like:

  • moving a domain to a different certificate provider
  • onboarding a new subdomain setup
  • using a platform that relies on partner CAs you did not explicitly allow

Current Cloudflare documentation specifically notes that in subdomain setups where the parent domain is on another DNS provider, the parent domain must either allow the required partner CAs via CAA or have no conflicting CAA records at all.

That is exactly the kind of subtle configuration gap that breaks otherwise normal certificate workflows.

Why this belongs in domain lookup

A domain lookup is often the first place you notice that a domain looks healthy at the DNS and hosting layer but still has certificate friction.

CAA is one of the record types that explains that gap.

It is not the only cause of certificate failures, but it is one of the most overlooked DNS-side causes.

What to check first when issuance fails

1. Check whether the domain publishes CAA at all

If there are no CAA records, then CAA is less likely to be the blocker.

2. Check whether the issuing CA is allowed

If the certificate provider depends on a CA that is not permitted by the domain’s policy, issuance can fail even if everything else looks correct.

3. Check parent-domain policy for delegated or subdomain setups

This is especially important when the hostname you care about sits under a parent domain controlled elsewhere.
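The three checks above, as an added example that is not from the article: an RFC 8659 CAA relevance check (climb to the parent until a CAA RRset is found, then evaluate issue/issuewild against the CA's issuer domain) run over a constructed in-memory zone so it works offline. ZONE, the hostnames and the CA names are constructed sample data, not real DNS.

```python
# Added example (not from the article). ZONE, hostnames and CA names are
# constructed sample data; a missing name means "no CAA RRset at this node".
ZONE = {
    "example.com": [("issue", "digicert.com"), ("issuewild", ";")],
    "shop.example.com": [("issue", "letsencrypt.org")],
}

def relevant_caa_set(name, zone=ZONE):
    """Return (owner, rrset) of the first non-empty CAA RRset found while
    climbing from `name` towards the root (RFC 8659 section 3)."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        owner = ".".join(labels)
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]  # Parent(X): drop the leftmost label
    return None, []

def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    A bare ';' yields '', which authorizes no CA at all."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(name, ca, zone=ZONE):
    """Decide whether CA `ca` may issue for `name`; return (allowed, reason)."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_caa_set(name, zone)
    if owner is None:
        return True, "no CAA RRset up the tree; CAA does not restrict issuance"
    # For wildcard names, issuewild takes precedence when present; otherwise
    # the issue properties also govern wildcard issuance.
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in rrset) else "issue"
    allowed = {issuer_domain(v) for t, v in rrset if t == tag}
    if not allowed:
        return True, f"RRset at {owner} has no '{tag}' property; not restricted by CAA"
    if ca.lower() in allowed:
        return True, f"{ca} is authorized by '{tag}' at {owner}"
    names = sorted(a for a in allowed if a) or ["no CA at all"]
    return False, f"{ca} is not in '{tag}' at {owner}; allowed: {', '.join(names)}"

if __name__ == "__main__":
    # app.example.com has no CAA of its own, so the parent's policy decides.
    for host, ca in [("app.example.com", "letsencrypt.org"),
                     ("shop.example.com", "letsencrypt.org"),
                     ("*.example.com", "digicert.com")]:
        print(host, ca, *caa_permits(host, ca))
```

The first case is the delegated-subdomain situation from step 3: the hostname itself publishes nothing, yet issuance is refused because the parent's policy names a different CA.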

Common misunderstandings

"If validation tokens are correct, the certificate must issue"

Not always.

CAA can still block issuance even when the validation method itself is correct.

"CAA is only for large enterprises"

No.

Any domain using certificates can run into CAA effects once issuance policy becomes restrictive.

"CAA is the same as certificate transparency"

No.

CAA limits who may issue; certificate transparency helps you monitor what was actually issued.

FAQ

What does a CAA record do?

It tells certificate authorities which CAs are allowed to issue certificates for the domain.

Why can a certificate fail even when DNS and the site look fine?

Because a restrictive or mismatched CAA policy can block issuance even if the rest of the DNS setup appears healthy.

Does CAA matter for subdomains?

Yes. Parent-domain or delegated-zone CAA policy can matter depending on the setup and the issuing CA path.

Should I check CAA when a platform cannot provision TLS?

Yes. It is one of the highest-value DNS checks when certificate issuance fails unexpectedly.
