Configure CAA records in Alibaba Cloud DNS to restrict which certificate authorities (CAs) can issue HTTPS certificates for your domain.
Background
Hundreds of certificate authorities (CAs) worldwide can issue HTTPS certificates to verify website identity. However, a CA may be blacklisted by browsers for various reasons. When this happens, browsers such as Google Chrome and Firefox display an "HTTPS certificate not trusted" error, show a red strikethrough in the address bar, and block access to the page.
Certification Authority Authorization (CAA) prevents the mis-issuance of HTTPS certificates. It was standardized by the IETF in January 2013 as RFC 6844. In March 2017, the CA/Browser Forum passed Ballot 187, mandating that all CAs perform CAA checks starting September 8, 2017.
CAA lets domain owners specify which CAs can issue certificates for their domains, preventing unauthorized issuance. Alibaba Cloud DNS supports CAA records.
CAA record format
A CAA record uses the format [flag] [tag] [value]: a flag byte [flag] followed by a [tag]-[value] pair. You can add multiple CAA records for a domain, and a CA evaluates the whole set when deciding whether to issue.
| Field | Description |
| --- | --- |
| flag | An unsigned integer from 0 to 255, typically set to 0. When set to 0, a CA that does not recognize the property must ignore the record. |
| tag | The tag can be |
| value | The domain of the authorized CA, or an email address for reporting violations. |
Add CAA records
The following example authorizes only symantec.com to issue certificates for midengd.xyz and sends violation reports to admin@midengd.xyz.
- Log in to the Alibaba Cloud DNS - Public Zone console. Find your domain and click Settings in the Actions column.
- Add the following two CAA records.

| Host record | Value |
| --- | --- |
| @ | 0 issue "symantec.com" |
| @ | 0 iodef "mailto:admin@midengd.xyz" |
Verify CAA records
Run the dig domain record_type command to query CAA record resolution. Example:
sh-3.2# dig midengd.xyz caa
; <<>> DiG 9.10.5rc1 <<>> midengd.xyz caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26714
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;midengd.xyz. IN CAA
;; ANSWER SECTION:
midengd.xyz. 600 IN CAA 0 iodef "mailto:admin@midengd.xyz"
midengd.xyz. 600 IN CAA 0 issue "symantec.com"
;; Query time: 577 msec
;; SERVER: 30.26.X.X#53(30.26.X.X)
;; WHEN: Tue Dec 05 18:55:48 CST 2017
;; MSG SIZE rcvd: 114
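To see how a CA would act on the records returned above, the following added Python example (not part of the Alibaba Cloud documentation) parses CAA records in dig's presentation format and applies the RFC 6844 issuance decision to a constructed copy of the two midengd.xyz records; it also handles the issuewild tag and the critical flag bit (128), which go beyond what this page covers.

```python
import re
from dataclasses import dataclass

# Constructed sample input, mirroring the two records in the dig output above.
SAMPLE_ANSWER = """\
midengd.xyz. 600 IN CAA 0 iodef "mailto:admin@midengd.xyz"
midengd.xyz. 600 IN CAA 0 issue "symantec.com"
"""
# One presentation-format CAA RR: owner TTL IN CAA flags tag "value"
CAA_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # bit 7 of the flag byte: issuer-critical

@dataclass
class CAARecord:
    owner: str
    flags: int
    tag: str
    value: str

def parse_caa(answer_text: str) -> list:
    """Parse CAA lines (e.g. the ANSWER SECTION printed by dig) into records."""
    records = []
    for line in answer_text.splitlines():
        m = CAA_RE.match(line.strip())
        if m:
            owner, flags, tag, value = m.groups()
            records.append(CAARecord(owner.rstrip("."), int(flags), tag.lower(), value))
    return records

def issuance_allowed(records: list, ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 6844 decision: may ca_domain issue for the domain owning these records?"""
    if not records:
        return True  # no CAA RRset published: any CA may issue
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False  # critical property the CA cannot interpret: must not issue
    # issuewild governs wildcard requests; if absent, issue records apply to both.
    relevant = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True  # no issue/issuewild restriction present
    # The CA identifier is the part of the value before any ";param=..." suffix;
    # a bare ";" therefore yields "" and authorizes no CA at all.
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    return ca_domain.lower() in allowed

def report_addresses(records: list) -> list:
    """iodef values: where a CA should report a request that CAA rejects."""
    return [r.value for r in records if r.tag == "iodef"]
```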
Since April 2017, all CAs must check CAA records before issuing SSL certificates. Major DNS providers such as Amazon Route 53, Dyn, and Cloudflare support CAA records, though adoption in China remains limited.
As cybersecurity requirements grow, CAA records are becoming a baseline for industries such as financial services, e-government, and public services. More DNS service providers are expected to adopt CAA records, making widespread support inevitable.