github.com/StackExchange/dnscontrol/v4@v4.11.0/documentation/language-reference/domain-modifiers/CAA.md

---
name: CAA
parameters:
  - name
  - tag
  - value
  - modifiers...
parameter_types:
  name: string
  tag: '"issue" | "issuewild" | "iodef"'
  value: string
  "modifiers...": RecordModifier[]
---

`CAA()` adds a CAA record to a domain. The name should be the relative label for the record. Use `@` for the domain apex.

Tag can be one of:
1. `"issue"`
2. `"issuewild"`
3. `"iodef"`

Value is a string. Its format depends on the tag. DNSControl will handle any escaping or quoting required, similar to TXT records. For example, use `CAA("@", "issue", "letsencrypt.org")` rather than `CAA("@", "issue", "\"letsencrypt.org\"")`.

Flags are controlled by a modifier:
- `CAA_CRITICAL`: Issuer critical flag. A CA that does not understand this tag will refuse to issue a certificate for this domain.

{% code title="dnsconfig.js" %}
```javascript
D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  // Allow letsencrypt to issue certificates for this domain
  CAA("@", "issue", "letsencrypt.org"),
  // Allow no CA to issue wildcard certificates for this domain
  CAA("@", "issuewild", ";"),
  // Report all violations to test@example.com. If the CA does not support
  // this record, it must refuse to issue any certificate
  CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL),
END);
```
{% endcode %}

DNSControl contains a [`CAA_BUILDER`](CAA_BUILDER.md) which simplifies creating `CAA()` records for your domains. Instead of creating each CAA record individually, you configure your report mail address and the authorized certificate authorities, and the builder takes care of the rest.
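To see what the three records in the `dnsconfig.js` example mean to a certificate authority, the following added example (plain Node.js, not DNSControl code and not valid inside `dnsconfig.js`) models the RFC 8659 issuance decision for that record set. The `records` array, `issuerOf` and `mayIssue` are hypothetical names constructed for illustration.

```javascript
// Added example, not DNSControl code. Constructed record set mirroring the
// dnsconfig.js example; flags 128 is the RFC 8659 Issuer Critical bit.
const records = [
  { flags: 0, tag: "issue", value: "letsencrypt.org" },
  { flags: 0, tag: "issuewild", value: ";" },
  { flags: 128, tag: "iodef", value: "mailto:test@example.com" },
];

// Hypothetical helper: the issuer domain is the text before the first ";".
// A bare ";" yields "", which matches no CA.
function issuerOf(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Hypothetical helper: may a CA identified by caDomain, understanding only
// the tags in knownTags, issue for this name (wildcard or not)?
function mayIssue(rrset, caDomain, wildcard, knownTags) {
  knownTags = knownTags || ["issue", "issuewild", "iodef"];
  const tagOf = (r) => r.tag.toLowerCase();
  // Critical flag on a tag the CA does not understand: refuse outright.
  if (rrset.some((r) => (r.flags & 128) && !knownTags.includes(tagOf(r)))) {
    return false;
  }
  const issue = rrset.filter((r) => tagOf(r) === "issue");
  const issuewild = rrset.filter((r) => tagOf(r) === "issuewild");
  // Wildcard requests use issuewild when present, otherwise fall back to issue.
  const relevant = wildcard && issuewild.length > 0 ? issuewild : issue;
  // No applicable issue/issuewild property (e.g. only iodef): no restriction.
  if (relevant.length === 0) return true;
  return relevant.some((r) => issuerOf(r.value) === caDomain.toLowerCase());
}

console.log(mayIssue(records, "letsencrypt.org", false)); // true
console.log(mayIssue(records, "letsencrypt.org", true)); // false: issuewild is ";"
// A CA that does not implement iodef must refuse because of the critical flag.
console.log(mayIssue(records, "letsencrypt.org", false, ["issue", "issuewild"])); // false
```

The last call shows the operational cost of `CAA_CRITICAL`: issuance is blocked at any CA that does not implement the flagged tag, even one that is otherwise authorized.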