What is a CAA Record?

Question

What is a CAA Record on a domain? How can this be added to a domain hosted on a cPanel server?

Answer

A CAA (Certificate Authority Authorization) DNS record specifies which Certificate Authorities (CAs) are permitted to issue an SSL certificate for a domain. When there are any CAA records present on a domain, then only the authorized Certificate Authorities will be able to issue an SSL for your domain. Conversely, if there are no CAA records defined on a domain, then it is assumed there is no restriction. By default, cPanel does not create a CAA record on a domain.

Note: The AutoSSL feature for cPanel uses the "Let's Encrypt" SSL provider. If a domain has any other CAA record defined, and does not also authorize the "Let's Encrypt" provider, then AutoSSL will be unable to issue an SSL for that domain.

To add a CAA record on a domain, access the DNS Zone Manager in cPanel or WHM. The following provides information on accessing this tool:

How to edit a DNS record in the DNS Zone Manager

In the DNS Zone Manager, use the "Add Record" drop down and select "CAA Record"; this will create a new entry using the CAA record editor.  Enter your domain name, and the value of the CAA record you need. To authorize "Let's Encrypt" for AutoSSL, you should use the value "letsencrypt.org".

Please see the following example screenshot: