Help Center> Domain Name Service> User Guide> Record Sets> Adding Record Sets> Adding a CAA Record Set
Updated on 2023-03-16 GMT+08:00
View PDF

Adding a CAA Record Set

Scenarios

If you want to specify CAs authorized to issue HTTPS certificates for your domain name, add CAA record sets for the domain name.

CAA record sets are used to prevent HTTPS certificates from being incorrectly issued.

For details about other record set types, see Record Set Types and Configuration Rules.

Constraints

CAA record sets can be added only to public zones.

Procedure

  1. Log in to the management console.
  2. Hover the cursor over in the upper left corner. In the service list, choose Networking > Domain Name Service.

    The DNS console is displayed.

  3. In the navigation pane on the left, choose Public Zones.

    The Public Zones page is displayed.

  4. Click the domain name.
  5. Click Add Record Set.

    The Add Record Set dialog box is displayed.

  1. Configure the parameters based on Table 1.
    Table 1 Parameters for adding a CAA record set

    Parameter

    Description

    Example Value

    Name

    Prefix of the domain name to be resolved.

    For example, if the domain name is example.com, the prefix can be as follows:

    • www: The domain name is www.example.com, which is usually used for a website.
    • Left blank: The domain name is example.com.

      In some cases, you may need to set the record set name to the at sign (@). However, the at sign is not supported. Leave the Name blank.

    • abc: The domain name is abc.example.com, a subdomain of example.com.
    • mail: The domain name is mail.example.com, which is typically used for an email server.
    • *: The domain name is *.example.com, which is a wildcard domain name, indicating all subdomains of example.com.

    Left blank

    Type

    Type of the record set

    If a message is displayed indicating that the record set you are trying to create exists, the record set conflicts with an existing record set.

    For details, see Why Is a Message Indicating Conflict with an Existing Record Set Displayed When I Add a Record Set?

    CAA – Grant certificate issuing permissions to CAs

    Line

    Resolution line.

    The DNS server will return the IP address of the specified line, depending on where the visitors come from.

    This parameter is supported only for public domain names.

    • Default: returns the default resolution result irrespective of where the visitors come from.
    • ISP: returns the resolution result based on visitors' carrier networks. For details, see Configuring ISP Lines.
    • Region: returns the resolution result based on visitors' geographical locations. For details, see Configuring Region Lines.

    Default

    TTL (s)

    Cache duration of the record set on a local DNS server, in seconds.

    The value ranges from 300 to 2147483647, and the default is 300.

    If your service address changes frequently, set TTL to a smaller value.

    Learn more about TTL.

    The default value is 300s, which is, 5 minutes.

    Value

    CA to be authorized to issue certificates for a domain name or its subdomains

    You can enter a maximum of 50 record values, each on a separate line.

    The format is [flag] [tag] [value].

    Configuration rules:

    • flag: certificate authority (CA) identifier, which is an unsigned character ranging from 0 to 255. Usually, the value is set to 0.
    • tag: You can enter 1 to 15 characters, including only letters and digits. The tag can be one of the following:
      • issue: authorizes CAs to issue all types of certificates.
      • issuewild: authorizes CAs to issue wildcard certificates.
      • iodef: requests notifications once CAs receive invalid certificate requests.
    • value: authorized CA or email address/URL required for notification once the CA receives invalid certificate requests, depending on the value of tag. The value must be enclosed in quotation marks ("") and can contain a maximum of 255 characters, including letters, digits, spaces, and special characters -#*?&_~=:;.@+^/!%

    0 issue "ca.abc.com"

    0 issuewild "ca.def.com"

    0 iodef "mailto:admin@domain.com"

    0 iodef "http:// domain.com/log/"

    Weight

    (Optional) Weight of a record set. The value ranges from 0 to 1000, and the default value is 1.

    This parameter is supported only for public domain names.

    If a resolution line in a zone contains multiple record sets of the same type, you can set different weights to each record set. For details, see Configuring Weighted Routing.

    1

    Tag

    (Optional) Identifier of the record set. This parameter is displayed when you expand More Settings.

    Each tag contains a key and a value. You can add a maximum of 10 tags to a record set.

    For details about tag key and value requirements, see Table 2.

    example_key1

    example_value1

    Description

    (Optional) Supplementary information about the record set.

    You can enter a maximum of 255 characters.

    -
    Table 2 Tag key and value requirements

    Parameter

    Requirements

    Example Value

    Key
    • Cannot be left blank.
    • Must be unique for each resource.
    • Can contain a maximum of 36 characters.
    • Cannot start or end with a space or contain special characters =*<>\,|/

    example_key1

    Value
    • Cannot be left blank.
    • Can contain a maximum of 43 characters.
    • Cannot start or end with a space or contain special characters =*<>\,|/

    example_value1
  2. Switch back to the Record Sets page.

    View the added record set in the record set list of the zone and ensure that its status is Normal.

Related Operations

For more information about CAA record sets, see Setting CAA Records to Prevent Unauthorized HTTPS Certificate Issuing.

Parent topic: Adding Record Sets