CAA Management Overview
Certificate Authority Authorization (CAA) Management
Certificate Authority Authorization (CAA) is a DNS record that allows domain owners to specify which Certificate Authorities (CAs) are authorized to issue certificates for their domains.
What is CAA?
CAA records specify which CAs are allowed to issue certificates for a domain. When a CA receives a certificate request, it checks CAA records and only issues the certificate if it is authorized.
CAA Record Format
domain.com. IN CAA flags tag "value"
Common CAA Tags
- issue: Specifies which CAs can issue certificates
- issuewild: Specifies which CAs can issue wildcard certificates
- iodef: Specifies where to send violation reports
CAA Management Tool (MVP)
Use the CAA Management tool to:
- Scan a domain’s current CAA policy (GET /api/v1/caa/check)
- Edit issue, issuewild, and iodef entries using a searchable list of known CA domain identifiers
- Review manual DNS instructions showing records to add and remove compared with the scanned policy
- Deploy via Domain Connect when your DNS provider supports it (automated signing is enabled separately via server configuration)
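The comparison behind the manual DNS instructions step can be sketched as follows. This is an added example, not the tool's own code: the function names (parseCaa, canonical, diffPolicy) and the sample records are constructed for illustration, and it assumes records arrive in the zone-file form shown under CAA Record Format.

```javascript
// Added example, not the project's code: names and records are constructed.
const CAA_RE = /^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"\s*$/i;

// Parse one zone-file line: name [ttl] [IN] CAA flags tag "value"
function parseCaa(line) {
  const m = CAA_RE.exec(line.trim());
  if (!m) throw new Error(`not a CAA record: ${line}`);
  const flags = Number(m[2]);
  if (flags > 255) throw new Error(`flags out of range: ${flags}`);
  return {
    name: m[1].toLowerCase().replace(/\.?$/, '.'), // normalise to a trailing dot
    flags,
    tag: m[3].toLowerCase(),                       // tags match case-insensitively
    value: m[4].trim(),
  };
}

// Canonical text form, so equivalent records compare equal (TTL is ignored).
function canonical(rec) {
  let value = rec.value;
  if (rec.tag === 'issue' || rec.tag === 'issuewild') {
    const [issuer, ...params] = value.split(';').map((s) => s.trim());
    value = [issuer.toLowerCase(), ...params.filter(Boolean)].join('; ') || ';';
  }
  return `${rec.name} IN CAA ${rec.flags} ${rec.tag} "${value}"`;
}

// Records to add and remove to move from the scanned policy to the desired one.
function diffPolicy(scannedLines, desiredLines) {
  const scanned = new Set(scannedLines.map((l) => canonical(parseCaa(l))));
  const desired = new Set(desiredLines.map((l) => canonical(parseCaa(l))));
  return {
    add: [...desired].filter((r) => !scanned.has(r)),
    remove: [...scanned].filter((r) => !desired.has(r)),
  };
}

// Constructed sample: one CA stays, one is dropped, wildcards are denied.
const scanned = [
  'example.com. IN CAA 0 issue "ca.example"',
  'example.com. 3600 IN CAA 0 ISSUE "Old-CA.example"',
];
const desired = [
  'example.com. IN CAA 0 issue "CA.example"',
  'example.com. IN CAA 0 issuewild ";"',
  'example.com. IN CAA 0 iodef "mailto:security@example.com"',
];
console.log(diffPolicy(scanned, desired));
```

An issuewild value of ";" authorizes no CA for wildcard certificates, and the unchanged issue record appears in neither list because issuer names and tags are compared case-insensitively.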
CA identifier data
Known CA domain identifiers are loaded from the CDN at https://cdn.goodroots.work/ct/caa-ca-domain-identifiers.json through the Worker API endpoint GET /api/v1/caa/ca-identifiers.
Local development
Run npm run dev:wrangler from the repository root so /api/v1/* routes and R2/KV bindings are available. Astro-only dev (npm run dev:site) does not proxy the Worker API.