Skip to main content
All CollectionsTechnical Tidbits
CAA Records and Cloudflare
CAA Records and Cloudflare

Be careful of the impact of adding CAA records to your DNS zone files!

Alex Lemaire avatar
Written by Alex Lemaire
Updated over 2 years ago

What are CAA records?

The CAA record is a type of DNS record used to provide additional confirmation for the Certification Authority (CA) when validating an SSL certificate. This record allows you to specify which certification authorities are authorized to deliver SSL certificates for your domain. See the RFC here.

Any CAA records added to a parent zone (e.g., financial.com) will be inherited by subdomains (e.g., lemonade.financial.com). Adding a record to the parent, can quickly break things for its children.

What's the Risk of adding CAA records?

Cloudflare uses specific issuers to issue its auto-renewing certificates. If you add CAA records that do not include Cloudflare's issuers, you will prevent Cloudflare from issuing SSL. The result of this, is SSL expiry (downtime) that LemonadeLXP is powerless to resolve.

What CAA records do I need to add, to ensure that Cloudflare can continue issuing SSL certificates for me?

Please see this article (maintained by Cloudflare) for the most recent list of SSL issuers.

Did this answer your question?