CAA records

I’d like to add CAA records to my domain. I’ve read the support article on the topic, and various other posts on the topic, some of which reference iodef, but frankly I’m no closer to understanding it!

I’m using Universal SSL, so by my reading of the support doc (although it took several readings to understand this point) I need to add a CAA record, rather than it just being done automatically - but once I add a record it is done automatically. Bit confused here, but okay.

So try to add a record:

  • Type CAA
  • Name: @
  • Tag: Send violation reports to URL. No idea where to input the value for this.
  • CA domain name: ? My domain name? But CF knows this. Is it where the violation reports URL should go? If so the text at the top makes no sense.

Thanks for any help that can be offered!

I use a single CAA Record. “Name” should just be @ (shorthand for your domain). I use mailto: and have it send to a reporting mailbox I check. It’s a public record, so I don’t use a personal mailbox.

Many thanks! That is so not an obvious interface. This is what the text above the new record shows:

mailto:[email protected]{domain} can issue certificates for {domain} and sends violation reports to URL (http:, https:, or mailto:).

If I use a wildcard, do I need another entry for that?

No, but it looks like you didn’t select the proper dropdown for the Tag field.

Thanks for that clarification. I think I did - it looks like the JavaScript handling that message just doesn’t switch the sentence around to make sense when that option is selected:

Just be aware that you probably will not get any notifications by using iodef. I have yet to come across a CA that actually sends reports. I would still create an iodef record, as hopefully with big enough deployment the CAs might actually implement it!

I do it just because without my own CAA record (of any type), Cloudflare won’t automatically publish the others. Or at least didn’t in the past.
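To make the thread's two technical questions concrete (what goes in each field of a CAA record, and whether a wildcard needs its own entry), here is an added example that is not from the thread, from Cloudflare or from any CA: a small Python evaluator that applies the RFC 8659 rules a CA follows when it checks a name. The zone contents, the CA names (`ca-one.example`, `ca-two.example`) and the reporting mailbox are constructed placeholders, not real values. It shows that a plain `issue` record also governs `*.example.com` unless an `issuewild` record is present, that an `iodef` record on its own restricts nobody, and that `issue ";"` or an unrecognised tag with the critical flag (128) blocks issuance entirely.

```python
"""Evaluate CAA (RFC 8659) records for a name and a wildcard the way a CA does.

Added example, not code from the thread or from Cloudflare; the zone data
and CA names below are constructed for illustration.
"""
from dataclasses import dataclass

CRITICAL = 128                      # RFC 8659 section 4.1.1, issuer-critical flag
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    """One CAA RR: flags byte, property tag and property value."""
    flags: int
    tag: str
    value: str

    @classmethod
    def parse(cls, presentation: str) -> "CAA":
        # Presentation format as seen in a zone file, e.g. '0 issue "ca-one.example"'
        flags, tag, value = presentation.split(None, 2)
        return cls(int(flags), tag.lower(), value.strip().strip('"'))

    def issuer_domain(self) -> str:
        # 'ca.example; accounturi=...' -> 'ca.example'; a bare ';' -> '' (no CA)
        return self.value.split(";", 1)[0].strip().lower()


# Constructed zone: owner name -> CAA records in presentation format.
ZONE = {
    "example.com.": [
        '0 issue "ca-one.example"',
        '0 iodef "mailto:caa-reports@example.com"',
    ],
    # issuewild present: it alone governs wildcard names at this label
    "wild.example.com.": [
        '0 issue "ca-one.example"',
        '0 issuewild "ca-two.example"',
    ],
    # empty issuer domain: no CA may issue at all
    "locked.example.com.": ['0 issue ";"'],
    # critical flag on a tag the CA does not understand: must refuse
    "crit.example.com.": ['128 futuretag "x"', '0 issue "ca-one.example"'],
}


def _canon(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def relevant_rrset(name: str, zone: dict) -> list:
    """RFC 8659 section 3: the CAA RRset at the name itself, otherwise the
    closest ancestor that has one.  Empty list if no ancestor has CAA."""
    labels = _canon(name).rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return [CAA.parse(r) for r in zone[owner]]
    return []


def may_issue(ca: str, name: str, zone: dict) -> bool:
    """Is the CA identified by `ca` permitted to issue for `name`?
    A leading '*.' label makes it a wildcard request (section 4.3)."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True                   # no CAA anywhere up the tree: unrestricted
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                  # section 4.1.1: unknown critical property
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    issue = [r for r in rrset if r.tag == "issue"]
    # issuewild only takes over for wildcard names, and only if it exists;
    # otherwise the issue records govern wildcard and non-wildcard alike
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                   # only iodef (or nothing relevant): unrestricted
    return ca.lower() in {r.issuer_domain() for r in governing}


def iodef_targets(name: str, zone: dict) -> list:
    """URLs (mailto:, http:, https:) a CA may report violations to."""
    return [r.value for r in relevant_rrset(name, zone) if r.tag == "iodef"]


if __name__ == "__main__":
    for ca, n in [("ca-one.example", "www.example.com."),
                  ("ca-one.example", "*.example.com."),
                  ("ca-one.example", "*.wild.example.com."),
                  ("ca-two.example", "*.wild.example.com."),
                  ("ca-one.example", "locked.example.com.")]:
        print(f"{ca:16} {n:24} {may_issue(ca, n, ZONE)}")
    print(iodef_targets("www.example.com.", ZONE))
```

Two practical notes follow from the code. First, the `issue` record on `example.com.` is found by climbing from `www.example.com.` and also governs `*.example.com.`, which is why a single record covers both the apex and a wildcard. Second, `iodef_targets` only returns a URL; nothing in RFC 8659 obliges a CA to use it, which matches the experience reported above that reports rarely arrive.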