Home / Tools / Add a CAA DNS record to restrict who can issue SSL certs for your domain
Domain & DNS Health · Scan Check Guide

Add a CAA DNS record to restrict who can issue SSL certs for your domain

15 min Impact: medium Effort: low ✓ Scan-verified — no manual checkbox

A CAA record specifies exactly which Certificate Authorities are allowed to issue an SSL certificate for your domain — without one, any trusted CA can issue a certificate for your domain, which becomes a real risk if any single CA in the entire ecosystem is ever compromised.

CAA records restrict which Certificate Authorities can issue SSL certificates for your domain. Without one, any CA can issue a certificate for your domain — a significant security risk.

How to fix it

  1. 1
    Identify your actual certificate provider
    Check who issued your current SSL certificate (Let's Encrypt, Cloudflare, DigiCert, etc.).
  2. 2
    Add a CAA record restricting to that provider
    A TXT-style DNS record like 0 issue "letsencrypt.org" explicitly allows only that CA to issue certificates for your domain.
  3. 3
    Include any CAs you might legitimately switch to
    If you might change providers later, list multiple authorized CAs, or update this record when you do switch.

Common mistakes

How you'll know it's done

A CAA record exists, restricting certificate issuance to your actual certificate provider(s).

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →