CAA policy
CAA lets you restrict which certificate authorities may issue certificates for your domain. If the policy is missing, you lose that control. If the policy is wrong, renewals can fail even though the live certificate still works today.
What this usually means
- No CAA record published: No hostname or parent-zone CAA record was found, so issuance is not explicitly restricted.
- Wrong CA allowed: The published `issue` or `issuewild` values do not appear to authorize the CA that issued the current certificate.
- Renewal risk: Even if the current certificate is still valid, the next renewal can fail if the DNS CAA policy blocks the chosen CA.
Fix path
- Identify the CA you actually use: Check the current issuing CA from the live chain, or confirm which CA your automation, CDN, or certificate platform expects to use.
- Publish the right `issue` values: Add a DNS CAA record for the hostname or parent zone that authorizes the CA you want. Example format: `CAA 0 issue "letsencrypt.org"`.
- Handle wildcard issuance separately: If you use wildcard certificates, add `issuewild` where required by your CA policy design.
- Add reporting if useful: You can add `iodef` so some CAs can report issuance policy problems or unexpected requests.
Verify after change
- Re-run TLS Advisor: The CAA section should show the record, the lookup location, and no authorization conflict with the current CA.
- Test renewal before expiry pressure: Do not wait until the certificate is close to expiry before confirming that your CA can still issue under the updated CAA policy.
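The fix path and the verification step above both come down to one question: given the CAA RRset that a CA will actually find for a name (the hostname's own record, or the nearest parent's), is the CA you rely on authorized for the kind of certificate you request? The script below is an added example written for this page, not part of TLS Advisor or any CA's code. It implements the RFC 8659 lookup (walk from the hostname up through its parents until a CAA RRset exists), applies the `issuewild` fallback rule for wildcard names, strips property parameters from `issue` values, and treats a critical unknown property as a deny. All DNS data is a constructed in-memory table (`SAMPLE_ZONES`), so it runs offline; the names, records and CA domains in it are assumptions for illustration.

```python
"""Offline CAA policy check (added example; not TLS Advisor's own code).

Implements the RFC 8659 relevant-record lookup (walk from the hostname up
through its parent names until a CAA RRset is found) and decides whether a
given CA's issuer domain is authorized for a standard or a wildcard
certificate. DNS data comes from a constructed in-memory table so the
script runs offline; swap in a real resolver for live checks.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample zone data (not real DNS answers):
#   owner name -> list of CAA records as (flags, tag, value)
SAMPLE_ZONES: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                      # ";" = nobody may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "api.example.com.": [
        (0, "issue", "pki.goog; cansignhttpexchanges=yes"),  # value carrying a parameter
    ],
    "locked.example.org.": [
        (128, "somefuturetag", "x"),                # critical flag set, tag unknown to us
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CaaDecision:
    authorized: bool
    lookup_name: Optional[str]   # owner name of the relevant CAA RRset, None if none found
    reason: str


def _fqdn(name: str) -> str:
    """Lowercase and add the trailing dot so table lookups are consistent."""
    return name.lower().rstrip(".") + "."


def find_relevant_rrset(hostname: str, zones):
    """RFC 8659 section 3: first non-empty CAA RRset from the name up to the root."""
    labels = _fqdn(hostname).rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        records = zones.get(owner)
        if records:
            return owner, records
    return None, []


def _issuer_domain(value: str) -> str:
    """'issuer-domain; key=val' -> 'issuer-domain'; a bare ';' yields ''."""
    return value.split(";", 1)[0].strip().lower()


def check_issuance(name: str, ca_domain: str, zones=SAMPLE_ZONES) -> CaaDecision:
    """Decide whether ca_domain may issue for name (a '*.' prefix means a wildcard cert)."""
    wildcard = name.startswith("*.")
    hostname = name[2:] if wildcard else name
    owner, records = find_relevant_rrset(hostname, zones)
    if owner is None:
        return CaaDecision(True, None, "no CAA record on the hostname or any parent; not restricted")

    # A critical (flag bit 128) property the CA does not understand forbids issuance.
    for flags, tag, _ in records:
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return CaaDecision(False, owner, f"critical unknown property '{tag}' at {owner}")

    issue = [v for _, tag, v in records if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in records if tag.lower() == "issuewild"]
    # Section 4.3: issuewild governs wildcards when present, otherwise issue applies.
    use_wild = wildcard and bool(issuewild)
    applicable, tag_used = (issuewild, "issuewild") if use_wild else (issue, "issue")
    if not applicable:
        return CaaDecision(True, owner, f"CAA RRset at {owner} has no {tag_used} property; not restricted")

    allowed = {_issuer_domain(v) for v in applicable} - {""}
    if ca_domain.lower() in allowed:
        return CaaDecision(True, owner, f"{ca_domain} authorized by {tag_used} at {owner}")
    shown = ", ".join(sorted(allowed)) or "nobody (';')"
    return CaaDecision(False, owner, f"{ca_domain} not in {tag_used} at {owner}: allows {shown}")


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("api.example.com", "pki.goog"),
                     ("host.unrestricted.test", "letsencrypt.org"),
                     ("locked.example.org", "letsencrypt.org")]:
        d = check_issuance(name, ca)
        print(f"{name:26} {ca:16} {'OK  ' if d.authorized else 'FAIL'} {d.reason}")
```

Two of the sample cases are the ones that bite in practice. `api.example.com` publishes its own CAA record, so the parent's `issue "letsencrypt.org"` no longer applies to it and a Let's Encrypt renewal for that host would fail even though the zone apex looks correct. `*.example.com` is governed by `issuewild ";"`, so no CA may issue a wildcard there regardless of what `issue` allows. Running the same logic against live DNS (replace `SAMPLE_ZONES` with resolver output) before the renewal window is the check the "Test renewal before expiry pressure" step asks for.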