Add DNS CAA Record to a DNS Zone File

Dec 11, 2025

OVERVIEW: This page walks you through the process of adding a Certification Authority Authorization (CAA) record to your DNS zone file. For more Domain Verification Method guides, please refer to this page.

   

Prerequisites

  • First, determine which syntax type your DNS product requires when configuring your DNS zone file. Please refer to the table below:

    | Syntax Type | DNS Product | Example |
    |---|---|---|
    | Standard BIND (RFC 6844) | BIND (version 9.9.6 and higher); Knot DNS (version 2.2.0 and higher); NSD (version 4.0.1 and higher); PowerDNS (version 4.0.0 and higher) | example.com.       CAA       0 issue "globalsign.com" |
    | Legacy BIND (RFC 3597) | BIND (any version prior to BIND 9.9.6); NSD (any version prior to NSD 4.0.1) | example.com. IN TYPE257 \# 21 00056973737565676C6F62616C7369676E2E636F6D |
    | Generic | Google Cloud DNS; DNSimple | 0 issue "globalsign.com" |

Guidelines

  1. Open your domain's DNS zone file in a text editor such as Notepad. Note: You can find your DNS records on the machine where your domain is registered.

  2. Configure the file to include your desired CA(s) in your DNS CAA record. You can check the table above for your reference. Note: You can authorize more than one CA by adding a separate CAA record for each one; if you list only one CA, issuance of SSL/TLS certificates on that domain is limited to just that CA.

  3. Save your zone file and close the text editor.

IMPORTANT: If you have any issues or questions about whether CAA is supported with your setup, contact your DNS manager for further details.
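The Standard BIND and Legacy BIND rows of the table describe the same record in two notations. The added example below (not GlobalSign's code) builds both lines from one flags/tag/value triple and decodes a TYPE257 line back so the hex can be reviewed before the zone is reloaded; the function names and the second CA domain `ca.example` are assumptions made for illustration.

```python
def caa_rdata(flags, tag, value):
    """Build CAA wire-format RDATA: flags octet, tag-length octet, tag, value."""
    tag_b, value_b = tag.encode("ascii"), value.encode("ascii")
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not tag_b.isalnum() or len(tag_b) > 255:
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    return bytes([flags, len(tag_b)]) + tag_b + value_b

def to_standard(owner, flags, tag, value):
    """Standard BIND (RFC 6844) presentation form."""
    return f'{owner} CAA {flags} {tag} "{value}"'

def to_legacy(owner, flags, tag, value):
    """Legacy BIND (RFC 3597) form: TYPE257, the \\# token, length, hex RDATA."""
    rdata = caa_rdata(flags, tag, value)
    return f"{owner} IN TYPE257 \\# {len(rdata)} {rdata.hex().upper()}"

def from_legacy(line):
    """Decode a TYPE257 line back to (owner, flags, tag, value)."""
    words = line.split()
    marker = words.index("\\#")          # ValueError if the token is missing
    declared = int(words[marker + 1])
    rdata = bytes.fromhex("".join(words[marker + 2:]))
    if len(rdata) != declared:
        raise ValueError(f"declared {declared} octets, found {len(rdata)}")
    tag_len = rdata[1]
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii")
    return words[0], rdata[0], tag, value

def zone_lines(owner, cas, legacy=False):
    """One 'issue' record per authorized CA."""
    render = to_legacy if legacy else to_standard
    return [render(owner, 0, "issue", ca) for ca in cas]

if __name__ == "__main__":
    # Constructed sample: the page's CA plus a placeholder second CA.
    for legacy in (False, True):
        print("\n".join(zone_lines("example.com.",
                                   ["globalsign.com", "ca.example"], legacy)))
```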
