How to set up a CAA record on AWS Route 53
Add a CAA record in AWS Route 53 to control which certificate authorities are allowed to issue SSL certificates for your domain.
Why this matters to your business
A CAA record names which certificate authorities (the companies that issue the SSL/TLS certificates behind the padlock in a browser) are allowed to issue a certificate for your domain. Every publicly trusted authority is required to look up this record before it issues and to refuse the request if it is not on the list; the CA/Browser Forum has made that check mandatory since September 2017.
In plain terms: without a CAA record, any of the hundreds of certificate authorities worldwide could be tricked or make a mistake and hand someone a valid certificate for your domain, which an attacker could use to impersonate your website convincingly. A CAA record shuts that door by saying only these authorities, nobody else. It’s free and takes a few minutes. Two limits are worth knowing: it only constrains authorities that honour the check (a compromised or negligent one can still misissue), and it offers nothing if an attacker already controls your DNS, because they can simply rewrite the record.
Confirm Route 53 runs your DNS
This only works if Route 53 is answering DNS for your domain. In Route 53 your records live inside a hosted zone for the domain, and that zone is only live when your domain’s nameservers point at the four Route 53 nameservers listed in the zone. Open the hosted zone, check its NS record, and confirm those nameservers are set at your registrar. If your nameservers point elsewhere, add the CAA record at whichever provider runs your DNS instead.
Know your certificate authority first
Before you add anything, find out which authority issues your certificate, or you risk locking out your own provider. Common values:
- amazon.com: Amazon (AWS Certificate Manager, ACM). AWS also documents amazontrust.com, awstrust.com and amazonaws.com as accepted values; amazon.com is the usual choice.
- letsencrypt.org: Let’s Encrypt (used by most free and automated certificates)
- digicert.com: DigiCert
- sectigo.com: Sectigo
- globalsign.com: GlobalSign
- pki.goog: Google Trust Services
If you use AWS Certificate Manager to provision certificates, any CAA record you create must allow amazon.com (or one of the other AWS values above); a domain with no CAA record at all lets ACM issue, but a CAA record that omits Amazon blocks it. If you’re unsure, ask whoever set up your hosting, or check the certificate in your browser (click the padlock, then view the certificate’s issuer).
Step-by-step on Route 53
- Sign in to the AWS Management Console and open Route 53.
- In the left menu, choose Hosted zones, then select your domain.
- Click Create record.
- Leave the Record name field empty to apply the record to the root of your domain (the apex). Do not type your domain name in here.
- Set Record type to CAA.
- In the Value box, enter the record in Route 53’s three-part format on one line: 0 issue "letsencrypt.org". That is the flags (0), then the tag (issue), then the certificate authority in double quotes.
- Leave TTL at the default (300 seconds is fine).
- Choose Simple routing if asked, then click Create records.
Allowing more than one certificate authority
Most domains use more than one authority over time — for example, AWS Certificate Manager for one service and Let’s Encrypt for another. In Route 53 you add the extra authorities as additional lines in the same CAA record’s Value box, one per line:
0 issue "amazon.com"
0 issue "letsencrypt.org"
Together those say both of these authorities are allowed, no others. Each line is a separate issue entry; you do not put two authorities on one line. A record at the apex also governs every subdomain that has no CAA record of its own, because an authority checks the exact hostname first and then walks up towards the apex until it finds one. An issue entry covers wildcard certificates too, unless the record also contains an issuewild entry, in which case only the issuewild entries decide who may issue wildcards.
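The console steps above, and the multi-authority record described in this section, map onto a single Route 53 API call. The following is an added example written for this page, not code from AWS or from the page itself: it builds the change batch for an apex CAA record set with one value per authority, checks each value against the format Route 53 expects before anything is sent, and only imports boto3 when you actually push the change, so the builder runs offline. The zone name, zone ID and CA list are illustrative.

```python
"""Create or replace an apex CAA record set in Route 53 via the API.

Added example (not from the page or AWS). The hosted zone and CA list are
illustrative; boto3 is imported only inside apply(), so everything else
runs without AWS credentials.
"""
from __future__ import annotations

# CA identifiers as they appear in CAA records: bare domains, no scheme, no "www.".
ACM = "amazon.com"           # AWS Certificate Manager
LETS_ENCRYPT = "letsencrypt.org"


def caa_value(ca: str, tag: str = "issue", flags: int = 0) -> str:
    """Render one CAA value in Route 53's three-part format: flags tag "ca"."""
    if flags not in (0, 128):
        raise ValueError("CAA flags must be 0, or 128 for issuer-critical")
    if tag not in ("issue", "issuewild", "iodef"):
        raise ValueError(f"unknown CAA tag {tag!r}")
    ca = ca.strip()
    if "://" in ca or "/" in ca or ca.startswith("www."):
        raise ValueError("use the CA's bare domain, e.g. letsencrypt.org, not a URL")
    return f'{flags} {tag} "{ca}"'


def caa_change_batch(zone_name: str, cas: list[str], ttl: int = 300) -> dict:
    """Build the ChangeBatch for the apex CAA record set.

    One ResourceRecord per CA, which is exactly "one per line" in the console's
    Value box. UPSERT creates the record set if it is missing and replaces the
    whole value list if it exists, so the list passed here must be complete.
    """
    if not cas:
        raise ValueError("refusing to build an empty CAA set: it would lock out every CA")
    apex = zone_name.rstrip(".") + "."   # Route 53's canonical form carries a trailing dot
    return {
        "Comment": "Restrict certificate issuance to the CAs we actually use",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": apex,
                "Type": "CAA",
                "TTL": ttl,
                "ResourceRecords": [{"Value": caa_value(ca)} for ca in cas],
            },
        }],
    }


def apply(hosted_zone_id: str, batch: dict) -> str:
    """Push the change with boto3 and return the change ID (needs AWS credentials)."""
    import boto3  # imported here so the rest of the module works without it

    client = boto3.client("route53")
    resp = client.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    return resp["ChangeInfo"]["Id"]


if __name__ == "__main__":
    # Hypothetical zone; replace the name and the zone ID before running for real.
    batch = caa_change_batch("example.com", [ACM, LETS_ENCRYPT])
    for rr in batch["Changes"][0]["ResourceRecordSet"]["ResourceRecords"]:
        print(rr["Value"])
    # print(apply("Z0000000000EXAMPLE", batch))
```

Because UPSERT replaces the entire value list, keep the full set of authorities you use in one place and regenerate the record from it; partial updates are how a provider gets dropped by accident.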
Route 53 quirks people get wrong
- The biggest mistake is locking out your own authority. If you add a CAA record listing only digicert.com but your certificate actually renews through Let’s Encrypt or ACM, the next renewal will silently fail and your padlock can break weeks later. Always include every authority you genuinely use before you save.
- Allow amazon.com for ACM. If your certificates come from AWS Certificate Manager and your CAA record does not include amazon.com, ACM validation and renewal will fail. This is the most common Route 53-specific trip-up.
- The quotes around the CA are required. Route 53 expects 0 issue "letsencrypt.org" with the authority in double quotes. Leaving them off makes the record invalid.
- Leave the record name blank for the root. An empty name applies the record at the apex; typing the domain name there creates it in the wrong place.
- Flags is 0 for a normal record. The other value, 128, is the issuer-critical flag: an authority that does not understand the tag on that line must refuse to issue rather than ignore it. Only use it deliberately.
- Use the bare domain, not a URL. The value is letsencrypt.org, never https://letsencrypt.org and never www.letsencrypt.org.
- Give it time. DNS changes can take a few minutes up to a couple of hours to take effect. Existing certificates keep working; CAA is only checked when a new one is issued or renewed.
Verify it worked
Once saved and propagated, run the free check on this site, or query your domain’s CAA record with any public DNS lookup tool. Either will show whether the record is in place and which authorities you’ve allowed; compare that list against the issuer of every certificate you currently use before you consider the job done.