CAA Record Helper

CAA records of domains



Who Supports CAA?

If you want to publish a CAA record, your domain’s DNS software (or provider) needs to support CAA. This page tells you which DNS software and providers support CAA.

If you don’t want to publish a CAA record, it shouldn’t matter whether or not your domain’s DNS software supports CAA, since the DNS protocol provides a way to add new record types in a backwards compatible way. Unfortunately, some DNS software is broken and mishandles unsupported record types such as CAA. If your domain uses such DNS software, you may have trouble getting certificates for your domain.

Please open an issue if you have an addition to this page.


Software/Provider Support Comments
BIND Yes Prior to version 9.9.6 use RFC 3597 syntax
Knot DNS ≥2.2.0
ldns ≥1.6.17
NSD Yes Prior to version 4.0.1 use RFC 3597 syntax
OpenDNSSEC Yes With ldns ≥1.6.17
PowerDNS ≥4.0.0 Versions 4.0.3 and below are buggy when DNSSEC is enabled.
Simple DNS Plus ≥6.0
tinydns Yes Use generic record syntax
Windows Server 2016 Yes Use RFC 3597 syntax

Common Record Types

A or AAAA Record – Usually a 1 hour TTL is a good compromise between enabling fast changes while taking advantage of DNS caching while someone is visiting your site. If changes to this record are often or need to happen quickly in an emergency, you can usually set it as low as 30 seconds. For DynECT Managed DNS features such as Active Failover, Load Balancing and GSLB, you can set the TTLs between 30 seconds and 5 minutes. For non-critical records that rarely – if ever – will need to change, you may be able to get away with having a TTL in the 12 hours to 1 day range.

CNAME record – In many cases, a CNAME record will never be modified (ex. pointing www.example.com to example.com’s A record). In those scenarios, a 12 hour to 1 day TTL is a good compromise as the benefits of caching outweigh need for a faster propagation time. If your CNAME record could potentially change (such as if you are using a CDN), you will want to a have a lower TTL.

MX Record – MX records rarely, if ever, change, especially if you are using an email provider with a good track record or you have lots of redundancy when self hosting. You can usually set this to a 12 hour or 1 day TTL. If you want to ensure faster propagation times in the event of an emergency, a 1 to 4 hour TTL is a good compromise.

TXT Records – Most commonly used for SPF or DKIM records. Usually safe to set in the 1 hour to 12 hour range since they rarely change.

In the end, keep in mind that what you set the TTL to is what you are most comfortable with. It is all about striking a reasonable balance between a fast propagation time and taking advantage of DNS caching.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.