Certification Authority Authorization (CAA) allows a domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.
CAA is an optional DNS record, but if it is present, CAs must check whether their domain name is in the issue or issuewild (for wildcard certificates) properties.
CAA 0 issue "letsencrypt.org"
CAA 0 issue "example.com"
CAA 0 iodef "mailto:firstname.lastname@example.org"
0: "Critical Flag" intended to introduce new properties in the future, at the moment only
issue: which CAs (Let's Encrypt in this case and a hypothetical Example CA) can issue both regular and wildcard certificates for this domain. Add issuewild if you want some other CA to issue wildcard certificates; in that case any existing issue properties are ignored by the CA when processing a request for a wildcard certificate
iodef: URL (https:) where reports of invalid certificate requests may be sent, in Incident Object Description Exchange Format
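The issue/issuewild selection described above, as an added example (not code from this page or from any CA): a small evaluator that parses records in the form shown here and decides whether a given CA may issue a regular or a wildcard certificate. It goes slightly beyond the text: the issuewild record for wildcard-ca.example is a constructed assumption, and the handling of the critical bit (128) and of an empty issuer value follows RFC 8659.

```python
import re

# Constructed sample: the issue/iodef records from this page plus a
# hypothetical issuewild record (wildcard-ca.example is not from the page).
SAMPLE = """
CAA 0 issue "letsencrypt.org"
CAA 0 issue "example.com"
CAA 0 issuewild "wildcard-ca.example"
CAA 0 iodef "mailto:firstname.lastname@example.org"
"""

RECORD = re.compile(r'CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(text):
    """Return (flags, tag, value) tuples for every CAA line in text."""
    records = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records

def issuers(records, tag):
    """CA domains named by `tag`; parameters after ';' are dropped."""
    return [v.split(";")[0].strip().lower() for f, t, v in records if t == tag]

def may_issue(records, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue for this record set."""
    # A critical property the CA does not understand blocks all issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    allowed = issuers(records, "issue")
    if wildcard:
        wild = issuers(records, "issuewild")
        if wild:
            allowed = wild  # existing issue properties are ignored
    if not allowed:
        return True  # no issue/issuewild property: CAA does not restrict
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    print(may_issue(parse_caa(SAMPLE), "letsencrypt.org", wildcard=True))
```

Running the evaluator against a domain's real record set before ordering a certificate shows whether the intended CA is covered for both regular and wildcard requests.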
The canhas.report domain has a similar DNS CAA record.
I'm currently not aware of any certification authority sending CAA reports and the Incident Object Description Exchange Format is quite extensive to come up with an artificial example report. Let me know if you are a CA sending CAA reports or if you know about one.