The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain.
CAA Resource Records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.
You can check the CAA records of your domain here:
https://www.whatsmydns.net/dns-lookup/caa-records?query=interssl.com&server=google
Example CAA records for SECTIGO PositiveSSL, DigiCert RapidSSL as well as CERTUM:
example.com. 21050 IN CAA 0 issue "sectigo.com"
example.com. 21050 IN CAA 0 issuewild "sectigo.com"
example.com. 21050 IN CAA 0 issue "digicert.com"
example.com. 21050 IN CAA 0 issuewild "digicert.com"
beispieldomain.com. 21050 IN CAA 0 issue "certum.eu"
beispieldomain.com. 21050 IN CAA 0 issuewild "certum.eu"
Please note that for Multi-Domain and Wildcard certificates BOTH records (issue and issuewild) need to be present!
IMPORTANT: The CA does not automatically recheck the CAA records after a "Pre-Sign Failed" error. Please first correct the CAA records and then contact our support so we can request a recheck with the CA.
This document defines the syntax of the CAA record and rules for processing CAA records by certificate issuers.
Show details in RFC 6844:
https://tools.ietf.org/html/rfc6844
