
issuewild

Issuewild is a tag used in DNS Certification Authority Authorization (CAA) resource records. It specifies which certificate authorities are permitted to issue wildcard certificates for a domain, helping domain owners restrict wildcard certificate issuance.

CAA records enable domain owners to authorize certificate issuance by specifying allowed issuing authorities. The issuewild tag is designed specifically for wildcard certificates (for example, those covering *.example.com). A compliant certificate authority must check the domain’s CAA records when processing a wildcard certificate request and may issue only if its name appears in an issuewild record for that domain or its delegated name. If no matching authorization exists, a compliant CA should refuse to issue a wildcard certificate. The issue tag continues to govern non-wildcard certificates.

Syntax and examples: Each CAA record has a flag, a tag name, and a value. Example: example.com. IN CAA 0 issuewild "letsencrypt.org". Multiple records can be present for different authorities. issuewild records can coexist with issue records to authorize both wildcard and non-wildcard issuance, and you can add iodef records to specify incident response contacts.

Adoption and limitations: The CAA framework is widely supported by major certificate authorities and DNS providers, and is recommended for controlling certificate issuance. However, support can vary by issuer, and misconfigurations or DNS propagation delays can temporarily affect issuance. As with all DNS-based controls, CAA relies on correct delegation and visibility across the DNS ecosystem.

See also: CAA records, wildcard certificates, certificate authorities.
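
The check a CA performs on issue and issuewild records, as an added example that is not part of the original page or of any CA's code. It follows RFC 8659 and goes one step beyond the text above: when a domain publishes no issuewild record at all, its issue records govern wildcard requests as well. The zone data is constructed, "ca-a.example" is a hypothetical CA, and the function names are illustrative.

```python
# Added example: CAA evaluation per RFC 8659 over constructed records.
# ZONE is constructed sample data; "ca-a.example" is a hypothetical CA name.
ZONE = {
    "example.com": [(0, "issue", "ca-a.example"),
                    (0, "issuewild", "letsencrypt.org"),
                    (0, "iodef", "mailto:security@example.com")],
    "example.org": [(0, "issue", "ca-a.example")],   # no issuewild record
    "example.net": [(0, "issuewild", ";")],          # empty issuer: no CA allowed
}

def relevant_rrset(name, zone):
    """Climb from name toward the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Issuer domain from a property value; parameters after ';' are ignored here."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(requested, ca, zone=ZONE):
    """True if CA `ca` may issue for `requested`; a leading '*.' marks a wildcard."""
    wildcard = requested.startswith("*.")
    # A wildcard request is evaluated against the name with "*." removed.
    rrset = relevant_rrset(requested[2:] if wildcard else requested, zone)
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild is ignored for non-wildcard names; for wildcard names it
    # replaces issue whenever at least one issuewild record exists.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # no applicable property: CAA does not restrict issuance
    return any(issuer_domain(v) == ca.lower() for v in props)

if __name__ == "__main__":
    for name, ca in [("*.example.com", "letsencrypt.org"),
                     ("*.example.com", "ca-a.example"),
                     ("www.example.com", "ca-a.example"),
                     ("*.example.org", "ca-a.example"),
                     ("*.example.net", "letsencrypt.org")]:
        print(f"{name:18} {ca:16} -> {may_issue(name, ca)}")
```

A domain that wants no wildcard certificates from any CA publishes the example.net form, issuewild ";", which leaves non-wildcard issuance untouched.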