Hostinger

CAA (Certification Authority Authorization) records are a type of DNS record used by SSL certificates to indicate which certificate authorities can issue SSL/TLS certificates for your domain.

If your domain is <a href="https://support.hostinger.com/en/articles/1863967-how-to-point-domain-to-hostinger">pointing to Hostinger</a> by nameservers, the required CAA records are added by default.

In case you need additional records - for example, to install a <a href="https://support.hostinger.com/en/articles/1583785-how-to-install-a-custom-ssl">custom SSL</a>, go to your domain's <a href="https://support.hostinger.com/en/articles/1583249-how-can-i-manage-my-dns-records">DNS Zone Editor</a>, scroll to the Manage DNS records area, and choose CAA on the type of record:

- For your domain, insert @ as Name
- For subdomains, insert the subdomain's name, eg. if you have a subdomain store.domain.tld, use store as name

Flag - the default value is 0. If you use 1, it can block the validation in case the tag is unknown by the Certificate Authority (CA)

Tag - you can choose from the following:

- issue: The CA is authorized to provide a certificate for this domain
- issuewild: the CA can issue wildcard certificates for this domain
- iodef: URL that the CA can use to send an error message

CA domain - specify the Certificate Authority. Both the tag and the CA domain should be provided by your certificate issuer

TTL - the default value is 14400 seconds

- Name
 - For your domain, insert @ as Name
 - For subdomains, insert the subdomain's name, eg. if you have a subdomain store.domain.tld, use store as name
- Flag - the default value is 0. If you use 1, it can block the validation in case the tag is unknown by the Certificate Authority (CA)
- Tag - you can choose from the following:
 - issue: The CA is authorized to provide a certificate for this domain
 - issuewild: the CA can issue wildcard certificates for this domain
 - iodef: URL that the CA can use to send an error message
- CA domain - specify the Certificate Authority. Both the tag and the CA domain should be provided by your certificate issuer
- TTL - the default value is 14400 seconds

In case your domain is pointing somewhere else by nameservers, you can add the default CAA records for Hostinger on <a href="https://support.hostinger.com/en/articles/4410887-how-to-make-dns-record-changes-in-other-registrars-hosting-providers">your domain’s DNS Zone</a> using the following values:

If you use <a href="https://support.hostinger.com/en/articles/4741545-how-to-start-using-cloudflare">Cloudflare</a>, set the Proxy status to DNS only for all CAA records.

- If you use <a href="https://support.hostinger.com/en/articles/4741545-how-to-start-using-cloudflare">Cloudflare</a>, set the Proxy status to DNS only for all CAA records.

It is recommended to keep all the default CAA records and not delete them, as it can prevent the SSL to install successfully. To edit or delete a CAA record:

For domains pointing to Hostinger by NS records - check this article: <a href="https://support.hostinger.com/en/articles/1583249-how-to-manage-my-dns-records-on-hpanel">How to manage DNS records at Hostinger</a>

If your domain is pointing elsewhere by NS records, go to your domain's DNS Zone management on the provider you pointed the domain to and <a href="https://support.hostinger.com/en/articles/4410887-dns-record-changes-in-other-registrars-hosting-providers">manage them from there</a>

- For domains pointing to Hostinger by NS records - check this article: <a href="https://support.hostinger.com/en/articles/1583249-how-to-manage-my-dns-records-on-hpanel">How to manage DNS records at Hostinger</a>
- If your domain is pointing elsewhere by NS records, go to your domain's DNS Zone management on the provider you pointed the domain to and <a href="https://support.hostinger.com/en/articles/4410887-dns-record-changes-in-other-registrars-hosting-providers">manage them from there</a>

After applying any changes to your DNS zone, consider up to 24 hours to <a href="https://support.hostinger.com/en/articles/4146975-what-is-dns-propagation">fully propagate</a>.

Name	Content (flag, tag, CA domain)	TTL
@ or subdomain	0 issue digicert.com	1440 or default
@ or subdomain	0 issuewild digicert.com	1440 or default
@ or subdomain	0 issue sectigo.com	1440 or default
@ or subdomain	0 issuewild sectigo.com	1440 or default
@ or subdomain	0 issue letsencrypt.org	1440 or default
@ or subdomain	0 issuewild letsencrypt.org	1440 or default
@ or subdomain	0 issue globalsign.com	1440 or default
@ or subdomain	0 issuewild globalsign.com	1440 or default
@ or subdomain	0 issue comodoca.com	1440 or default
@ or subdomain	0 issuewild comodoca.com	1440 or default
@ or subdomain	0 issue pki.goog	1440 or default
@ or subdomain	0 issuewild pki.goog	1440 or default

How to add CAA records

Which values to use?

How to edit or delete CAA records