Allow CAA records in DH's DNS


DNS Certification Authority Authorization (CAA) resource records (RFC 6844) allow us to declare which certificate authorities are allowed to issue a certificate for a domain.
SSL Labs is already checking for CAA records.


Please add this to the Web Hosting Control Panel. I’ve already had this come up from a security audit.


Did you contact Dreamhost support? They might be able to add it for you. The more requests they get for something like that, the faster you will see customer-level support via the panel.


+1. See

And yes, I just submitted my support request for it too.


I, too, would like this capability.


And as a follow-up, support says CAA DNS records are not currently supported, so asking them for it just underscores the need for this suggestion at this point.


Hello folks, thanks for chiming in on this one. The issue is on DreamHost developers’ radar. I don’t have an ETA yet, but I’ll be reporting here any progress I see on the internal issue.


It is October now, and the initial request was made back in April. The DNS resource type ‘CAA’ is an RFC spec that has been included in BIND since 2016. It is supported by most all other registrars. See:

This needs to be a priority. Do I really need to change registrars to enable CAA security? Please fix this, Dreamhost.


It is now December of 2017 with no current support in the panel to add CAA records. I’ve tweeted @dreamhostcare and am waiting to hear back. If I have to, I’ll open a support ticket to see if they can manually add the record for me.


Since Let’s Encrypt is auto-supported, it would be great if the CAA record could also be auto-added for DNS domains hosted with Dreamhost.


Did you receive a reply?


They said they have no plan to add support for CAA:


Didn’t this become like required in Sept of 2017…

Seems crazy that this is not supported yet.


There are requests that have been sitting for years and commitments from Dreamhost that have been waiting for years.

I would not expect anything anytime soon; Dreamhost is slow to add features.


Well, pretty sure this is like a requirement for CAs to issue certs; they have to check the CAA record in the DNS for the domain. So if they do not support it, how and the F is anyone going to use them for DNS for their domains? How are they going to run their own ACME certs on your domains, etc.? If you cannot put in the CAA record…