My domain is: thechief.com
Adding the CAA record to my domain at Network Solutions with value 0 issue "letsencrypt.org" does not allow double quotes. It says to escape a double quote with a backslash. I did that. Will it work?
So far I don't see any CAA record. But, yes, you must follow your registrar's instructions for entering data in the format it expects. Not all do it the same way. I use AWS Route53 and no escaping of quoted value is necessary.
What is important is that it looks correct when it is queried. And, here too different DNS query tools may show the result differently.
A good way to check your format is to compare a known valid setting with yours. For example, use the https://unboundtest.com DNS query tool for this community's domain. You will see:
;; ANSWER SECTION:
community.letsencrypt.org. 0 IN CNAME letsencrypt.hosted-by-discourse.com.
letsencrypt.hosted-by-discourse.com. 0 IN CAA 0 issue "letsencrypt.org"
Your CAA value should look the same once your DNS provider is updated. That is, you should see this value:
0 issue "letsencrypt.org"
Another good way to test is, once your CAA record does appear, to do a test run of getting a certificate. You didn't give any info about how you did that. If you had, I could have given you advice. I re-posted the form below in case you need help with that.
=================================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
You didn't make a CAA record: you made a TXT record that says 0 issue "letsencrypt.org"
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> txt thechief.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48471
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;thechief.com. IN TXT
;; ANSWER SECTION:
thechief.com. 7200 IN TXT "0 issue \"letsencrypt.org\""
thechief.com. 3600 IN TXT "v=spf1 include:emailsrvr.com ~all"
;; Query time: 549 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sun Apr 13 15:42:26 KST 2025
;; MSG SIZE rcvd: 125
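Added example, not part of any post in this thread: a small Python check that separates a real CAA record from a TXT record that only contains CAA-looking text, using the answer lines quoted above. The function name `audit_caa` and the result keys are hypothetical; it assumes the input is the answer section for the name being checked, handles only the `issue` tag for non-wildcard names, and does no climbing to parent domains.

```python
import re
import shlex

# One answer line in DNS presentation format: name TTL IN TYPE RDATA
ANSWER_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$')
# CAA rdata shape (RFC 8659): flags, tag, value (usually quoted)
CAA_RE = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"?([^"]*)"?$')

# Answer lines copied from the two query results quoted in this thread.
TXT_LOOKALIKE = r'''
thechief.com. 7200 IN TXT "0 issue \"letsencrypt.org\""
thechief.com. 3600 IN TXT "v=spf1 include:emailsrvr.com ~all"
'''
REAL_CAA = r'''
community.letsencrypt.org. 0 IN CNAME letsencrypt.hosted-by-discourse.com.
letsencrypt.hosted-by-discourse.com. 0 IN CAA 0 issue "letsencrypt.org"
'''


def audit_caa(answers, ca="letsencrypt.org"):
    """Report real CAA records, TXT records that merely contain CAA-looking
    text, and whether `ca` may issue for a non-wildcard name."""
    caa, lookalikes = [], []
    for line in answers.splitlines():
        line = line.strip()
        m = ANSWER_RE.match(line)
        if not m or line.startswith(";"):  # blank line or dig comment line
            continue
        name, rtype, rdata = m.group(1), m.group(2).upper(), m.group(3)
        if rtype == "CAA":
            c = CAA_RE.match(rdata)
            if c:
                caa.append((int(c.group(1)), c.group(2).lower(), c.group(3)))
        elif rtype == "TXT":
            # Undo TXT quoting (\" -> ") and test whether the text is CAA-shaped.
            if CAA_RE.match("".join(shlex.split(rdata))):
                lookalikes.append(name)
    # Issuer domain is the part of the value before any ';' parameters.
    issuers = [v.split(";")[0].strip() for _, tag, v in caa if tag == "issue"]
    return {
        "caa": caa,
        "txt_lookalikes": lookalikes,
        # Only CAA-type "issue" records restrict issuance; a TXT record never does.
        "restricted": bool(issuers),
        "ca_allowed": not issuers or ca in issuers,
    }


if __name__ == "__main__":
    print(audit_caa(TXT_LOOKALIKE))
    print(audit_caa(REAL_CAA))
```

For the thechief.com answers it reports no CAA records and one TXT lookalike, so issuance is not restricted to any CA.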
Thanks for the reply. It appears that Network Solutions does not have the capability of adding CAA records. I will accomplish my SSH and Certificate stuff using Cloudflare proxy.
Dudley
A CAA record is not required to get a certificate. It just allows you to restrict cert issuance to specific Certificate Authorities. See: Certificate Authority Authorization (CAA) - Let's Encrypt
And, I believe Network Solutions does support CAA. See their docs: https://www.networksolutions.com/help/article/manage-dns-adns-records
Using Cloudflare's DNS "proxy" service is fine. But, Cloudflare will choose which Certificate Authority to use for its CDN "edge". You are still faced with getting a cert for your Origin Server unless you use Cloudflare's Origin CA cert. This is a significantly different structure than just running your own server. It is not bad or wrong - just very different and sometimes more complex.
The confusion OP had is probably due to two things:
1- Step 4 says:
"On the domain page, go down to the Advanced Tools section"
2- The very last thing all the way down in the docs reads:
Note: There is no option to add/edit a CAA record in the Classic View.
I didn't click through all the sections on that page, but I clicked through at least 5 and none of them had that disclaimer.
Looking at those docs, I am not surprised the OP got confused or did not see an option. They may be using the "Classic View"
Agree their docs are not that great. But, the page I linked had a topic for CAA which covered the Advanced view.
I know. Click the CAA bit and scroll down all the way to the bottom of the section that expands. That's where they write at the very end **Note:** There is no option to add/edit a CAA record in the Classic View.
I think we're crossing some wires here. My point is that CAA records are only available on the "advanced view", but apparently not on the "classic view". The OP likely did not have a CAA option visible on their dashboard.
I haven't used NetworkSolutions in decades, but my initial interpretation is that "advanced view" and "classic view" is one thing, and "advanced records" (which is what your docs are) is another. The docs suggest all of those things are edited on the "advanced records", but only the CAA has a note about "classic view" vs "advanced view". You might be more familiar with NetworkSolutions so these might be the same, but several services I use have two UIs - a new or advanced interface, and a classic/legacy interface - and certain actions are only available on one or the other.
It's very possible they didn't see that in their original view. Or, got confused by earlier instructions which hinted CAA records were not possible. I'd already agreed those docs could be better. I'm not sure the value of speculating on the cause of their CAA problem is that productive.
It sounds like we agree the link I provided describing the Advanced Tools should work to add a CAA record. If the recipe on that page does not allow managing the CAA record they should ask them about that.