The CAA Record: Your Domain's Bouncer
Certificate Authority Authorization (CAA) is a DNS record type (RFC 8659) that lets domain owners declare which certificate authorities (CAs) are permitted to issue certificates for their domain. Before issuing a certificate, a compliant CA must check for CAA records and refuse issuance if it is not listed. This is a simple, powerful control that prevents unauthorized certificate issuance — whether from a compromised CA, a social-engineering attack, or an automated validation bypass.
The record syntax is minimal. A CAA record contains a flag byte, a tag (usually "issue" or "issuewild"), and a value specifying the CA's domain. For example, setting `0 issue "letsencrypt.org"` means only Let's Encrypt can issue standard certificates, while `0 issuewild ";"` blocks all wildcard certificate issuance entirely. You can stack multiple CAA records to authorize several CAs, and the "iodef" tag lets you specify an email or URL for violation reports.
Since September 2017, all publicly trusted CAs are required to check CAA records before issuance. If no CAA record exists, any CA can issue — which is the default state for most domains. Adding CAA records takes less than a minute and provides a meaningful defense-in-depth layer alongside Certificate Transparency logs and DNSSEC. It is one of the highest-value, lowest-effort DNS security configurations you can make.
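To make the issuance rule concrete, the following Python model is an added example (it is not code from the article or from any CA) of the check a compliant CA performs under RFC 8659. It parses records in the presentation form shown above (flag byte, tag, quoted value), walks up the DNS tree to find the relevant record set, applies the `issue` / `issuewild` precedence rules and the `";"` deny value, refuses issuance on an unknown critical tag, and falls back to "any CA may issue" when no record exists anywhere in the ancestry. The zone contents, domain names and CA names are constructed for the demonstration; real DNS resolution, CNAME handling and the `accounturi` / `validationmethods` parameters are deliberately left out.

```python
"""Minimal model of the RFC 8659 CAA issuance check (added example, not
from the original article). The zone below is constructed, not real DNS."""
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class CAA:
    flags: int   # one byte; bit 7 (value 128) is the Issuer Critical flag
    tag: str     # property tag, e.g. "issue", "issuewild", "iodef"
    value: str   # property value (quoted string in presentation form)

# Constructed zone data: domain -> list of CAA records in presentation form.
CONSTRUCTED_ZONE = {
    "example.com": [
        '0 issue "letsencrypt.org"',          # only this CA for normal certs
        '0 issuewild ";"',                    # no wildcard issuance at all
        '0 iodef "mailto:security@example.com"',
    ],
    "legacy.example.net": [
        '128 issue "digicert.com"',           # critical flag on a known tag
    ],
    "reports-only.example.org": [
        '0 iodef "mailto:pki@example.org"',   # iodef alone does not restrict
    ],
    "strict.example.org": [
        '128 futuretag "x"',                  # unknown tag marked critical
    ],
}

_CAA_TEXT = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(text: str) -> CAA:
    """Parse '<flags> <tag> "<value>"' into a CAA record."""
    m = _CAA_TEXT.match(text.strip())
    if not m or not 0 <= int(m.group(1)) <= 255:
        raise ValueError(f"malformed CAA record: {text!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))

def relevant_rrset(fqdn: str, zone=CONSTRUCTED_ZONE) -> list:
    """RFC 8659 section 3: use the CAA set of the name itself, otherwise
    climb to each parent and stop at the first non-empty set."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return [parse_caa(t) for t in zone[name]]
    return []   # no CAA anywhere in the tree

def issuer_domain_name(value: str) -> str:
    """The issuer-domain-name is the text before the first ';'; an empty
    name (the value ";") authorizes nobody."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(fqdn: str, ca: str, zone=CONSTRUCTED_ZONE) -> bool:
    """Decide whether CA `ca` may issue a certificate for `fqdn`.
    A leading '*.' marks a wildcard request; the lookup then uses the
    base name (simplification of the DNS wildcard behaviour)."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    records = relevant_rrset(base, zone)
    if not records:
        return True                       # unrestricted: any CA may issue
    # An unknown property with the critical bit set forbids issuance.
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in records):
        return False
    # issuewild, when present, governs wildcard requests and issue is
    # ignored; otherwise issue governs both kinds of request.
    governing = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        governing = "issuewild"
    relevant = [r for r in records if r.tag == governing]
    if not relevant:
        return True                       # e.g. a set containing only iodef
    return any(issuer_domain_name(r.value) == ca.lower() for r in relevant)

def report_uris(fqdn: str, zone=CONSTRUCTED_ZONE) -> list:
    """Where a CA should send violation reports (iodef values)."""
    return [r.value for r in relevant_rrset(fqdn, zone) if r.tag == "iodef"]

if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.example.com", "letsencrypt.org"),
                     ("unlisted.test", "letsencrypt.org")]:
        print(f"{ca:16} -> {name:18} {'ALLOW' if may_issue(name, ca) else 'DENY'}")
```

Note that `www.example.com` inherits the policy of `example.com` because the lookup climbs the tree, and that a record set containing only `iodef` reports violations but does not by itself restrict who may issue.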