Add CAA DNS record to your domains

CAA is an IETF standard that controls which certificate authorities (CAs) can issue certificates for your domain.

Certificate authorities (CAs) will first check the CAA record for the domain. If the record does not match the specific values for that authority, the CA will refuse to issue the certificate.

The CAA record was introduced to limit the damage from vulnerabilities in certificate authority validation systems: even if a CA's domain validation is fooled, it should not issue a certificate for a domain that has not authorized that CA.

The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify the Certification Authorities (CAs) authorized to issue certificates for that domain. Publication of CAA Resource Records allows a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.

RFC 6844

A CAA DNS record will look like this (the fields after CAA are the flags, the property tag and the value, here the domain the CA uses to identify itself):

plothost.com.	IN	CAA	0 issue sectigo.com

Check with your CA which values you should use for the CAA record. We put links to a few CAs in the Resources section of this article.

A simple tool for generating CAA records according to your certificate authority is available at https://sslmate.com/caa/
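To show what the CA-side check described above actually does, here is an added example (not from this article or any CA's code) of the CAA decision logic from RFC 6844/8659: climbing from the requested name toward the root until a CAA set is found, preferring issuewild for wildcard names, and treating a bare ";" as "nobody may issue". The zone data is a constructed dictionary standing in for live DNS, and CNAME following is left out.

```python
# Constructed zone data in place of DNS lookups: name -> list of (flags, tag, value)
ZONE = {
    "plothost.com": [(0, "issue", "sectigo.com"),
                     (0, "iodef", "mailto:security@plothost.com")],
    "shop.plothost.com": [(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                          (0, "issuewild", ";")],        # ";" forbids wildcard issuance
    "example.net": [(0, "iodef", "mailto:ops@example.net")],
    "legacy.example": [(128, "futuretag", "x")],         # critical flag on an unknown tag
}
CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name):
    """Return the first CAA set found walking from name up to the root."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrs = ZONE.get(".".join(labels))
        if rrs:
            return rrs
        labels.pop(0)            # no CAA here, try the parent domain
    return []


def issuer_of(value):
    """Issuer domain is the text before the first ';'; parameters are ignored."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn      # wildcard lookups start at the parent
    rrs = relevant_rrset(name)
    if not rrs:
        return True                            # no CAA anywhere up the tree: unrestricted
    # a critical record whose tag the CA does not understand forbids issuance
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrs):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrs):
        tag = "issuewild"                      # issuewild overrides issue for wildcards
    allowed = [issuer_of(v) for _, t, v in rrs if t == tag]
    if not allowed:
        return True                            # e.g. only iodef present: no restriction
    return ca_domain.lower() in allowed        # ";" yields "" and never matches a CA
```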


Resources:
RFC 6844
DigiCert CAA
Sectigo CAA
LetsEncrypt CAA
