Introduction

The internet is built on trust, and HTTPS is a cornerstone of that trust. Yet many domain owners leave a gap open by never configuring CAA (Certification Authority Authorization) records in their DNS. Without CAA records, every publicly trusted Certificate Authority (CA) is permitted to issue a TLS certificate for your domain; nothing beyond that CA's own domain-validation checks stands between an attacker and a certificate you never asked for.

This guide explores the importance of CAA records, why they should be mandatory, and how to set them up correctly with best practices and lessons learned.


1. What Are CAA Records and Why Do They Matter?

CAA records are a DNS record type, defined in RFC 6844 and revised in RFC 8659, that let a domain owner declare which Certificate Authorities are authorized to issue TLS certificates for that domain. Since September 2017 the CA/Browser Forum Baseline Requirements have required publicly trusted CAs to check CAA before issuing. The records exist to:

  • Reduce Mis-issuance: A conforming CA refuses requests your records do not authorize, so a validation mistake or a fooled validation check at some other CA no longer yields a certificate for your name.
  • Limit Impersonation: Fewer CAs able to issue for your domain means fewer places an attacker can obtain a certificate for a convincing fake of your site.
  • Optionally Report Refused Requests: The iodef property gives CAs an address to report requests they refused; whether a CA sends such reports is at its discretion.

How They Work

A CAA record consists of:

  • Domain Name: The owner name the record is published at. A CA looks for CAA at the exact name requested and, if none exists, climbs toward the root and uses the nearest parent that has a CAA record set, so records at yourdomain.eu cover every subdomain that does not publish its own.
  • Flag: One byte, 0 in nearly all deployments. The value 128 marks the property as "issuer critical": a CA that does not understand that tag must refuse to issue at all.
  • Tag: Specifies the purpose of the record (issue, issuewild, or iodef).
  • Value: For issue and issuewild, the domain name the CA identifies itself by (e.g., letsencrypt.org), optionally followed by ";" and parameters; a value of just ";" authorizes no CA at all. For iodef, a mailto: address or an https: URL.

Example CAA Records

For a domain that exclusively uses Let’s Encrypt:

yourdomain.eu. IN CAA 0 issue "letsencrypt.org"
yourdomain.eu. IN CAA 0 issuewild "letsencrypt.org"
yourdomain.eu. IN CAA 0 iodef "mailto:email@yourdomain.eu"

2. The Problem: No CAA = Open Door for Fraud

Without CAA records:

  1. Any CA Can Issue Certificates: Every publicly trusted CA is permitted to issue for your domain, so your exposure is the weakest validation process among all of them rather than the one CA you chose. An attacker who defeats any one CA's validation can:
    • Impersonate your website.
    • Create phishing sites that present a valid certificate for your name.
    • Intercept traffic in a man-in-the-middle position without a browser warning.
  2. Loss of Control: A domain without CAA records tells every CA, "issue for me if your checks pass." You then depend on the validation practices of all CAs, which vary widely.
  3. Harder to Detect Fraud: A certificate issued without your knowledge becomes visible only in Certificate Transparency logs, and only if you monitor them.

Example Scenario

Suppose you run a login portal at yourdomain.eu and an attacker manages to satisfy domain validation at some CA you have never used, for instance by exploiting a weak validation method or by hijacking traffic during the check. Without CAA, that CA has no reason to refuse, and the attacker obtains a certificate that lets a fake copy of your site show a valid padlock while it harvests credentials. With a CAA record naming only your CA, a conforming CA would refuse the request before validation even started. Note what CAA does and does not do: it is enforced by the CA itself, so it stops mis-issuance at CAs that follow the rules; a CA that deliberately ignores CAA is a matter for Certificate Transparency and for browsers removing it from their trust stores.


3. When Do You Need BOTH issue and issuewild Records?

issue: Authorizes a CA to issue certificates for specific names, such as yourdomain.eu or mail.yourdomain.eu.

issuewild: Authorizes a CA to issue wildcard certificates, such as *.yourdomain.eu. When at least one issuewild record is present, a wildcard request is governed by the issuewild records alone and the issue records are ignored for it.

What Happens With Only One of Them

  • If you only configure issue: Wildcard certificates are NOT blocked. In the absence of issuewild, the issue records apply to wildcard requests too, so the CA you named can also obtain *.yourdomain.eu. To forbid wildcards entirely, publish an issuewild record whose value is just a semicolon.
  • If you only configure issuewild: Standard certificates are NOT blocked either. issuewild is ignored for non-wildcard names, and a record set with no issue property requests no restriction at all, so any CA may issue yourdomain.eu. This is the most dangerous misreading of CAA: the zone looks protected and is not.

Best Practice

State both policies explicitly so the intent is visible and does not rely on anyone remembering the defaults:

yourdomain.eu. IN CAA 0 issue "letsencrypt.org"
yourdomain.eu. IN CAA 0 issuewild "letsencrypt.org"
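
As an added illustration of the lookup rules in section 1 and the issue/issuewild semantics just described (this is example code written for this edit, not part of the original article), the following Python models the decision a conforming CA makes under RFC 8659 against a constructed zone. The zone contents, the subdomains under yourdomain.eu and the CA name someotherca.example are assumptions made for the example; CNAME/DNAME following, DNSSEC validation and issue-value parameters such as validationmethods are deliberately not modelled.

```python
"""Added example, not part of the original article: a small model of the CAA
checks a conforming CA performs before issuing (RFC 8659). ZONE is constructed
for illustration; yourdomain.eu is the article's placeholder and
someotherca.example is a made-up CA. Not modelled: CNAME/DNAME following,
DNSSEC validation, and the optional parameters after ';' in an issue value."""

from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)
ISSUER_CRITICAL = 128             # flag bit: unknown tag => CA must not issue
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone: owner name (no trailing dot) -> CAA RRset.
ZONE: Dict[str, List[CaaRecord]] = {
    # The article's policy without issuewild, to show what the default does.
    "yourdomain.eu": [
        (0, "issue", "letsencrypt.org"),
        (0, "iodef", "mailto:email@yourdomain.eu"),
    ],
    # Standard certificates from Let's Encrypt, wildcards from nobody.
    "nowild.yourdomain.eu": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),
    ],
    # issuewild only: wildcard policy set, standard certificates left open.
    "wildonly.yourdomain.eu": [
        (0, "issuewild", "letsencrypt.org"),
    ],
    # iodef only: a reporting address, no issuance restriction at all.
    "reportonly.yourdomain.eu": [
        (0, "iodef", "mailto:email@yourdomain.eu"),
    ],
    # Critical flag on a (hypothetical) tag that CAs do not know.
    "critical.yourdomain.eu": [
        (ISSUER_CRITICAL, "issueonlyonsundays", "x"),
        (0, "issue", "letsencrypt.org"),
    ],
}


def relevant_rrset(zone: Dict[str, List[CaaRecord]], name: str) -> Optional[List[CaaRecord]]:
    """RFC 8659 section 3: drop a leading '*' label, then climb toward the root
    and return the first (closest) CAA RRset found. RRsets are never merged."""
    labels = name.rstrip(".").lower().split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return None


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    A bare ';' (or empty value) yields '' and therefore matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Dict[str, List[CaaRecord]], name: str, ca: str) -> bool:
    """Would the CA identified by `ca` be permitted to issue for `name`?"""
    rrset = relevant_rrset(zone, name)
    if rrset is None:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    for flags, tag, _ in rrset:
        if flags & ISSUER_CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False  # section 4.1: critical property the CA cannot process
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    if name.startswith("*.") and issuewild:
        governing = issuewild  # section 4.3: issuewild overrides issue for wildcards
    else:
        governing = issue      # non-wildcard, or wildcard with no issuewild present
    if not governing:
        return True  # section 4.2: no issue property => no restriction requested
    return ca.lower() in {issuer_domain(v) for v in governing}


if __name__ == "__main__":
    for name, ca in [("www.yourdomain.eu", "letsencrypt.org"),
                     ("*.yourdomain.eu", "letsencrypt.org"),
                     ("wildonly.yourdomain.eu", "someotherca.example"),
                     ("reportonly.yourdomain.eu", "someotherca.example"),
                     ("*.nowild.yourdomain.eu", "letsencrypt.org")]:
        verdict = "ALLOWED" if may_issue(ZONE, name, ca) else "REFUSED"
        print(f"{ca:>20} -> {name:<30} {verdict}")
```

Running it prints the decisions; note that wildonly and reportonly come out ALLOWED for a CA that was never named, which is exactly the trap described above, while *.yourdomain.eu is ALLOWED for letsencrypt.org even though that zone has no issuewild record.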

4. The Importance of an IODEF Record

The iodef property is optional but worth adding. Its value is a mailto: address or an https: URL to which a CA can report a certificate request it refused because your CAA records did not authorize it. Two caveats apply. First, RFC 8659 leaves it to the CA whether to send such reports, and many do not, so iodef supplements Certificate Transparency monitoring rather than replacing it. Second, an iodef record on its own restricts nothing: only issue and issuewild properties limit who may issue.

Example

yourdomain.eu. IN CAA 0 iodef "mailto:email@yourdomain.eu"

Why It Matters

  • Learn of Refused Attempts: If the CA supports reporting, you find out that someone requested a certificate for your domain from a CA you have not authorized, an early sign that the domain is being targeted.
  • Respond Sooner: A refusal report gives you a concrete lead to follow up: check Certificate Transparency logs for the same name and verify that your DNS has not been altered.

5. What If Your DNS Provider Doesn’t Support CAA Records?

If your DNS provider doesn’t support CAA records, your domain is at risk. Here’s what you can do:

Option 1: Switch to a Provider That Supports CAA

Move to a DNS provider that supports modern security features, such as:

  • Cloudflare
  • Amazon Route 53
  • Google Cloud DNS
  • DNSimple

Option 2: Host DNS Elsewhere While Keeping Your Registrar

Domain registration and DNS hosting are separate services. You can keep the registrar you have and point the domain's nameservers at a DNS host that supports CAA, such as Cloudflare or Route 53, which then serves all of your records.

Option 3: Advocate for CAA Support

Contact your provider and request support for CAA records. Highlight how essential they are for security.

Complementary Measures

Do these regardless, but especially while CAA is unavailable to you:

  1. Monitor Certificate Transparency Logs: Every publicly trusted certificate is logged. A monitor such as Cert Spotter or crt.sh alerts you when one appears for your names, which is the only way to catch issuance that CAA did not prevent.
  2. Enable DNSSEC: Sign your zone so a CA's resolver can verify your CAA answers. Without DNSSEC, an attacker able to spoof DNS responses to the CA could make your CAA records disappear during the check; RFC 8659 strongly recommends that CAs validate CAA with DNSSEC. DNSSEC is not a substitute for CAA: a signed zone without CAA records is just as open as an unsigned one.

6. Step-by-Step: Setting Up CAA Records

Step 1: Add CAA Records for Standard and Wildcard Certificates

Log into your DNS provider and create the following records:

yourdomain.eu. IN CAA 0 issue "letsencrypt.org"
yourdomain.eu. IN CAA 0 issuewild "letsencrypt.org"

Step 2: Add an IODEF Record

To receive notifications of unauthorized certificate requests:

yourdomain.eu. IN CAA 0 iodef "mailto:email@yourdomain.eu"

Step 3: Verify Your Configuration

Query the records from the public DNS rather than trusting the provider's control panel, for example with dig CAA yourdomain.eu from a machine outside your network, and cross-check with an online lookup service. Confirm that all three records come back with exactly the values you entered, then request a certificate from your authorized CA to prove that legitimate issuance still works.
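
As an added example for this verification step (example code written for this edit, not code from the original article), the following Python reads the answer section as dig +noall +answer CAA yourdomain.eu prints it, summarises the policy it expresses, and flags the mistakes most likely to survive a copy-and-paste, including the iodef-only zone that looks protected but is not. Both sample answers are constructed for the example, and yourdomain.eu is the article's placeholder.

```python
"""Added example, not part of the original article: parse dig's answer section
for a CAA query and audit the policy it expresses. GOOD_ANSWER and
IODEF_ONLY_ANSWER are constructed samples; yourdomain.eu is the article's
placeholder domain."""

import re
from typing import Dict, List, Tuple

# <owner> [<ttl>] IN CAA <flags> <tag> "<value>"   (the value may contain spaces)
CAA_LINE = re.compile(r'\bCAA\s+(\d+)\s+(\S+)\s+"(.*)"\s*$')
ISSUER_CRITICAL = 128

# Constructed: what dig shows for the article's three recommended records.
GOOD_ANSWER = """\
yourdomain.eu.\t3600\tIN\tCAA\t0 issue "letsencrypt.org"
yourdomain.eu.\t3600\tIN\tCAA\t0 issuewild "letsencrypt.org"
yourdomain.eu.\t3600\tIN\tCAA\t0 iodef "mailto:email@yourdomain.eu"
"""

# Constructed: the reporting address was added but the issue record forgotten.
IODEF_ONLY_ANSWER = 'yourdomain.eu.\t3600\tIN\tCAA\t0 iodef "mailto:email@yourdomain.eu"\n'


def parse_caa(answer: str) -> List[Tuple[int, str, str]]:
    """Return (flags, tag, value) for every CAA line; other lines are skipped."""
    records = []
    for line in answer.splitlines():
        m = CAA_LINE.search(line)
        if m:
            records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return records


def audit_caa(answer: str) -> Dict[str, List[str]]:
    """Summarise who may issue what, plus a list of findings worth fixing."""
    report: Dict[str, List[str]] = {"issue": [], "issuewild": [], "iodef": [], "findings": []}
    records = parse_caa(answer)
    for flags, tag, value in records:
        if flags & ~ISSUER_CRITICAL:
            report["findings"].append(f"reserved flag bits set on {tag} (flags={flags})")
        if tag in ("issue", "issuewild", "iodef"):
            report[tag].append(value)
        elif flags & ISSUER_CRITICAL:
            report["findings"].append(
                f"critical unknown tag {tag}: CAs that do not support it must refuse to issue")
        else:
            report["findings"].append(f"unknown tag {tag} will be ignored by CAs")
    if not records:
        report["findings"].append("no CAA records: every CA may issue")
    elif not report["issue"]:
        # issuewild is ignored for non-wildcard names and iodef restricts nothing,
        # so an RRset with no issue property leaves standard certificates open.
        report["findings"].append("no issue property: standard certificates are unrestricted")
    for url in report["iodef"]:
        if not url.startswith(("mailto:", "http://", "https://")):
            report["findings"].append(f"iodef value {url!r} is not a mailto: or http(s): URL")
    return report


if __name__ == "__main__":
    for label, answer in (("good", GOOD_ANSWER), ("iodef only", IODEF_ONLY_ANSWER)):
        r = audit_caa(answer)
        print(f"[{label}] issue={r['issue']} issuewild={r['issuewild']} iodef={r['iodef']}")
        for finding in r["findings"]:
            print(f"  FINDING: {finding}")
```

Pipe the real dig output into audit_caa after publishing your records; an empty findings list together with the expected issue, issuewild and iodef values is what a correct deployment looks like.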


7. Lessons Learned

  1. Make the Wildcard Policy Explicit: An issue record alone also authorizes wildcards from the same CA, and an issuewild record alone leaves standard certificates unrestricted. Publish both so the policy does not depend on anyone knowing the defaults.
  2. Add an IODEF Record, but Keep Watching Certificate Transparency: CAs are not required to send refusal reports, so iodef is a bonus signal, not your detection mechanism.
  3. Choose a DNS Provider That Supports CAA: Registration and DNS hosting can be split if your registrar cannot serve CAA records.
  4. Test After Every Change: Re-check the records from the public DNS after DNS migrations, CA changes and certificate automation changes. A lost record reopens the door; a record naming the wrong CA blocks your own renewals.

8. Final Thoughts

Configuring CAA records is a simple, low-risk step in securing your domain. By restricting which CAs may issue for your names, and enabling reports of refused requests where your CA supports them, you shrink the set of places an attacker can obtain a certificate from every trusted CA down to the one or two you actually use.

Remember:
No CAA = Open Door for Fraud. Don’t leave your domain vulnerable—secure it today with issue, issuewild, and iodef records.


Next Steps

  • Check if your domain has CAA records using tools like WhatsMyDNS or NsLookup.
  • Add or update CAA records in your DNS settings.
  • Share this knowledge: Help others protect their domains by explaining the importance of CAA records.

Securing your domain is your responsibility—close the door to fraud today.