CAA records – what are they and why use them?

CAA records

Using CAA records ensures that no SSL certificate is issued for your domains that you did not apply for, whether the request was malicious or accidental.

What is CAA?

CA stands for Certification Authority — an entity that issues SSL Certificates.

CAA stands for Certification Authority Authorization, a DNS-based mechanism by which you choose which Certificate Authorities may issue SSL Certificates for your domain.

You do this by adding a CAA record to your DNS for each Certification Authority you wish to authorize.

Why use CAA?

To ensure that only your chosen Certificate Authorities can issue SSL Certificates to your domains.

As a result, you reduce the risk of fraudulent SSL Certificates being issued to your domain/s.

How does it work?

When asked to issue an SSL Certificate for your domain, a Certification Authority first checks the domain's CAA records for a record naming itself.

If such a record is present, it issues your SSL Certificate.

Otherwise, it refuses the request and must not issue SSL Certificates for your domain.

If you add the CAA record later, simply contact your SSL vendor or CA and ask them to check your records again.

If no CAA records are on your domain’s DNS, any Certification Authority will be able to issue SSL Certificates to your domain by default.

However, as soon as you add a CAA record for one CA, every other CA is blocked until you add a record for it as well.
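The decision a compliant CA makes at issuance time, as an added Python example that is not part of this post. The zone data is constructed, and the lookup is a simplified model of RFC 8659 (the current CAA specification): climb to the closest parent label that has CAA records, apply `issue` (or `issuewild` for wildcard names), treat the empty issuer `";"` as "nobody", and refuse when an unknown critical property is present.

```python
"""Simplified CAA issuance check (RFC 8659 model) over a constructed zone."""

# Constructed sample zone data (hypothetical names and CA identifiers):
# name -> list of CAA records in the usual "flags tag value" text form.
ZONE = {
    "example.com": [
        '0 issue "exampleca.com"',
        '0 issue "otherca.net; validationmethods=dns-01"',  # value may carry parameters
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.com": ['0 issue ";"'],        # empty issuer: forbids every CA
    "wild.example.com": ['0 issuewild "wildca.org"'],
    "odd.example.com": ['128 futuretag "x"'],      # critical flag on an unknown tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(record: str):
    """Split '0 issue "exampleca.com; k=v"' into (flags, tag, value)."""
    flags, tag, value = record.split(" ", 2)
    return int(flags), tag.lower(), value.strip('"')


def relevant_caa_set(name: str):
    """Walk from the name toward the root; return the first CAA RRset found."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONE:
            return [parse_caa(r) for r in ZONE[candidate]]
    return []  # no CAA anywhere in the tree: no restriction


def ca_may_issue(name: str, ca_domain: str) -> bool:
    """Decide whether the CA identified by ca_domain may issue for name."""
    wildcard = name.startswith("*.")
    records = relevant_caa_set(name[2:] if wildcard else name)
    if not records:
        return True  # no CAA records: any CA may issue (the default)
    # An unknown property marked critical (flag bit 128) means: do not issue.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    # Wildcard requests are governed by issuewild when present, else by issue.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    governing = [v for _, t, v in records if t == tag]
    if not governing:
        return True  # CAA present but no governing tag: no restriction
    # Compare only the issuer domain; parameters after ';' are ignored here.
    allowed = {v.split(";", 1)[0].strip().lower() for v in governing}
    return ca_domain.lower() in allowed
```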

Checking your CAA records

To check your current CAA records, simply visit Google’s G Suite Toolbox and enter your domain name in the entry field: toolbox.googleapps.com/apps/dig/#CAA/

As of September 8th 2017, all Certification Authorities are required to check for their CAA record before issuing an SSL Certificate for a domain.

A simple internet search will reveal the CAA record value (the identifying domain name) used by your favored Certification Authority.

These are usually as simple as a domain name such as example.com or exampleca.com.
