Low severity

Missing CAA Record

A CAA (Certificate Authority Authorization) record lists the CAs allowed to issue certificates for your domain. Every public CA is required by the CA/Browser Forum Baseline Requirements to check CAA before issuance.

Business risk

Without a CAA record, any public CA can issue a certificate for your domain to anyone who passes that CA's domain validation (usually HTTP-01 or DNS-01). A compromised registrar account, a DNS hijack during validation, or an insider at a smaller CA can produce a certificate that every browser trusts, for any domain. CAA is the only technical control that prevents this across the whole CA ecosystem, and it is trivial to add.

Technical details

Publish CAA at the apex (`yourdomain.com`). The record is inherited by subdomains unless a subdomain publishes its own. List only CAs you actually use; if you use Let's Encrypt, that is `letsencrypt.org`. Add an `iodef` entry so CAs can notify your security team of blocked issuance attempts. Multiple records with the same tag are additive, so listing two CAs means either can issue.

How to detect it

CAA records live at the apex of your zone (`yourdomain.com`, not a subdomain). `dig CAA` shows what is published. No record means any public CA may issue a cert for your domain - CAA is the only DNS-level control that prevents this.

Read CAA records

dig +short CAA yourdomain.com

Use the SSLMate generator for your exact stack

https://sslmate.com/caa/?domain=yourdomain.com

Verify that your actual CA is in the allowlist

openssl s_client -connect yourdomain.com:443 </dev/null 2>/dev/null | openssl x509 -noout -issuer

Common pitfalls

Listing a CA by marketing name instead of its published identifier. CAA uses exact strings - `letsencrypt.org`, not "Let's Encrypt". `pki.goog`, not "Google". SSLMate's generator catches these.
Forgetting `issuewild` for wildcard certs. `issue` covers exact-name certs; `issuewild` covers `*.yourdomain.com`. Issuing a wildcard from a CA only listed under `issue` fails.
Overlooking Cloudflare Universal SSL. Cloudflare issues its free certs via Let's Encrypt or Google Trust Services - list both (`letsencrypt.org` and `pki.goog`), not "cloudflare.com".
Setting CAA on every subdomain. CAA is inherited from the closest ancestor - setting it at the apex is usually enough. Only set on subdomains if you need a different policy there.
Omitting `iodef`. Without an `iodef` entry, CAs cannot notify you when they block issuance attempts - you lose the early-warning signal for hijack attempts.

Remediation guide

Most common case. Publish as CAA records at the apex.

yourdomain.com.  IN  CAA  0 issue "letsencrypt.org"
yourdomain.com.  IN  CAA  0 iodef "mailto:[email protected]"

text

External references

Frequently asked questions

Do I need both issue and issuewild?

If you use wildcard certs, yes. `issue "letsencrypt.org"` alone does not authorize a wildcard cert - you also need `issuewild "letsencrypt.org"`. If you do not use wildcards, leave `issuewild` out to implicitly disallow them.

My CA is not on the common list. What identifier do I use?

Check the CA's own documentation under "CAA record" or "DNS CAA configuration". It is always a domain name, never a human-readable label. If the CA does not publish their identifier, consider whether you should be using them.

Does CAA prevent all mis-issuance?

No - it prevents mis-issuance by compliant public CAs. An attacker who compromises a CA's issuance process, a CA that ignores CAA, or a private CA outside the CA/Browser Forum rules will not be stopped. CAA is a strong control but not a complete one.

Keep going

Related guide

Missing DNSSEC

Medium severity · DNS

High severity · Transport

Deep guide

HSTS: A Complete, Rollback-Safe Setup Guide

The max-age ramp, subdomain audit and preload submission - in the order they won't burn you.

Free tool

DNSSEC Checker

Follow the chain of trust from the root down to your zone.

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.

Business risk

Technical details

How to detect it

Read CAA records

dig +short CAA yourdomain.com

Use the SSLMate generator for your exact stack

https://sslmate.com/caa/?domain=yourdomain.com

Verify that your actual CA is in the allowlist

openssl s_client -connect yourdomain.com:443 </dev/null 2>/dev/null | openssl x509 -noout -issuer

Common pitfalls

Listing a CA by marketing name instead of its published identifier. CAA uses exact strings - `letsencrypt.org`, not "Let's Encrypt". `pki.goog`, not "Google". SSLMate's generator catches these.

Forgetting `issuewild` for wildcard certs. `issue` covers exact-name certs; `issuewild` covers `*.yourdomain.com`. Issuing a wildcard from a CA only listed under `issue` fails.

Overlooking Cloudflare Universal SSL. Cloudflare issues its free certs via Let's Encrypt or Google Trust Services - list both (`letsencrypt.org` and `pki.goog`), not "cloudflare.com".

Setting CAA on every subdomain. CAA is inherited from the closest ancestor - setting it at the apex is usually enough. Only set on subdomains if you need a different policy there.

Omitting `iodef`. Without an `iodef` entry, CAs cannot notify you when they block issuance attempts - you lose the early-warning signal for hijack attempts.

Remediation guide

Most common case. Publish as CAA records at the apex.

yourdomain.com.  IN  CAA  0 issue "letsencrypt.org"
yourdomain.com.  IN  CAA  0 iodef "mailto:[email protected]"

text

Frequently asked questions

Do I need both issue and issuewild?

My CA is not on the common list. What identifier do I use?

Does CAA prevent all mis-issuance?