CAA Records and Certificate Authority Control
A CAA record is a lesser-known but valuable DNS entry that controls which certificate authorities are permitted to issue SSL/TLS certificates for your domain. It adds a layer of protection against someone fraudulently obtaining a certificate in your name.
Though optional, a CAA record is a sensible safeguard for any organisation that takes domain security seriously.
What a CAA Record Does
When a certificate authority is asked to issue a certificate, it checks your CAA record first. If your domain only authorises certain authorities, others must refuse the request.
Why It Helps
By naming only the authorities you actually use, you close off a route attackers might otherwise exploit.
- Limits issuance to authorities you trust.
- Reduces the risk of a mis-issued certificate.
- Can specify an address to be notified of policy violations.
Setting It Up Carefully
The catch is that an overly strict CAA record can block your own future certificates. We make sure every authority you rely on, now and likely in future, is included before enabling it.
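The pre-flight check described above can be scripted. The following is an added example, not Progressive Robot's own tooling: it reads a proposed CAA record set and lists which of the authorities you use would have to refuse a request, for ordinary and wildcard names separately. The example.com records, the CA inventory and the function names are constructed for illustration, and the code evaluates a single record set without DNS lookups or parent-domain fallback.

```python
import shlex

# Constructed sample: CAA RRset for example.com in zone-file presentation format.
SAMPLE_RRSET = """
example.com. 3600 IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
example.com. 3600 IN CAA 0 issue "digicert.com"
example.com. 3600 IN CAA 0 issuewild "digicert.com"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
"""

# Constructed inventory: CAA identifiers of the authorities the organisation uses.
CAS_IN_USE = ["letsencrypt.org", "digicert.com", "sectigo.com"]

def parse_caa(zone_text):
    """Return (flags, tag, value) tuples for each CAA line."""
    records = []
    for line in zone_text.splitlines():
        fields = shlex.split(line)
        if "CAA" in fields:
            flags, tag, value = fields[fields.index("CAA") + 1:][:3]
            records.append((int(flags), tag.lower(), value))
    return records

def allowed_issuers(records, wildcard=False):
    """Set of permitted issuer domains, or None when CAA does not restrict."""
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"  # issuewild overrides issue for wildcard names
    values = [v for _, t, v in records if t == tag]
    if not values:
        return None
    # Drop parameters after ';'. A bare ";" leaves an empty set: nobody may issue.
    return {v.split(";", 1)[0].strip().lower() for v in values} - {""}

def blocked_cas(records, cas_in_use, wildcard=False):
    """CAs from the inventory that would have to refuse a request."""
    allowed = allowed_issuers(records, wildcard)
    return [] if allowed is None else sorted(
        ca for ca in cas_in_use if ca.lower() not in allowed)

def iodef_contacts(records):
    """Addresses that receive reports of policy violations."""
    return [v for _, t, v in records if t == "iodef"]

if __name__ == "__main__":
    recs = parse_caa(SAMPLE_RRSET)
    print("blocked (normal):  ", blocked_cas(recs, CAS_IN_USE))
    print("blocked (wildcard):", blocked_cas(recs, CAS_IN_USE, wildcard=True))
    print("violation reports: ", iodef_contacts(recs))
```

With this sample, letsencrypt.org is accepted for ordinary names but blocked for wildcard names, because the single issuewild entry replaces the issue list for wildcard requests.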
If you need a hand with any of this, your Progressive Robot delivery team is ready to help. Raise a ticket from the Support area of your client portal or speak to your account manager and we will guide you through the next steps.