CAA Records: Prevent TLS Certificate Mis-issuance for Your Domain
Learn what CAA is, how attackers can obtain a valid TLS certificate for your domain in 30 seconds without it, and how to defend your infrastructure with a single DNS record.
In Short
CAA (Certification Authority Authorization, RFC 8659) is a DNS record through which you explicitly declare which CAs (Certificate Authorities) are allowed to issue TLS certificates for your domain. Without CAA, any publicly trusted CA in the world can issue a valid certificate for yourcompany.com upon request.
Sound abstract? Here are a few real-world incidents:
- 2011 Comodo — the attacker obtained certificates for google.com, yahoo.com, microsoft.com via social engineering
- 2011 DigiNotar — Iran used fraudulent certificates against Gmail (300,000 users affected)
- 2015 Symantec — issued a cert for google.com without authorization → Google deprecated all Symantec certs in Chrome
Adding a CAA record drastically reduces your exposure: only the CAs you explicitly approve will be able to issue certs for your domain. Configuration takes 5 minutes, costs 0 EUR, and is the most accessible anti-MITM measure available.
How an Attacker Can Obtain a Fake Certificate for Your Domain
The “1-Minute DNS Hijack” Scenario
- Attacker performs a short BGP hijack or compromises the registrar
- Temporarily changes the DNS records for the domain yourcompany.com
- Requests a certificate from Let’s Encrypt with HTTP-01 validation (challenge file placed on the hijacked site)
- Let’s Encrypt verifies the challenge → issues cert
- Attacker restores DNS → now holds a valid certificate for yourcompany.com
With a CAA record allowing only letsencrypt.org, the attacker cannot switch to another CA that might have laxer verification. With a CAA record that completely forbids wildcard issuance (issuewild ";"), the attacker cannot request *.yourcompany.com.
The “Compromised Employee Certificate Platform” Scenario
Many developers have access to cert provisioning platforms (Cloudflare, AWS Certificate Manager, internal PKI). If an account is compromised, the attacker can generate a certificate for any domain in the company’s portfolio. CAA with an iodef "mailto:" property alerts you immediately when a CA refuses a request that does not match your policy — a signal that someone attempted something suspicious.
Anatomy of a CAA Record
yourcompany.com. IN CAA 0 issue "letsencrypt.org"
yourcompany.com. IN CAA 0 issue "digicert.com"
yourcompany.com. IN CAA 0 issuewild ";"
yourcompany.com. IN CAA 0 iodef "mailto:security@yourcompany.com"
Decoded:
- issue "letsencrypt.org" — Let’s Encrypt can issue standard certs
- issue "digicert.com" — DigiCert can issue (backup for OV/EV certs)
- issuewild ";" — no CA can issue wildcard certs (*.yourcompany.com). This is stricter than issue and is good for organizations that do not use wildcard certs.
- iodef "mailto:..." — address where CAs send alerts when they refuse a request
Why CAA Is More Important in 2026 Than It Was in 2018
In 2018, only 30% of global CAs checked CAA before issuance. Today, via the CA/Browser Forum Baseline Requirements (revised annually), all publicly trusted CAs are mandated to verify CAA. Browsers (Chrome, Firefox, Safari) reject certs issued by CAs that ignore CAA → if you publish a CAA record, it is respected 100%.
This means that a correctly configured setup effectively blocks an entire attack vector that was previously only partially protected.
Implementation in 4 Steps
Step 1 — Inventory of CAs You Use
For most organizations: Let’s Encrypt (auto via certbot/Cloudflare/Caddy) + 1-2 backup CAs for OV/EV certs (DigiCert, Sectigo, GeoTrust). Check in:
- Reverse-proxy panel (Cloudflare/Caddy/nginx config)
- Financial documents (invoice for annual OV certs)
- Active cert inventory: crt.sh?q=%25.yourcompany.com
Step 2 — Add CAA Records
On most modern registrars (Cloudflare, Route 53, GoDaddy, Namecheap), CAA is supported in the DNS UI. On pfSense / internal BIND: edit zone file directly.
# Add CAA via Cloudflare API (example):
# ZONE_ID and CF_TOKEN must already be set in the environment; one call creates
# one record, so repeat it for each issue/issuewild/iodef line of your policy.
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
-H "Authorization: Bearer $CF_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"type": "CAA",
"name": "yourcompany.com",
"data": {"flags": 0, "tag": "issue", "value": "letsencrypt.org"}
}'
Step 3 — Verify Propagation
dig CAA yourcompany.com
Online tool: https://sslmate.com/caa/ — viewer + policy generator.
Step 4 — Effective Test
Try generating a cert via certbot with a different CA (e.g., Sectigo). If blocked → CAA is working correctly. If it passes → CAA policy is not configured correctly or the CA does not respect the specification (rare case).
Subdomains: When Parent CAA Is Inherited
Subdomains without their own CAA inherit the parent domain’s CAA. Best practice: for subdomains with different needs (e.g., mail.yourcompany.com which uses a different cert), publish CAA explicitly there.
mail.yourcompany.com. IN CAA 0 issue "sectigo.com"
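To see how a CA actually applies the records above (the anatomy section and the subdomain rule), here is an added example written for this article, not code from any CA: it evaluates a constructed in-memory copy of the zone with the RFC 8659 parent-climbing lookup and issue/issuewild semantics. Note the caveat it makes visible: once mail.yourcompany.com publishes its own CAA, that set replaces the parent’s entirely, so the parent’s issuewild ";" no longer protects *.mail.yourcompany.com unless you repeat it there.

```python
# Added example for this article (not a CA's code): evaluate a CAA policy
# following the RFC 8659 lookup and issue/issuewild rules.
# ZONE is a constructed stand-in for DNS: name -> list of (flags, tag, value).
ZONE = {
    "yourcompany.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@yourcompany.com"),
    ],
    "mail.yourcompany.com": [(0, "issue", "sectigo.com")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


def relevant_caa_set(name, zone):
    """Climb toward the root and return the first non-empty CAA RRset.
    A wildcard name *.x is evaluated starting at x (RFC 8659 Section 3)."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        records = zone.get(".".join(labels))
        if records:
            return records
        labels = labels[1:]
    return []  # no CAA anywhere above the name


def issuer_domain(value):
    """Strip optional parameters: 'ca.example; key=v' -> 'ca.example'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name, ca_domain, zone):
    """True if the CA identified by ca_domain may issue a certificate for name."""
    rrs = relevant_caa_set(name, zone)
    if not rrs:
        return True  # no CAA in the tree: issuance is unrestricted
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in rrs):
        return False  # unknown critical property: the CA must refuse
    tags = {t for _, t, _ in rrs}
    wanted = "issuewild" if name.startswith("*.") else "issue"
    if wanted == "issuewild" and "issuewild" not in tags:
        wanted = "issue"  # no issuewild: issue governs wildcards too
    if wanted not in tags:
        return True  # CAA present but no issue restriction for this kind
    allowed = {issuer_domain(v) for _, t, v in rrs if t == wanted}
    return ca_domain.lower() in allowed
```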
Common Confusions
“CAA blocks my automatic renewals.” — Only if you have a CA that is not on your list. If you publish letsencrypt.org and use Let’s Encrypt → renewals work without issues.
“It’s safer to have no CAA than to misconfigure it.” — Absolutely not. No CAA = any CA can issue. Misconfiguration only affects you (cert renewal fails) and is noticed instantly. Completely different risk category.
“My hoster doesn’t support CAA.” — Change your hoster. All modern registrars (those recommended for any serious business) have supported CAA since 2018.
Check Now
ARTEMIS automatically checks for CAA presence in any Site audit (2 EUR) or Full audit (40 EUR). Plus DNSSEC, DMARC, MTA-STS, headers, TLS, and 22+ other checks.
🔗 Complementary CAI Technology Solutions
- ARTEMIS — Automatic CAA + DNSSEC + DMARC verification + 35 other technical security tests.
- Lexnomia — Auditor-grade compliance assessment (NIS2 / GDPR / DORA / ISO 27001) — required if you are an essential or important entity under NIS2.
- BeLegal with SandboxAI — Free EU compliance check in 5 minutes, as a first step.
- Auditope — Holistic web audit (SEO + AI search + Performance + GDPR).
- AriaUnited — European funds consultancy for investments in cybersecurity infrastructure (PNRR, POIDS).
Technical questions? Write to tehnic@caitech.ro.