CAA Records

What This Check Does

The CAA Records check verifies that Certificate Authority Authorization (CAA) DNS records (RFC 8659) exist for your domain. CAA records tell publicly trusted Certificate Authorities (CAs) which of them are permitted to issue TLS certificates for your domain and, unless a subdomain publishes CAA records of its own, for its subdomains as well. That gives you a simple, DNS-based control over who can issue certificates in your name.

DNS Spy queries for CAA records at your domain and verifies that at least one valid CAA record (an issue, issuewild or iodef property) exists. If no CAA records are found, this check fails. Keep in mind that a CA looks up CAA at the exact name it is asked to certify and then walks up through each parent name until it finds a record set, so one record set at the apex governs every hostname under it that has no CAA records of its own; a CAA record on a subdomain replaces, rather than extends, the apex policy for that subtree.

Why It Matters

Without CAA records, any publicly trusted Certificate Authority can issue a TLS certificate for your domain to anyone who passes that CA's domain validation. A mis-validation at a CA you have never used, or a compromised or rogue CA, can then produce a fraudulent certificate usable for man-in-the-middle attacks against your users. CAA records shrink that surface to the CAs you explicitly authorize: every other compliant CA must refuse the request. Note the limit of the control: CAA is enforced by the CA at issuance time, so a CA that is fully compromised or simply ignores the rules is not stopped by it, and certificates that already exist are unaffected. It complements, rather than replaces, watching Certificate Transparency logs for certificates you did not request.

Since 8 September 2017, all publicly trusted CAs have been required to check CAA records before issuing a certificate (CA/Browser Forum Ballot 187). If a relevant CAA record set exists and does not authorize the requesting CA, the certificate must not be issued. This makes CAA records an effective, low-effort security control. Signing your zone with DNSSEC strengthens it further: the Baseline Requirements allow a CA to proceed when the CAA lookup fails for an unsigned zone (after a retry, and only if the failure is outside the CA's own infrastructure), but not for a zone with a valid DNSSEC chain to the root.

CAA records also support certificate management best practices by enforcing organizational policies about which CAs are approved for use. This helps prevent shadow IT certificate issuance and ensures consistency.

Good vs. Bad Configuration

Bad Configuration

No CAA records exist for example.com. Any CA can issue certificates for your domain without restriction.

Good Configuration

example.com has CAA records: 0 issue "letsencrypt.org" and 0 iodef "mailto:security@example.com". The leading 0 is the flags field (128 would mark the property as critical). Only Let's Encrypt can issue certificates for example.com and for any subdomain that does not publish CAA records of its own; because no issuewild record is present, the same issue record also governs wildcard certificates. Add 0 issuewild ";" to forbid wildcards altogether, or a further issue record for each additional approved CA. The iodef record asks CAs to report policy violations to your security team; reporting is optional for CAs under RFC 8659, so treat it as useful but not guaranteed.

How DNS Spy Monitors This

DNS Spy queries for CAA records during each monitoring cycle. If no CAA records are found, an alert is triggered. DNS Spy also tracks changes to your CAA records, notifying you if authorized CAs are added or removed, so that your certificate issuance policy remains intentional and up to date. Treat an issue record appearing for a CA you never approved as something to investigate rather than merely note: whoever can edit your zone can also authorize a CA of their choosing.
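The lookup and authorization rules described on this page, worked through as an added example (this is not DNS Spy's code, and the zone data in it is constructed). It goes further than the page's own existence check: besides confirming that records exist at a name, it applies the RFC 8659 rules the way a CA does, climbing to the nearest ancestor with CAA records, letting issuewild override issue for wildcard requests, treating an empty issuer (";") as "nobody", and refusing issuance when an unrecognised critical property is present. Replacing ZONE_TEXT with answers from a resolver such as dnspython's dns.resolver.resolve(name, "CAA") is an assumption about your tooling, not something the page describes.

```python
"""Evaluate CAA policy for a name the way a CA does (RFC 8659 lookup and
authorization rules). Added example, not DNS Spy's code. ZONE_TEXT is a
constructed sample; a real monitor would feed in answers from a resolver
(e.g. dnspython's dns.resolver.resolve(name, "CAA")) instead."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class CAA(NamedTuple):
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # issue, issuewild, iodef, or something a CA may not know
    value: str


# Constructed sample zone in presentation format. issuewild ";" (empty issuer)
# forbids wildcard certificates entirely; the 128 flag marks a critical tag.
ZONE_TEXT = """
example.com.        CAA 0   issue     "letsencrypt.org"
example.com.        CAA 0   issuewild ";"
example.com.        CAA 0   iodef     "mailto:security@example.com"
dev.example.com.    CAA 0   issue     "digicert.com"
legacy.example.com. CAA 128 futuretag "not-yet-standardised"
"""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
_LINE = re.compile(r'^(\S+)\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')


def parse_zone(text: str) -> Dict[str, List[CAA]]:
    """Turn zone-file lines into {owner name: [CAA records]}."""
    zone: Dict[str, List[CAA]] = {}
    for line in text.strip().splitlines():
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse CAA line: {line!r}")
        owner = m.group(1).rstrip(".").lower()
        zone.setdefault(owner, []).append(
            CAA(int(m.group(2)), m.group(3).lower(), m.group(4)))
    return zone


def has_caa(zone: Dict[str, List[CAA]], name: str) -> bool:
    """The existence check: does this exact name have at least one CAA record?"""
    return bool(zone.get(name.rstrip(".").lower()))


def relevant_records(zone: Dict[str, List[CAA]],
                     name: str) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 section 3: use the CAA RRset of the name itself, otherwise
    that of the closest ancestor that has one. Levels are never merged."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_of(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org';
    ';' -> '' (no issuer authorized)."""
    return value.split(";", 1)[0].strip().lower()


def is_authorized(zone: Dict[str, List[CAA]], name: str, ca_domain: str,
                  wildcard: bool = False) -> bool:
    """Would a CA identifying itself as ca_domain be allowed to issue for
    name (or for *.name when wildcard=True)?"""
    _owner, rrset = relevant_records(zone, name)
    if not rrset:
        return True                       # no CAA anywhere up the tree
    # An unknown property with the critical flag set forbids all issuance.
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild only matters for wildcard requests, and then it replaces issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                       # e.g. only iodef records: unrestricted
    return any(issuer_of(r.value) == ca_domain.lower() for r in applicable)


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    for name, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "digicert.com", False),
                           ("example.com", "letsencrypt.org", True),
                           ("api.dev.example.com", "letsencrypt.org", False),
                           ("legacy.example.com", "letsencrypt.org", False),
                           ("unrelated.test", "anyca.example", False)]:
        verdict = "ALLOWED" if is_authorized(zone, name, ca, wild) else "DENIED"
        print(f"{'*.' if wild else ''}{name:22} {ca:16} {verdict}")
```

Two points the run makes visible: www.example.com inherits the apex policy, while api.dev.example.com is governed only by dev.example.com's records, so Let's Encrypt is refused there even though the apex authorizes it; and the wildcard request for example.com is refused because the issuewild record with an empty issuer takes precedence over the issue record.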