Why a missing CAA record lets the wrong authority issue your certs
Your site has HTTPS. The padlock is there, the cert renews itself through Let's Encrypt or your host, and you have not thought about certificates since you set it up. Good. That part is working.
Here's the part nobody set up: which certificate authorities are allowed to issue certs for your domain? If you've never published a CAA record, the answer is all of them. Every public CA on earth is permitted to mint a valid, browser-trusted certificate for yourdomain.com, and you'd find out from a transparency log, if you happened to be watching one.
What CAA does, and what its absence means
CAA stands for Certification Authority Authorization. It's a DNS record that names which CAs you've decided are allowed to issue certificates for your domain. A public CA is supposed to check it before issuing. The check is mandatory in the rules CAs operate under, so a compliant authority other than Let's Encrypt that sees a CAA record listing only letsencrypt.org will refuse to issue a cert for that domain, whoever asks.
The catch is what happens when there's no record. CAA is allow-list by presence. If you publish one naming letsencrypt.org, every other CA is supposed to decline. If you publish nothing, there's no list to consult, and the rule reads as "no restriction." An absent CAA record is a green light to every authority at once. Hundreds of CAs are trusted by browsers, and without CAA you've implicitly authorized all of them.
What this opens, concretely
CAA narrows the blast radius of a few things going wrong, and they're the kind of thing you don't control.
A CA can be tricked. Domain validation, the proof that you control the domain, has been fooled before through DNS weaknesses, hijacked email, and routing attacks. If an attacker convinces any single trusted CA that they control your domain, that CA issues them a real certificate. With CAA naming only your CA, the other authorities they might target are off the table, because a compliant CA checks the record and refuses. You've cut the number of CAs that can be social-engineered into issuing your cert from "all of them" down to "the ones you actually use."
A CA can also be compromised or simply make a mistake. Authorities have mis-issued certificates by error and have been breached outright. CAA doesn't make any single CA safer, but it shrinks how many of them are a problem for you specifically.
This stacks with the dangling-subdomain problem. When someone takes over a subdomain whose service you abandoned, one of the first things they do is get a valid cert for it so the padlock looks right. A CAA record on your domain constrains which CA can issue that cert, which is one more bit of friction on an attack that otherwise produces a genuine, trusted lock icon on a hostile page.
To be clear about scope: CAA is a meaningful layer with real limits. It depends on CAs honoring it, it doesn't revoke certs that already exist, and a CA that ignores the rules can still mis-issue. What it does is raise the cost and cut the surface. That's the honest claim.
How to check, then add it
CAA is public DNS, so you read it the same way an attacker checks whether you've bothered:
    dig +short CAA yourdomain.com

Empty output means no CAA record, and every CA is authorized by default. If you get lines back, read which authorities they name and make sure that list matches the CAs you actually use, including whatever your CDN or host issues through on your behalf.

    ; nothing published
    ; result: every public CA may issue for yourdomain.com
Add an issue line for each CA you genuinely rely on. If you're on Let's Encrypt, name letsencrypt.org. If your CDN or cloud issues certs for you, include theirs; AWS, for instance, issues through amazon.com. Get this wrong by omitting a CA you depend on and your next automated renewal fails, so list every issuer before you publish. The iodef line is worth adding too: it gives CAs an address to report rejected issuance attempts to, which is a free early warning that someone tried to get a cert for your domain through an authority you didn't authorize.
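To make the "absent means open, present means allow-list" rule concrete, here is an added example (not code from the original post or from SurfaceCheckr) that models how a compliant CA evaluates CAA under RFC 8659. It runs against a constructed in-memory zone instead of live DNS, the names like locked.example are made up, and it skips CNAME/DNAME alias following.

```python
# Added model of how a compliant CA evaluates CAA (RFC 8659), using a
# constructed in-memory ZONE in place of real public DNS.
from typing import Optional

# Constructed sample records: name -> list of (flags, tag, value).
ZONE = {
    "locked.example": [(0, "issue", "letsencrypt.org"),
                       (0, "issue", "amazon.com"),      # CDN/cloud issuer also listed
                       (0, "iodef", "mailto:security@locked.example")],
    "wild.example":   [(0, "issue", "letsencrypt.org"),
                       (0, "issuewild", ";")],          # ";" = nobody may issue wildcards
    "report.example": [(0, "iodef", "mailto:security@report.example")],
    # "open.example" publishes nothing, like most domains.
}

def relevant_caa(name: str, zone: dict) -> Optional[list]:
    """Walk from the name toward the root and return the first CAA RRset
    found; that is the policy a CA applies to `name` (RFC 8659 section 3).
    Returns None when no label on the path publishes CAA."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return None

def may_issue(name: str, ca: str, zone: dict, wildcard: bool = False) -> bool:
    """True if a CA identified by issuer domain `ca` may issue for `name`
    (or for *.name when wildcard=True)."""
    records = relevant_caa(name, zone)
    if records is None:
        return True   # absent CAA: no restriction, every CA is authorized
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in records):
        return False  # unknown property marked critical: CA must not issue
    tags = {t for _, t, _ in records}
    if wildcard and "issuewild" in tags:
        tag = "issuewild"   # issuewild wins for wildcard requests
    elif "issue" in tags:
        tag = "issue"
    else:
        return True   # only iodef present: reporting address, not a restriction
    # Strip parameters ("letsencrypt.org; validationmethods=dns-01") and keep
    # the issuer domain; an empty domain (value ";") authorizes nobody.
    allowed = {v.split(";")[0].strip().lower() for _, t, v in records if t == tag}
    return ca.lower() in allowed - {""}
```

Note that api.locked.example, which publishes no CAA of its own, inherits the parent's allow-list, while open.example and the iodef-only report.example stay open to every CA.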
SurfaceCheckr reads your CAA record from the public DNS, the same lookup any CA or attacker performs, and tells you whether one exists and which authorities it names. We're external and passive, so we report what you've published to the world. We can't issue or block certificates for you, and we won't pretend to. But a domain with no CAA record at all is a quick thing to spot and a one-line thing to fix.
Find it before someone else does.
Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.