Are CAA records worth it?

Continuing the discussion from Failed to add CAA record:

Should people add CAA records to any domain they control DNS for if they can be sure that they will only ever use a single CA? Also, what can CAA records do, and what can’t be done with CAA records alone?


CAA records are used to instruct CAs whether they are allowed to issue certificates for the domain or not.
For example, I can say that only Let’s Encrypt may issue certificates for my domains (this of course assumes that each CA respects CAA records). I can also specify an e-mail address that will be contacted in the event of violations.
In addition, Let’s Encrypt makes it possible to link the issuance of certificates to a specific account (see RFC 8657 - Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding). This would have made attacks such as those described in impossible.

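As an added illustration of what the reply above describes (this is example code written for this page, not code from the forum post, Let’s Encrypt, or any CA), the block below evaluates a CAA policy roughly the way an issuing CA does: it climbs from the requested name towards the root to find the relevant CAA RRset (RFC 8659, with CNAME handling omitted for brevity), honours `issue`, `issuewild`, and the critical flag, and then applies the RFC 8657 `accounturi` and `validationmethods` parameters that bind issuance to one ACME account and one validation method. The zone data, the domain names, and the account URI are all constructed placeholders; no DNS queries are made.

```python
"""Evaluate CAA policy for a certificate request (constructed example).

Implements the relevant-RRset search of RFC 8659 section 4 (CNAMEs ignored)
and the accounturi / validationmethods parameters of RFC 8657.
"""
from dataclasses import dataclass

CRITICAL_FLAG = 128
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str  # e.g. "ca.example; accounturi=...; validationmethods=dns-01"


# Constructed zone data (not real DNS). example.com allows only one CA,
# bound to one ACME account URI (placeholder) and to dns-01 validation,
# forbids wildcard issuance entirely, and names an iodef contact.
ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER"
ZONE = {
    "example.com": [
        CAARecord(0, "issue",
                  f"letsencrypt.org; accounturi={ACCOUNT}; validationmethods=dns-01"),
        CAARecord(0, "issuewild", ";"),          # empty issuer: no wildcards at all
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
}


def relevant_caa_set(fqdn, zone):
    """Walk from fqdn towards the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def parse_issue_value(value):
    """Split 'issuer-domain; k=v; k=v' into (issuer, {k: v})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip()] = v.strip()
    return issuer, params


def iodef_contacts(fqdn, zone):
    """Addresses a CA should notify about a policy violation."""
    return [r.value for r in relevant_caa_set(fqdn, zone) if r.tag == "iodef"]


def may_issue(fqdn, ca_domain, account_uri, method, zone, wildcard=False):
    """Return True if the CA identified by ca_domain may issue for fqdn."""
    rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised property marked critical forbids issuance outright.
    if any(r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        candidates = [r for r in rrset if r.tag == "issuewild"]
    else:
        candidates = [r for r in rrset if r.tag == "issue"]
    if not candidates:
        return True  # only iodef (or similar) present: issuance is unrestricted
    for r in candidates:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca_domain.lower():
            continue  # "issue ;" has an empty issuer and never matches
        # RFC 8657: the record may pin issuance to one ACME account ...
        if "accounturi" in params and params["accounturi"] != account_uri:
            continue
        # ... and to a set of permitted validation methods.
        allowed = params.get("validationmethods")
        if allowed is not None and method not in allowed.split(","):
            continue
        return True
    return False


if __name__ == "__main__":
    print(may_issue("www.example.com", "letsencrypt.org", ACCOUNT, "dns-01", ZONE))
    print(may_issue("www.example.com", "letsencrypt.org", ACCOUNT, "http-01", ZONE))
    print(iodef_contacts("www.example.com", ZONE))
```

The checks a practitioner usually cares about are the ones the account binding adds: with `accounturi` set, even the named CA refuses a request from a different ACME account, and with `validationmethods` set, a request validated by any method not in the list is refused. Without those parameters a plain `issue` record only restricts which CA may issue, not who may ask that CA to do so.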