Are CAA records worth it?

Continuing the discussion from Failed to add CAA record:

Should people add CAA records to any domain they control DNS for if they can be sure that they will only ever use a single CA? Also, what can CAA records do, and what can’t be done with CAA records alone?


CAA records are used to instruct CAs whether they are allowed to issue certificates for the domain or not.
For example, I can say that only Let’s Encrypt may issue certificates for my domains (this of course assumes that each CA respects CAA records). I can also specify an e-mail address that will be contacted in the event of violations.
In addition, Let’s Encrypt makes it possible to link the issuance of certificates to a specific account (see RFC 8657 - Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding). This would have made attacks such as those described in https://notes.valdikss.org.ru/jabber.ru-mitm/ impossible.

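As an added illustration of the answer above (example code, not from the thread or from Let’s Encrypt), here is a small Python checker that applies the RFC 8659 lookup (climb from the name to its parents, first CAA RRset found is the relevant one) and the RFC 8657 `accounturi` / `validationmethods` binding to a constructed record set. The zone data, the account id `EXAMPLE-ID` and the contact address are constructed placeholders; critical-flag handling for unknown tags is left out.

```python
from __future__ import annotations
from typing import Optional

# Constructed CAA data for the example: name -> list of (flags, tag, value).
# Tags follow RFC 8659; accounturi/validationmethods parameters follow RFC 8657.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/EXAMPLE-ID; validationmethods=dns-01"),
        (0, "issuewild", ";"),                       # empty issuer: no wildcard issuance at all
        (0, "iodef", "mailto:security@example.com"),  # placeholder contact for violation reports
    ],
    "other.example.net": [(0, "issue", "some-other-ca.example")],
}

def relevant_caa(name: str) -> Optional[list]:
    """RFC 8659 tree climbing: the closest name (self, then parents) with CAA records wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None

def parse_issue(value: str) -> tuple[str, dict]:
    """Split 'issuer-domain; key=value; key=value' into the issuer and its parameters."""
    issuer, *params = [p.strip() for p in value.split(";")]
    return issuer, dict(p.split("=", 1) for p in params if "=" in p)

def may_issue(domain: str, ca: str, account: Optional[str] = None,
              method: Optional[str] = None) -> bool:
    """Would CA `ca`, acting for ACME account `account` with challenge `method`, be allowed?"""
    wildcard = domain.startswith("*.")
    rrset = relevant_caa(domain[2:] if wildcard else domain)
    if rrset is None:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    tag = "issuewild" if wildcard else "issue"
    records = [v for _, t, v in rrset if t == tag]
    if wildcard and not records:  # no issuewild present: issue governs wildcards too
        records = [v for _, t, v in rrset if t == "issue"]
    if not records:
        return True  # only iodef or similar: nothing restricts issuance
    for rec in records:
        issuer, params = parse_issue(rec)
        if issuer != ca:
            continue
        if "accounturi" in params and params["accounturi"] != account:
            continue  # right CA, wrong (or unknown) ACME account
        methods = params.get("validationmethods")
        if methods and method not in methods.split(","):
            continue  # right CA and account, but a challenge type the owner excluded
        return True
    return False
```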