CAA DNS record: lock down who can issue certificates for your domain


With so much changing across certificate lifecycles, in both validity periods and validation methods, one of the first things any organisation should do is audit its certificate inventory and consolidate suppliers to reduce administrative overhead. The CAA (Certification Authority Authorization) DNS record is one of the simplest and most effective controls to support that work.
A CAA record is a DNS entry that specifies which certificate authorities are permitted to issue certificates for your domain (the current specification is RFC 8659, which replaced RFC 6844). Since September 2017 the CA/Browser Forum Baseline Requirements have required every publicly trusted CA to check CAA records before issuing, and a CA that ignores them is in breach of those rules. Importantly, the check happens only at issuance time: a CAA record does not affect certificates already issued, which makes it ideal for consolidation, because you can tighten future issuance without disrupting anything currently in service.
A CAA record has three parts: a flag, a tag and a value. The flag is almost always 0. A value of 128 sets the "critical" bit, which instructs a CA to refuse issuance if it does not understand the record's tag; it is a forward-compatibility safeguard, not the mechanism that allows or denies a vendor. The tag defines what kind of issuance the record governs: issue for standard certificates, issuewild for wildcard certificates (if no issuewild record exists, the issue records apply to wildcards as well), and iodef for a mailto: or https: address to which the CA can report rejected attempts. The value names the authorised certificate authority, for example "sectigo.com" or "letsencrypt.org" (always confirm the exact identifier your chosen vendor publishes, since it is not necessarily the brand name you buy from).
Control of who may and may not issue comes from the value, not the flag. You define one record per authorised vendor. A CA looks for CAA records on the requested name and, finding none, walks up label by label to the apex and uses the first set it finds, so records published at the apex govern every subdomain unless a subdomain publishes its own. Any CA not listed is denied by default, and to authorise no one at all you set the value to a single semicolon, as in 0 issue ";".
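To make the evaluation rules concrete, here is a small Python model of how a CA decides whether it may issue against a CAA RRset, written as an added example for this page rather than code from the original article or from McCormickCo. The zone data, the domain example.com and the CA identifiers are constructed assumptions; real CAs publish their own identifier strings. It covers the tree-climbing lookup, the issuewild fallback to issue, the ";" deny-all value, the critical flag on an unrecognised tag, and values that carry parameters after the CA name.

```python
"""Model of how a CA evaluates CAA records before issuance (RFC 8659).

Added example for this page, not McCormickCo code. The zone below is
constructed for illustration: 'example.com' and the CA identifiers
('sectigo.com', 'letsencrypt.org', 'digicert.com') are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 normally; 128 sets the "critical" bit
    tag: str     # "issue", "issuewild" or "iodef" (future tags possible)
    value: str   # CA identifier, ";" to forbid, or a mailto:/https: for iodef


def parse_caa(text: str) -> CAA:
    """Parse the zone-file presentation form, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = text.split(maxsplit=2)
    return CAA(int(flags), tag.lower(), value.strip('"'))


# Constructed zone: the apex allows two vendors for ordinary certificates and
# forbids wildcards entirely; one subdomain overrides with a tighter set.
ZONE = {
    "example.com": [
        parse_caa('0 issue "sectigo.com"'),
        parse_caa('0 issue "letsencrypt.org"'),
        parse_caa('0 issuewild ";"'),
        parse_caa('0 iodef "mailto:security@example.com"'),
    ],
    "lab.example.com": [
        parse_caa('0 issue "letsencrypt.org"'),
    ],
}


def relevant_caa_set(fqdn: str, zone: dict) -> list:
    """RFC 8659 section 3: climb from the FQDN towards the root and use the
    first name that has any CAA records; an empty list means no restriction."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return zone[name]
    return []


def ca_identifier(value: str) -> str:
    """The CA domain is the part before any ';'-separated parameters, so
    'letsencrypt.org; validationmethods=dns-01' identifies 'letsencrypt.org'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn: str, ca: str, zone: dict, wildcard: bool = False) -> bool:
    """Decide whether CA 'ca' may issue for 'fqdn' (or '*.fqdn' if wildcard).

    - a critical record with an unrecognised tag forbids issuance outright
    - issuewild governs wildcards; if absent, the issue records apply instead
    - a value of ';' (empty CA name) forbids every CA for that tag
    - no relevant records, or none for the applicable tag, means unrestricted
    """
    rrset = relevant_caa_set(fqdn, zone)
    if not rrset:
        return True
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    candidates = [r for r in rrset if r.tag == tag]
    if not candidates:
        return True
    return any(ca_identifier(r.value) == ca.lower() for r in candidates)


if __name__ == "__main__":
    for name, ca, wild in [("www.example.com", "sectigo.com", False),
                           ("www.example.com", "digicert.com", False),
                           ("www.example.com", "sectigo.com", True),
                           ("lab.example.com", "sectigo.com", False)]:
        label = f"*.{name}" if wild else name
        print(f"{ca:16} -> {label:22} {'allowed' if may_issue(name, ca, ZONE, wild) else 'refused'}")
```

The subdomain case is the one to watch when consolidating: a record set published on lab.example.com completely replaces the apex set for that name and everything below it, so a stray issue record left on a delegated subdomain silently reopens issuance to whichever vendor it names.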
The outcome is a clear, enforced allow-list of the only third-party certificate providers permitted to issue trusted certificates for your domain. Even if someone inside the organisation attempted to obtain a certificate from an unapproved supplier (the classic shadow-IT scenario), issuance would simply be refused. Two caveats: the control depends on the CA honouring it and on your DNS answering honestly, so sign the zone with DNSSEC where you can; and it governs future issuance only, so keep monitoring Certificate Transparency logs for anything issued before the record went in. It is a small DNS change with a meaningful governance return: tighter supplier control, a smaller attack surface for mis-issuance, and a cleaner estate to manage as lifecycles shorten.
For full guidance on the current certificate lifecycle changes, and on the rapidly arriving challenge of Post-Quantum Cryptography (PQC) and the risks it brings, please reach out to McCormickCo Security.






