
The CAA Record: Who may issue certificates for your domain?

Without a CAA record, any certificate authority in the world can issue a valid certificate for your domain. That's not a bug – that's the default.

What is a CAA record?

The CAA record (Certificate Authority Authorization) is a whitelist. It says: "Only these certificate authorities may issue TLS certificates for my domain." Every publicly trusted CA is required by the CA/Browser Forum Baseline Requirements to check the CAA record before issuing a certificate.

A typical CAA record looks like this:

example.com. CAA 0 issue "letsencrypt.org"

This means: Only Let's Encrypt may issue certificates for example.com. All other CAs must refuse.

What happens without a CAA record?

Nothing good. Without a CAA record, there's no restriction. Any of the hundreds of certificate authorities worldwide may issue a valid certificate for your domain – as long as they pass domain validation.

That's the default. And most domains don't have a CAA record.

This means: If an attacker can pass the DNS challenge (e.g., because they briefly control DNS), they can get a certificate from any CA. Your browser shows the green lock. Your users notice nothing.

What does an attack look like?

Scenario 1: An attacker removes your CAA record. Now they can request a certificate from any CA – not just the one you normally use. They choose a CA with weak validation or one where they can manipulate the verification.

Scenario 2: The attacker modifies your CAA record to allow an additional CA. More subtle – your Let's Encrypt certificates keep working, but now another CA may also issue certificates. The attacker uses this CA to obtain a parallel certificate.

Scenario 3: No attack, but a risk. You haven't set a CAA record. An employee accidentally orders a certificate from a different CA. Or an old process still uses a CA you no longer intended to use. Without CAA, there are no guardrails.

CAA and Certificate Transparency

Certificate Transparency (CT) logs publicly record every issued certificate. That's good – but it's reactive. You only learn after issuance that someone has a certificate for your domain.

CAA is preventive. It blocks issuance upfront. Both together create a strong defense: CAA limits who may issue. CT logs show whether someone ignored that limit.

Why CAA changes are critical

CAA records rarely change. You define which CA you use once, and it stays. A provider switch happens maybe every few years.

That's why any change to the CAA record is a signal:

• Record removed? Someone lifted the restriction.
• New CA added? Someone wants certificates from elsewhere.
• CA changed? Either a planned switch – or not.

In every case, you want to know. Immediately.

What Driftguard detects

Driftguard captures your CAA records as a baseline: Which CAs are allowed, which flags are set. Every check compares against it. Removed records, new CAs, changed policies – everything is detected.

Combined with TLS monitoring, you get the full picture: Driftguard sees when the rules change (CAA) and when new certificates appear (TLS monitoring). Both together make attacks on your encryption chain visible.
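The baseline comparison described above, written out as an added example (this is not Driftguard's own code, which the page does not show): it parses CAA records in zone-file form, stores a baseline, and reports the three kinds of change listed under "Why CAA changes are critical". Only letsencrypt.org comes from the article; every other CA name is a hypothetical placeholder.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or 128 when the "issuer critical" bit is set (RFC 8659)
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA domain, optionally followed by ";param=value", or a report URL

def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record in zone-file form, with or without the owner/type prefix."""
    tokens = line.split()
    if "CAA" in tokens:                       # drop 'example.com. CAA' if present
        tokens = tokens[tokens.index("CAA") + 1:]
    if len(tokens) < 3:
        raise ValueError(f"malformed CAA record: {line!r}")
    return CAARecord(int(tokens[0]), tokens[1].lower(), " ".join(tokens[2:]).strip('"'))

def allowed_issuers(records, tag="issue"):
    """CA domains permitted by the given tag; parameters after ';' are ignored."""
    names = set()
    for r in records:
        if r.tag == tag:
            ca = r.value.split(";", 1)[0].strip().lower()
            if ca:                            # 'issue ";"' permits no CA at all
                names.add(ca)
    return names

def caa_drift(baseline_lines, current_lines):
    """Compare a stored CAA baseline with the records seen now; return findings."""
    base = [parse_caa(line) for line in baseline_lines]
    cur = [parse_caa(line) for line in current_lines]
    if base and not cur:                      # Scenario 1: the whitelist is gone
        return [("CAA_REMOVED", "restriction lifted: any CA may now issue")]
    findings = []
    for tag in ("issue", "issuewild"):        # Scenarios 2 and 3: CA added or swapped
        before, after = allowed_issuers(base, tag), allowed_issuers(cur, tag)
        findings += [("CA_ADDED", f"{tag}: {ca} may now issue") for ca in sorted(after - before)]
        findings += [("CA_DROPPED", f"{tag}: {ca} no longer listed") for ca in sorted(before - after)]
    if {r.value for r in base if r.tag == "iodef"} != {r.value for r in cur if r.tag == "iodef"}:
        findings.append(("IODEF_CHANGED", "incident reporting address changed"))
    if any(r.flags & 128 for r in base) != any(r.flags & 128 for r in cur):
        findings.append(("FLAGS_CHANGED", "issuer-critical flag set or cleared"))
    return findings

# Constructed sample: the article's baseline, and a Scenario 2 zone in which a second
# (hypothetical) CA has quietly been allowed alongside Let's Encrypt.
BASELINE = ['example.com. CAA 0 issue "letsencrypt.org"']
SCENARIO_2 = BASELINE + ['example.com. CAA 0 issue "other-ca.example"']
```

`caa_drift(BASELINE, SCENARIO_2)` reports the added CA; the same function fed an empty record set reports the lifted restriction, which is the case CT logs would only reveal after a certificate had already been issued.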