Skip to main content

Enable missing SSL CAA records

The DNS zone for the domain does not specify any Certification Authority Authorization (CAA) record. All certificate authorities (CAs) can issue certificates for this domain.

Security assessment

Security_Assessment_ EnablemissingSSLCAArecord

CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

Vulnerability information

The DNS zone for the domain does not specify any Certification Authority Authorization (CAA) record. All certificate authorities (CAs) can issue certificates for this domain. To decrease the risk of rogue certificates, append the CAA settings to the DNS records.

Prevent attacks

To enable CAA, you need to specify the appropriate record in your DNS server. For example, the following records allow only Let's Encrypt to issue certificates for your domain example.org.

example.org.  CAA 0 issue "letsencrypt.org"

A free online tool can help you to generate the correct CAA record: https://sslmate.com/caa/.

If you do not have direct access to your DNS server, you need to ask your DNS provider to set this entry. Creating the record can be typically done in their configuration interface.

dnsimple

With dnsimple, you can add the CAA record in the web interface. Then, use the Record editor and add your CA as the provider for your certificate. For more information, go to their website.