Crashtest Security Blog

Domain Providers and CAA

Sep 12, 2017 8:16:00 AM / by Janosch Maier

Certificate Authorities are not the Problem


To increase the security of SSL/TLS encryption on the internet, website administrators can set Certification Authority Authorization (CAA) records. These DNS records determine which certificate authorities (CAs) are allowed to issue certificates for a domain. Since September 8th, it is mandatory for CAs to check for the existence of a CAA record and to comply with its content.

Currently there are still some problems, such as CAs that do not check CAA records at all. However, this is not the biggest issue: many domain providers have not yet updated their software to support CAA records, so administrators simply cannot set them.


How can I set CAA records?

To increase the security of your website, go to your DNS provider’s configuration page and create a new CAA record. To allow only Let's Encrypt to issue certificates for your domain, use the following record:

Name Type Value Value CAA 0 issue ""

Check out our knowledge base for more information.
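
How a CA is expected to evaluate such a record, as an added example that is not part of the original post. The zone data is constructed, `letsencrypt.org` is the issuer identifier Let's Encrypt documents for CAA (not a value taken from this page), and the function names are hypothetical. It follows the RFC 8659 lookup rules, so it goes beyond the single record above and also covers parent-domain lookup, wildcard names and the critical flag.

```python
# Constructed sample zone data (not from the original post): owner name -> CAA RDATA.
SAMPLE_ZONE = {
    "example.com": ['0 issue "letsencrypt.org"'],
    "locked.example.net": ['0 issue ";"'],  # ";" alone: no CA may issue
    "wild.example.org": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")  # tags this example understands


def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, issuer domain)."""
    flags, tag, value = rdata.split(None, 2)
    value = value.strip().strip('"')
    issuer = value.split(";", 1)[0].strip().lower()  # drop parameters after ';'
    return int(flags), tag.lower(), issuer


def relevant_records(name, zone):
    """Climb from the name towards the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return [parse_caa(r) for r in records]
    return []


def may_issue(ca_domain, name, zone=SAMPLE_ZONE):
    """Return True if the CA identified by ca_domain may issue for name."""
    wildcard = name.startswith("*.")
    records = relevant_records(name[2:] if wildcard else name, zone)
    if not records:
        return True  # no CAA record on the name or any parent: unrestricted
    # An unknown tag with the critical bit (128) set means the CA must refuse.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # record set carries no issue/issuewild property
    return ca_domain.lower() in applicable
```

A subdomain without its own CAA record inherits the closest parent's record set, so one record on the registered domain covers every host below it unless a subdomain overrides it.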


Verify the record

To verify whether the CAA record is set correctly, you can use our free web application security scanner. It will show you the following message if the CAA record is not set:

