CAA record — restrict which authority can issue SSL for your domain

18.03.2033

SSL certificates are the backbone of internet security, but if an attacker obtains a fake certificate for your domain, no green HTTPS lock will save you. The CAA (Certification Authority Authorization) record was created to prevent this: it announces, via DNS, the list of CAs the domain owner allows, and every other CA must refuse to issue.

How CAA works

Since 2017, the CAA check has been mandatory for every CA. Let's Encrypt, DigiCert, Sectigo, GlobalSign — all must verify CAA before issuing. If the record does not list a CA, that CA must refuse. This is a CA/Browser Forum Baseline Requirements rule, and breaking it can cost a CA its license.

The record format is: sayt.uz. IN CAA 0 issue "letsencrypt.org" (0 is the flags field, issue is the tag, and the quoted value is the CA's identifying domain). This authorizes only Let's Encrypt to issue for sayt.uz; any other CA's attempt must be rejected. To allow several CAs, add one record per CA.

Tags and parameters

There are three main tags: issue, issuewild and iodef. issue covers regular certificates, issuewild covers wildcard certificates (if no issuewild record exists, the issue records apply to wildcards as well). To forbid wildcards entirely, set issuewild ";". iodef sets the email address for violation notifications.

A full setup may look like this:

sayt.uz. CAA 0 issue "letsencrypt.org"
sayt.uz. CAA 0 issuewild "letsencrypt.org"
sayt.uz. CAA 0 iodef "mailto:security@sayt.uz"

Only Let's Encrypt is allowed, for both regular and wildcard certificates, and you will be notified of any refused attempt.
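The decision a CA has to make from records like these can be checked from the defender's side as well. The following is an added example, not code from sayt.uz: it parses zone-file CAA lines, walks up the DNS tree to find the relevant record set, applies issuewild-falls-back-to-issue and the ";" (nobody) rule, and honours the critical flag. The sample zone is constructed for the example; only the sayt.uz policy above comes from the article.

```python
import re
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")
CAA_LINE = re.compile(r'^(\S+)\s+(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$')

def parse_zone(text):
    """Group zone-file CAA lines (e.g. sayt.uz. IN CAA 0 issue "letsencrypt.org") by owner."""
    zone = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        zone.setdefault(m.group(1).rstrip(".").lower(), []).append(
            CAA(int(m.group(2)), m.group(3).lower(), m.group(4)))
    return zone

def relevant_rrset(zone, name):
    """Walk from the name towards the root; the first non-empty CAA set is the policy."""
    while name:
        if name in zone:
            return zone[name]
        name = name.partition(".")[2]  # drop the leftmost label
    return []

def may_issue(zone, requested, ca_domain):
    """True if ca_domain is allowed to issue for `requested` (a name or '*.name')."""
    wildcard = requested.startswith("*.")
    lookup = (requested[2:] if wildcard else requested).rstrip(".").lower()
    rrset = relevant_rrset(zone, lookup)
    if not rrset:
        return True  # no CAA anywhere up the tree: every CA may issue
    # A critical record (flag bit 128) with a tag the CA does not understand forbids issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild only overrides when present; otherwise issue covers wildcards
    # The issuer domain is the part before ";"; parameters after it are ignored here.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in rrset if r.tag == tag}
    allowed.discard("")  # ";" has an empty issuer domain and therefore authorizes nobody
    return ca_domain.lower() in allowed

# Constructed sample zone (not real DNS data): the article's policy plus a stricter sub-zone.
SAMPLE_ZONE = parse_zone("""
sayt.uz.      IN CAA 0 issue     "letsencrypt.org"
sayt.uz.      IN CAA 0 issuewild ";"
sayt.uz.      IN CAA 0 iodef     "mailto:security@sayt.uz"
shop.sayt.uz. IN CAA 0 issue     "digicert.com; validationmethods=dns-01"
""")
```

Note that shop.sayt.uz has its own CAA set, so the walk stops there and the parent's issuewild ";" no longer applies to *.shop.sayt.uz; that is exactly the kind of surprise worth checking before a sub-zone goes live.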

Phishing protection

CAA's biggest benefit is preventing accidental issuance by another CA or by an attacker who got into the DNS panel. Imagine marketing requests a wildcard via Cloudflare while policy allows only the corporate CA: CAA stops that issuance automatically.

Through iodef, CAA also reports violation attempts: the CA must email a notification for each refusal, which lets you detect DNS spoofing or insider threats early.

Setup details

CAA is most effective combined with DNSSEC. Without DNSSEC, an attacker able to spoof the DNS reply seen by the CA could present a CAA record naming their own CA. Serious organizations deploy CAA and DNSSEC together.

Another point — CAA is checked only at issuance and does not affect existing certificates. If you already have a Let's Encrypt certificate and then point CAA at a different CA, the current certificate keeps working, but the record must permit the renewing CA before the next renewal, or that renewal will be refused.

Sayt.uz practice

18 percent of clients use CAA, growing to 31 percent last year. In 2032 CAA blocked 4 unauthorized issuance attempts. With domain registration (from 145,000 UZS per year) we configure CAA for free — if SSL is also issued through us, the matching CA is added automatically. For corporate clients, the CAA + DNSSEC package is an extra 95,000 UZS per year with iodef monitoring and monthly security reports.
