Published: August 21, 2019
SSL Labs makes analyzing the SSL status of your website simple and straightforward. One of the metrics it reports is “DNS CAA”, which I wasn’t familiar with. DuckDuckGo search to the rescue!
Essentially, a CAA is a DNS record that lets a domain owner declare which Certificate Authorities are allowed to issue an SSL/TLS certificate for that domain. For example, I created a CAA record indicating that “Let’s Encrypt” is allowed to issue certificates for *.briangreunke.com. This prevents other Certificate Authorities from issuing a valid certificate for the domain. If you are feeling masochistic, or enjoy reading RFCs, RFC 1035 has the details.
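To make the issuance rule concrete, here is an added example (not from the original post) that models how a CA evaluates CAA: walk from the requested name up toward the root until a label with CAA records is found, then apply the `issue` / `issuewild` tags and the critical flag. The zone below is a constructed sample, not the real records for any domain.

```python
"""Offline model of CAA policy evaluation (RFC 6844 / RFC 8659 rules)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the record issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org", or ";" meaning "no CA may issue"

# Constructed sample zone (not real DNS data): the apex allows only Let's Encrypt,
# forbids wildcard issuance entirely, and a subdomain overrides with its own policy.
ZONE = {
    "briangreunke.com": [CAA(0, "issue", "letsencrypt.org"),
                         CAA(0, "issuewild", ";")],
    "lab.briangreunke.com": [CAA(0, "issue", "digicert.com")],
}

def relevant_caa_set(name, zone):
    """Climb from name toward the root; the first label with CAA records wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def _ca_domain(value):
    # An issue value looks like "ca.example; account=123"; keep only the domain part.
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name, zone, wildcard=False):
    """Return True if CA `ca` may issue for `name` (or *.name when wildcard=True)."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True   # no CAA anywhere up the tree: any CA may issue
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False  # critical flag on a tag the CA does not understand: refuse
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"   # issuewild takes precedence for *.name when present
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True   # CAA records exist but none restrict this kind of issuance
    return any(_ca_domain(r.value) == ca.lower() for r in relevant)
```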
DigitalOcean has a simple guide on how to add this, but if you’ve ever added an “A record” to DNS, this will be a piece of cake.
CAA records are a low-hanging, easy-to-implement mitigation that further hardens your network.