DNS Certification Authority Authorization

Since Let’s Encrypt and the ACME protocol it is much easier to obtain a certificate without any human intervention. This allows anyone with control over the endpoint to issue certificates (https://letsencrypt.org/how-it-works/).

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name.

$ dig +short CAA newcubator.com
0 issue "amazon.com"

• https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
• https://tools.ietf.org/html/rfc8659
• https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html
• https://security.stackexchange.com/questions/180903/why-dont-browsers-check-caa-records-to-help-ensure-a-certificate-is-valid
• https://crt.sh/?q=%25.newcubator.com