
CAA DNS records: how to restrict certificate issuance

Without a CAA record, any public CA on Earth can issue a cert for your domain. One DNS line shuts that door and keeps it shut.

What it is

CAA (Certificate Authority Authorization) is a DNS record type that lets you specify which certificate authorities (CAs) are allowed to issue certificates for your domain. If no CAA record exists, any CA can issue a cert; with CAA, only the CAs you list (or none) can issue.

Why it matters

CAA reduces the risk of a CA issuing a certificate for your domain without your approval. It is a defense-in-depth measure and is increasingly expected by security and compliance reviews. Monitoring CAA helps you confirm your DNS is configured as intended.

How Barrion checks it

Barrion performs DNS lookups for CAA records on your domain. We report what we find (or that no CAA is set) and whether the configuration is consistent with common best practices. These are read-only DNS checks; nothing in your zone is modified.

Configuration examples

BIND zone: allow only Let's Encrypt, set incident contact
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 iodef "mailto:security@example.com"
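As an added example (not Barrion's code and not part of the original page), the Python below evaluates a CAA policy the way a CA is required to under RFC 8659: it parses records in the BIND form shown above, climbs from the requested name toward the root to find the relevant CAA RRset, and applies the issue and issuewild tags, the empty ";" issuer value and the critical flag. It shows the rules stated in "What it is" in executable form: no record anywhere up the tree means any CA may issue, a listed CA is the only one permitted, and ";" permits none. The zone lines it loads are constructed for the example; the strict., wild., info. and odd. subdomains are hypothetical.

```python
"""Evaluate CAA policy for a hostname as RFC 8659 specifies (added example)."""
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # bit 7 of the flags byte: "issuer critical"


def parse_caa(line):
    """Parse 'name. IN CAA flags tag "value"' into (name, flags, tag, value).

    Assumes the six-token zone-file form used on the page (no TTL field).
    """
    name, rrclass, rrtype, flags, tag, value = shlex.split(line)
    if rrclass.upper() != "IN" or rrtype.upper() != "CAA":
        raise ValueError(f"not a CAA record: {line!r}")
    return name.lower(), int(flags), tag.lower(), value


def rrsets(lines):
    """Group parsed records by owner name, the way DNS answers are grouped."""
    zone = {}
    for line in lines:
        name, flags, tag, value = parse_caa(line)
        zone.setdefault(name, []).append((flags, tag, value))
    return zone


def relevant_rrset(name, zone):
    """RFC 8659 section 3: use the CAA RRset of the name itself, else of the
    nearest parent that has one; wildcard labels are stripped first."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]  # the policy for *.x lives at x
    while labels:
        hit = zone.get(".".join(labels) + ".")
        if hit:
            return hit
        labels = labels[1:]
    return None


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name, ca, zone):
    """Would the CA identified by issuer domain `ca` be allowed to issue for `name`?"""
    rrset = relevant_rrset(name, zone)
    if rrset is None:
        return True  # no CAA anywhere up the tree: every public CA may issue
    # A property the CA does not understand, marked critical, forbids issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    wildcard = name.startswith("*.")
    tags = [tag for _, tag, _ in rrset]
    # For wildcard names, issuewild (if present) replaces issue entirely.
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    allowed = [issuer_domain(v) for _, tag, v in rrset if tag == wanted]
    if not allowed:
        return True  # RRset carries only iodef or other tags: not restricted
    return ca.lower() in allowed


# Constructed zone data standing in for DNS answers (example only).
ZONE_LINES = [
    'example.com. IN CAA 0 issue "letsencrypt.org"',
    'example.com. IN CAA 0 iodef "mailto:security@example.com"',
    'strict.example.com. IN CAA 0 issue ";"',          # hypothetical: no CA at all
    'wild.example.com. IN CAA 0 issue "letsencrypt.org"',
    'wild.example.com. IN CAA 0 issuewild ";"',        # hypothetical: no wildcards
    'info.example.com. IN CAA 0 iodef "mailto:security@example.com"',
    'odd.example.com. IN CAA 128 futuretag "x"',       # hypothetical critical tag
]
ZONE = rrsets(ZONE_LINES)

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("www.example.com", "digicert.com"),
                     ("*.wild.example.com", "letsencrypt.org"),
                     ("example.net", "digicert.com")]:
        print(f"{host:22} {ca:16} -> {issuance_permitted(host, ca, ZONE)}")
```

The inherited policy is the point to notice: www.example.com has no CAA record of its own, yet Let's Encrypt is the only CA that may issue for it because the lookup climbs to example.com. Conversely, a subdomain that publishes its own RRset (strict., wild.) overrides the parent completely, which is why a monitoring check should look at every name you issue for, not just the apex.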

Verify it

dig +short CAA example.com
