97.7% of Hutchinson Area Domains Are Missing This Simple DNS Security Control

Nearly 98% of the domains tested in the Hutchinson area are missing CAA DNS records. Here is why that matters.

Why CAA DNS Records Matter

Recently, I tested domains associated with businesses and organizations in the Hutchinson area. One statistic stood out:

97.7% of the domains tested did not have a CAA DNS record configured.

That does not mean those websites are insecure. It does suggest that many organizations are missing a simple, free security control that helps protect one of the most important trust systems on the Internet: SSL/TLS certificates.

What Is a CAA Record?

CAA stands for Certification Authority Authorization.

A CAA record tells certificate authorities (CAs) which CAs are allowed to issue SSL/TLS certificates for your domain. Publicly trusted CAs are required to check for CAA records before issuing, so the record is enforced at the point of issuance rather than by your own systems.

Without a CAA record, any trusted public certificate authority can issue a certificate for your domain, or any of its subdomains, as long as it completes the required domain validation checks.

With a CAA record, you can explicitly define which certificate authorities are permitted to issue certificates for your domain.

For example, this authorizes Let’s Encrypt:

example.com. IN CAA 0 issue "letsencrypt.org"

Why Does This Matter?

SSL certificates are the foundation of HTTPS. They help ensure visitors are communicating with the legitimate website and not an impostor.

Certificate authorities generally do a good job validating certificate requests, but no process is perfect. Misissued certificates have happened before.

A CAA record adds another layer of control. It tells certificate authorities, “Only these approved providers may issue certificates for this domain.”

That matters because certificates are trust objects. A certificate issued to the wrong party is accepted by browsers just like a legitimate one, so an attacker who can also steer traffic (through DNS, routing, or a compromised network) can use it for impersonation, phishing, or interception without triggering any warning.

A Simple Example

Imagine your company uses Let’s Encrypt for all website certificates.

Without a CAA record:

  • Any trusted certificate authority could potentially issue a certificate after completing validation.
  • You have less control over the certificate issuance process.
  • You rely entirely on external validation controls.

With a CAA record:

  • Only Let’s Encrypt is authorized to issue certificates.
  • Other certificate authorities must reject issuance requests, because publicly trusted CAs are required to check CAA before issuing.
  • Unauthorized issuance attempts can be reported to you, if you publish a reporting address (the iodef property) and the CA that received the request supports reporting; not all do.

This reduces risk and improves visibility into certificate activity.

Why So Few Organizations Use CAA Records

Most organizations are familiar with DNS records such as:

  • A
  • AAAA
  • MX
  • SPF
  • DKIM
  • DMARC

CAA records rarely receive the same attention.

Unlike SPF, DKIM, and DMARC, CAA records do not usually solve a visible day-to-day business problem. Websites continue to work normally without them, so they are easy to overlook.

Many hosting providers and website platforms also do not create them automatically.

As a result, they are often missing from otherwise well-managed DNS environments.

Are CAA Records Required?

No.

Your website will work without one.

However, cybersecurity is about layers. Not every control needs to be expensive, complicated, or disruptive.

CAA records are:

  • Free
  • Easy to deploy
  • Widely supported
  • Low maintenance
  • Helpful for reducing certificate issuance risk

For most organizations, adding one takes only a few minutes. The one piece of homework is an inventory of every CA that actually issues for your names, including CAs used on your behalf by hosting, CDN, load balancer, and email providers: a CA that is not listed will refuse to issue or renew, and the record also applies to every subdomain that does not publish a CAA record of its own.

Common CAA Configurations

Allow Let’s Encrypt:

example.com. IN CAA 0 issue "letsencrypt.org"

Allow DigiCert:

example.com. IN CAA 0 issue "digicert.com"

Allow multiple certificate authorities:

example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "digicert.com"

Ask CAs to report issuance requests that the policy rejects (the iodef property; CAs are not required to honor it, so treat it as best-effort rather than an alerting guarantee):

example.com. IN CAA 0 iodef "mailto:[email protected]"

How to Check Your Domain

You can check whether a domain has a CAA record configured with:

dig example.com CAA

Or:

nslookup -type=CAA example.com

If the query succeeds but returns no CAA records, that name has no CAA policy of its own. Before concluding there is none at all, check the parent names too: a name without a CAA record inherits the first CAA record set found walking up toward the top-level domain, so a record at example.com covers www.example.com and every other subdomain that lacks one, and a subdomain query can come back empty even though a policy is in force.
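As an added example (not code from the original post), here is a small Python evaluator that applies the CAA rules a CA must follow (RFC 8659) to a constructed zone: it parses records in the presentation format dig prints, climbs from a name to its parents to find the relevant record set, applies the issue and issuewild properties and the critical flag, and reports which domains in a list have no effective policy at all, which is the check behind the statistic above. The zone data, domain names, and addresses in it are constructed for illustration; the issuer domain names letsencrypt.org and digicert.com are the ones the post already uses, and the deny-all (";") and issuewild entries go slightly beyond the configurations shown above.

```python
"""Evaluate CAA the way a CA must (RFC 8659) against constructed DNS data.

Added example, not code from the original article. ZONE stands in for
live DNS answers (what `dig +short <name> CAA` would print); every name
and record in it is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # Issuer Critical flag bit (RFC 8659 section 4.1)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation format, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.strip().split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone: FQDN -> CAA rdata strings at exactly that name.
ZONE: Dict[str, List[str]] = {
    "example.com.": [
        '0 issue "letsencrypt.org"',
        '0 issuewild "digicert.com"',
        '0 iodef "mailto:security@example.com"',
    ],
    "legacy.example.com.": ['128 issue ";"'],            # ';' alone forbids all issuance
    "notify-only.example.org.": ['0 iodef "mailto:soc@example.org"'],
    "example.org.": ['128 futuretag "x"'],              # unknown property, critical flag set
}


def lookup(name: str) -> List[CAARecord]:
    """Stand-in for a DNS query; returns the CAA RRset at exactly this name."""
    return [parse_caa(r) for r in ZONE.get(name.lower().rstrip(".") + ".", [])]


def relevant_rrset(fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: use the CAA RRset at the name if present, otherwise
    climb to the parent and repeat. Returns (name where found, records), or
    (None, []) when no ancestor publishes CAA. The root is not queried."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # a wildcard request is evaluated from the name under '*'
    while labels:
        name = ".".join(labels) + "."
        rrset = lookup(name)
        if rrset:
            return name, rrset
        labels = labels[1:]
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def may_issue(ca: str, fqdn: str) -> Tuple[bool, str]:
    """Decide whether the CA known by issuer-domain-name `ca` may issue for `fqdn`."""
    found_at, rrset = relevant_rrset(fqdn)
    if not rrset:
        return True, "no CAA policy in the tree: any CA may issue"
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False, f"unknown critical property at {found_at}"  # RFC 8659 section 4.1
    tag = "issue"
    if fqdn.startswith("*.") and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild replaces issue for wildcard names when present
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True, f"{found_at} has no {tag} property: issuance not restricted"
    allowed = {issuer_domain(r.value) for r in applicable} - {""}
    ca = ca.lower().rstrip(".")
    if ca in allowed:
        return True, f"{ca} authorized by {tag} at {found_at}"
    return False, f"{ca} not in {tag} set at {found_at}: {sorted(allowed) or 'nobody'}"


def domains_without_caa(domains: List[str]) -> List[str]:
    """Audit helper: names with no effective CAA policy anywhere above them."""
    return [d for d in domains if relevant_rrset(d)[0] is None]


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.example.com"),
                     ("digicert.com", "www.example.com"),
                     ("digicert.com", "*.example.com"),
                     ("letsencrypt.org", "legacy.example.com"),
                     ("letsencrypt.org", "sub.example.org"),
                     ("letsencrypt.org", "example.net")]:
        print(f"{ca:16} {name:22} {may_issue(ca, name)}")
    print(domains_without_caa(["example.com", "example.net", "shop.example.net"]))
```

Two of the constructed cases are the ones that surprise people: a record set containing only iodef (notify-only.example.org) restricts nothing, and a name with no CAA record of its own (www.example.com) is governed by the nearest ancestor that has one. To run this against real DNS, replace lookup with a resolver call that returns the CAA answers for the name.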

The Bigger Picture

When nearly 98% of local domains are missing a security control, it is usually not because organizations have consciously decided against it.

More often, it simply means the control is not widely known.

That is exactly where CAA records sit today.

They are not flashy. They will not stop every attack. They are not a substitute for proper certificate management.

But they are another layer of defense that helps ensure only approved certificate authorities can issue certificates for your domain.

For a control that is free, easy to implement, and requires very little ongoing maintenance, that is a worthwhile improvement.

Need Help Reviewing Your DNS Security?

Minnesota Risk & Cybersecurity Advisory helps organizations assess DNS security, email security, certificate management, and overall cybersecurity risk.

Whether you are looking at SPF, DKIM, DMARC, CAA, DNSSEC, or broader cybersecurity concerns, we can help you understand your options and reduce risk.

Feel free to reach out if you would like help reviewing your DNS security posture.