
CAA Record

By NHI Mgmt Group Updated June 23, 2026 Domain: Authentication, Authorisation & Trust

A Certificate Authority Authorization (CAA) record is a DNS record that tells certificate authorities which issuers are allowed to issue certificates for a domain. When it is missing, any publicly trusted CA may issue; when it names the wrong issuer, the CA the organisation actually uses will refuse to issue or renew. Either way it directly affects domain trust.

Expanded Definition

A CAA record is a DNS control (RFC 8659, which obsoletes RFC 6844) that limits which certificate authorities may issue TLS certificates for a domain. Each record carries a flags byte, a property tag and a value: `issue` names a CA permitted to issue ordinary certificates, `issuewild` names a CA permitted to issue wildcard certificates (wildcard requests fall back to `issue` when no `issuewild` record exists), and `iodef` gives a mailto or HTTPS URL where a CA should report requests it refused. A CA looks for CAA records at the requested name and, if none exist there, at each parent name in turn; the first non-empty set it finds is the one that applies, and a child name that has its own records replaces, rather than merges with, its parent's. Publicly trusted CAs are required by the CA/Browser Forum Baseline Requirements to perform this check before issuing.

CAA matters because it adds issuer-level governance to certificate lifecycle decisions, complementing domain validation and reducing the chance of unintended issuance. In practice it is used alongside DNS, PKI and certificate automation workflows, not as a replacement for them: the operational question is not only whether a certificate request can be validated, but whether the requested issuer is authorised to sign for that domain. For broader governance context, NHI Management Group's Ultimate Guide to NHIs explains why certificate and secret governance must be treated as part of NHI control, especially where machine identities are exposed across automation chains. The control aligns closely with the intent of NIST Cybersecurity Framework 2.0, which emphasises asset governance, access control and secure configuration.

Vendors differ only in how much operational weight they place on CAA versus CA-side policy; the record itself is standardised. The most common misapplication is assuming CAA alone prevents certificate misuse. CAA is evaluated only at issuance time, only by CAs that honour it, and only for the names in the request: it does nothing about certificates that already exist, it is not consulted by private or internal CAs, and a compliant CA can still be misled if an attacker controls the zone or its responses. Organisations therefore also need to monitor changes to the CAA records themselves, renewal automation, and certificate transparency logs for unexpected issuance on subdomains.
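The lookup and evaluation rules above are easiest to see in code. The following is an added example, not code from this page or from NHI Management Group: it parses CAA records in the presentation format that `dig CAA example.com` prints, climbs the tree to find the relevant RRset, and decides whether a given CA may issue, including the wildcard fallback, the child-replaces-parent rule and the issuer-critical flag. All zone data is constructed for the example (the names `example.com`, `legacy.example.com`, `strict.example.com`, `report.example` and the CA `anyca.example` are hypothetical; `letsencrypt.org` and `digicert.com` are used as issuer-domain values because those CAs publish them as their CAA identifiers). Replace `caa_rrset()` with a real resolver to check live DNS; the evaluation logic does not change.

```python
"""Evaluate CAA the way an issuing CA does (RFC 8659) against a constructed zone.

Added example; not code from the page or from NHI Management Group.
The ZONE table below is made up. Swap caa_rrset() for a real DNS lookup
(e.g. dnspython) to check live records; may_issue() stays the same.
"""
import re
from typing import List, NamedTuple


class CAA(NamedTuple):
    flags: int   # bit 7 (value 128) = issuer-critical
    tag: str     # issue, issuewild, iodef, or a tag the CA may not understand
    value: str


# Presentation format, exactly as `dig CAA <name>` prints the RDATA.
_RR = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


def parse_caa(line: str) -> CAA:
    """Parse '0 issue "letsencrypt.org"' into a CAA tuple."""
    m = _RR.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))


# Constructed zone data (hypothetical names); each entry is one CAA RRset.
ZONE = {
    "example.com": [
        parse_caa('0 issue "letsencrypt.org"'),          # only this CA for ordinary names
        parse_caa('0 issuewild ";"'),                     # nobody may issue *.example.com
        parse_caa('0 iodef "mailto:pki@example.com"'),    # where CAs report refused requests
    ],
    # A child with its own RRset REPLACES the parent's; nothing is merged.
    "legacy.example.com": [parse_caa('0 issue "digicert.com"')],
    # Critical flag on a tag the CA does not understand: it must refuse.
    "strict.example.com": [parse_caa('128 futuretag "x"')],
    # iodef only: a reporting address, but no restriction on issuers.
    "report.example": [parse_caa('0 iodef "mailto:pki@report.example"')],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def caa_rrset(name: str) -> List[CAA]:
    """Stand-in for a DNS query; returns the CAA RRset at exactly this name."""
    return ZONE.get(name, [])


def relevant_caa(name: str) -> List[CAA]:
    """RFC 8659 section 3: walk up the tree until a name with a CAA RRset is found."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = caa_rrset(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; accounturi=...' -> 'ca.example'; ';' alone -> '' (matches no CA)."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, name: str, wildcard: bool = False) -> bool:
    """Would CA `ca` be permitted to issue for `name` (or `*.name` if wildcard)?"""
    rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA anywhere up the tree: CAA imposes no restriction
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # a critical property the CA cannot evaluate
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # otherwise wildcard requests fall back to issue
    rules = [r for r in rrset if r.tag == tag]
    if not rules:
        return True  # e.g. iodef only: no issuer restriction
    return any(issuer_domain(r.value) == ca.lower() for r in rules)


if __name__ == "__main__":
    checks = [
        ("letsencrypt.org", "www.example.com", False),   # inherits example.com: allowed
        ("digicert.com", "www.example.com", False),      # not in issue: refused
        ("letsencrypt.org", "www.example.com", True),    # issuewild ";": refused
        ("digicert.com", "legacy.example.com", True),    # no issuewild, falls back to issue
        ("letsencrypt.org", "strict.example.com", False),  # unknown critical tag: refused
        ("anyca.example", "host.nocaa.example", False),  # no CAA at all: allowed
    ]
    for ca, name, wild in checks:
        print(f"{ca:16} {'*.' if wild else ''}{name:24} -> {may_issue(ca, name, wild)}")
```

The cases worth noticing are the last four: a domain that sets `issue` but forgets `issuewild` has, by the fallback rule, also authorised that CA for wildcards; a subdomain with its own record silently drops the parent's restrictions; and a name with no CAA anywhere in its ancestry is open to every public CA. Those are exactly the configurations a reviewer should look for when auditing `dig CAA` output.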

Examples and Use Cases

Implementing CAA rigorously introduces DNS management overhead: a record that names the wrong CA, or omits a CA that renewal automation still relies on, blocks legitimate issuance, so organisations weigh tighter certificate governance against the risk of breaking issuance workflows.

  • A security team restricts a production domain so only a single approved CA can issue public certificates, reducing issuer sprawl.
  • An organisation adds the new platform's CA to its CAA records before migrating to a new certificate automation platform, so the first issuance after cutover is not refused.
  • A compliance team reviews CAA records for high-value domains as part of NHI and PKI governance, using the Ultimate Guide to NHIs as a lifecycle reference.
  • A platform engineering team aligns DNS policy with NIST Cybersecurity Framework 2.0 so certificate issuance is traceable to approved change management.
  • An incident response team checks the CAA records, and their DNS change history, after discovering an unexpected certificate, to determine whether the issuer was permitted at the time or the record had been altered.

Why It Matters in NHI Security

CAA matters in NHI security because certificates are machine credentials, and weak issuance controls expand the attack surface even when passwords and interactive logins are well governed. When CAA is missing, misconfigured or stale, an attacker who can pass domain validation at any CA, or a misrouted automation path, may obtain a certificate from an issuer that should never have been trusted for that domain; with a correct record, the attacker must defeat validation at the one CA the record names. Unintended issuance undermines TLS trust, enables impersonation and complicates revocation across environments that rely on automated certificate issuance. The NHI risk is not theoretical: NHI Management Group's Ultimate Guide to NHIs cites that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is why certificate governance belongs in the same operational conversation as secrets and service accounts. CAA also supports the governance intent of NIST Cybersecurity Framework 2.0, especially where secure configuration and access control intersect. Most organisations discover the importance of CAA only after a certificate is unexpectedly issued or a renewal fails in production, at which point the record has to be fixed under pressure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                         Control / Reference   Relevance
NIST CSF 2.0                      PR.AC-5               CAA limits which issuers can create certificates for a domain.
NIST CSF 2.0                      PR.DS-6               CAA supports integrity of machine trust by constraining certificate issuance.
OWASP Non-Human Identity Top 10   NHI-08                CAA affects machine identity governance by controlling certificate issuance authority.

Ensure certificate issuance rules are configured to protect domain trust and prevent unauthorized certificates.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org