A CAA allows specifying which Certificate Authorities are authorized to issue a certificate for my domain. For example
example.com. CAA 0 issue "symantec.com"
will only allow Symantec to issue certificates for example.com.
However, as explained in "Why don’t browsers check CAA records to help ensure a certificate is valid?", this is not verified or enforced by browsers. There is no reason to set it to the CA that issued the current certificate.
With that in mind: would it not be more secure to set the CAA-record to an invalid CA like this:
example.com. CAA 0 issue "doesnotexist.com"
That way nobody can issue a certificate.
My certificate is still valid for several years from now and I will not need any CA to issue a certificate right now. When time comes I will temporarily change the CAA record to the specific CA to allow it.
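As an added example (not part of the question or any answer on the page): the check that a CA, not the browser, is required to run against CAA records before issuing, per RFC 8659 (which superseded RFC 6844), written in Python over a small constructed zone. It puts the question's `issue "doesnotexist.com"` record beside the standard `issue ";"` form, which the RFC defines to mean "no CA may issue", and also shows the walk from a subdomain up to the nearest CAA RRset, the `issuewild` override for wildcard names, and the "critical" flag on an unknown property. The owner names other than example.com and the issuer domains other than symantec.com and doesnotexist.com are assumed for the demonstration.

```python
# Added example, not code from the original question: a minimal RFC 8659 CAA
# evaluator. The zone text below is constructed; "symantec.com" and
# "doesnotexist.com" come from the question, the other names are assumed.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # issue, issuewild, iodef, or a tag the CA does not know
    value: str


# One record per line, in the same layout the question uses:
#   owner CAA flags tag "value"
_LINE = re.compile(
    r'^(?P<owner>\S+)\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$')


def parse_zone(text):
    """Parse CAA lines into {owner_name: [CAARecord, ...]}."""
    zone = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparseable CAA line: " + line)
        owner = m["owner"].rstrip(".").lower()
        zone.setdefault(owner, []).append(
            CAARecord(int(m["flags"]), m["tag"].lower(), m["value"]))
    return zone


def issuer_domain(value):
    """'ca.example; account=123' -> 'ca.example'; a bare ';' -> '' (no CA at all)."""
    return value.split(";", 1)[0].strip().lower()


def relevant_rrset(zone, fqdn):
    """RFC 8659 section 3: use the CAA RRset of the name itself, else of the
    closest ancestor that has one; an empty list means no CAA in the tree."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(zone, fqdn, ca_domain, wildcard=False):
    """Return True if a CA identified by ca_domain is permitted to issue for fqdn."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA records anywhere up the tree: no restriction
    # A property the CA does not understand, marked critical, forbids issuance.
    for r in rrset:
        if r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef"):
            return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # For wildcard names issuewild takes precedence when present; otherwise
    # issue applies to both wildcard and non-wildcard names.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # RRset exists but carries no issue/issuewild property
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)


# Constructed zone: the question's two records plus the RFC's deny-all form.
ZONE_TEXT = """
example.com.      CAA 0   issue     "symantec.com"
example.com.      CAA 0   issuewild ";"
example.net.      CAA 0   issue     "doesnotexist.com"
example.org.      CAA 0   issue     ";"
crit.example.org. CAA 128 futuretag "x"
"""
ZONE = parse_zone(ZONE_TEXT)

if __name__ == "__main__":
    for name, ca, wild in [("example.com", "symantec.com", False),
                           ("www.example.com", "symantec.com", False),
                           ("example.com", "symantec.com", True),
                           ("example.net", "symantec.com", False),
                           ("example.org", "symantec.com", False)]:
        print(name, ("*." if wild else ""), ca, "->", ca_may_issue(ZONE, name, ca, wild))
```

Run as a script it prints the decision for each constructed case. Note that both `issue "doesnotexist.com"` and `issue ";"` leave a compliant CA with no permitted issuer; the `;` form is the one RFC 8659 specifies for that purpose, and a critical flag on an unrecognized property has the same blocking effect.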