DNS Record Explainer
Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.
Detected: CAA
input
0 issue "letsencrypt.org"
[ explanation · ai ]
[ breakdown ]
This is a CAA (Certification Authority Authorization) record with three components:
• Flags: 0 — standard processing. The issuer-critical flag is not set, so the record carries no special handling instructions.
• Tag: issue — permits the named CA to issue certificates for this domain.
• Value: letsencrypt.org — only Let's Encrypt can issue certificates here.
In practice: a client requesting a certificate from any other CA (DigiCert, Sectigo, etc.) gets rejected before issuance. Let's Encrypt checks this record during validation and proceeds.
[ flags ]
• Incomplete setup — you have *only* an "issue" record; there is no "issuewild" tag. If you do not intend to allow wildcard issuance, standard practice is to add `0 issuewild ";"` (a bare semicolon denies all CAs from issuing wildcards). Without it, requests for `*.example.com` fall back to the "issue" tag, which may not match your intent.
• No iodef contact — no `0 iodef "mailto:security@…"` or `0 iodef "https://…"` to notify you of unauthorized issuance attempts. Recommended for monitoring.
• Assumes zone apex — this record is expected at the domain root (e.g., example.com rather than sub.example.com). CAs search from the requested name upward toward the apex, so subdomains inherit the parent's CAA rules unless they publish their own.
[ context ]
CAA records are checked by CAs during certificate validation. Without one, any CA can issue a certificate for your domain. With this record, you're explicitly restricting issuance to Let's Encrypt only. If you lose control of your ACME account or Let's Encrypt's validation breaks, you can't get certs from another CA without updating this record (24–48 hour DNS TTL wait). Useful for preventing certificate issuance accidents or supply-chain attacks, but not a substitute for account security.
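To make the breakdown and the flags above concrete, here is a small evaluator, added as an example and not part of the explainer tool: it parses CAA presentation text, climbs from a requested name to the closest CAA set the way a CA does, applies the issue/issuewild fallback and the ";" deny rule, and reports the two gaps flagged for an issue-only record. The zone dictionaries (`ZONE`, `HARDENED`) and `example.com` names are constructed sample data.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit value 128 is the issuer-critical flag; 0 = non-critical
    tag: str     # issue / issuewild / iodef
    value: str

def parse_caa(rr: str) -> CAA:
    """Parse the presentation form '<flags> <tag> "<value>"' (RFC 8659)."""
    m = re.fullmatch(r'\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', rr)
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"not a CAA record: {rr!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))

def relevant_set(zone: dict, name: str) -> list:
    """Climb from the requested name toward the root; the closest name holding
    CAA records supplies the policy (this is how subdomains 'inherit')."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrs = zone.get(".".join(labels[i:]))
        if rrs:
            return [parse_caa(r) for r in rrs]
    return []   # no CAA anywhere above the name: issuance is unrestricted

def may_issue(records: list, ca: str, wildcard: bool = False) -> bool:
    """Is the CA identified by `ca` permitted by this CAA set?"""
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"          # otherwise wildcards fall back to 'issue'
    # The CA identity is the text before the first ';'; a bare ';' denies everyone.
    allowed = [r.value.split(";")[0].strip().lower() for r in records if r.tag == tag]
    return True if not allowed else ca.lower() in allowed

def lint(records: list) -> list:
    """The two gaps the explainer flags for an issue-only record."""
    tags = {r.tag for r in records}
    out = []
    if "issue" in tags and "issuewild" not in tags:
        out.append("no issuewild: wildcard requests are governed by the issue tag")
    if "iodef" not in tags:
        out.append("no iodef: policy violations will not be reported to you")
    return out

# Constructed sample zones: the pasted record alone, and the hardened variant.
ZONE = {"example.com": ['0 issue "letsencrypt.org"']}
HARDENED = {"example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"',
                            '0 iodef "mailto:security@example.com"']}
```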
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.