DNS Record Explainer

Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.

paste_record
// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value - no quotes needed.
[ OK ] Detected: CAA
input
0 issue "letsencrypt.org"
[ explanation · ai ]
[ breakdown ]

This is a CAA (Certification Authority Authorization) record. It is syntactically valid, but as written it is an incomplete issuance policy. A valid CAA record has three components:

Flags (0-255): You have `0`, which is correct; it means the issuer-critical flag is not set.
Tag: You have `issue`, which tells CAs which of them may issue certificates for this domain.
Value: You have `letsencrypt.org`, which names the authorized CA.

What this does: When a CA receives a certificate request for your domain, it checks your CAA records. If one exists with the `issue` tag, only the CAs listed there can issue certificates. Here, only Let's Encrypt is authorized. CAs that aren't listed will refuse to issue, blocking unauthorized certificates at the source.

The missing piece: This record alone doesn't specify the full issuance policy. You should also define what happens for wildcard certs (using the `issuewild` tag) and what to do with policy violations (using the `iodef` tag for reporting).
[ flags ]

**Incomplete policy**: You're only allowing Let's Encrypt for base-domain certs, but wildcards (*.yourdomain.com) can have separate rules. You should add an `issuewild` record; if it is omitted, wildcard issuance falls back to the `issue` rules, which works here but leaves the wildcard policy implicit.
**No violation reporting**: You have no `iodef` tag pointing to a contact URL where CAs can report unauthorized requests. Optional, but recommended for security monitoring.
**Single CA risk**: Only Let's Encrypt can issue. If they have an outage or you need a second CA, you'll need to update DNS first. This is actually fine for most setups; intentional restriction is the point.
[ context ]

CAA records don't stop you from obtaining certs; they stop unauthorized CAs from issuing in your name. Without CAA, any CA that receives a request can issue. With this record, only Let's Encrypt can. If you try to get a cert from DigiCert or Sectigo, they'll reject the request (correctly) because your CAA record forbids them. This matters if you care about supply-chain attacks on your certificates.
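As an added example (not the tool's own code), a small Python evaluator for the issuance check described above: it parses records in the form shown, applies the RFC 8659 `issue` / `issuewild` rules including the wildcard fallback noted in the flags section, and reports the same two policy gaps. The RRset is constructed from the record pasted above and assumed to be the domain's entire CAA RRset.

```python
import re
from dataclasses import dataclass

# Constructed input: the record pasted above, assumed to be the domain's entire CAA RRset.
SAMPLE_RRSET = ['0 issue "letsencrypt.org"']

# Presentation format: <flags 0-255> <tag> "<value>"
CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

@dataclass
class CAA:
    flags: int
    tag: str
    value: str

def parse_caa(record: str) -> CAA:
    """Parse one CAA record; bit 7 of flags (128) is the issuer-critical flag."""
    m = CAA_RE.match(record)
    if not m:
        raise ValueError(f"not a CAA record: {record!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError("flags must be 0-255")
    return CAA(flags, m.group(2).lower(), m.group(3))

def ca_may_issue(rrset, ca_domain: str, wildcard: bool = False) -> bool:
    """The RFC 8659 check a CA runs before issuing for a name under this RRset.
    Wildcard requests use issuewild records when any exist; otherwise they fall
    back to the issue records (the fallback noted in the flags section above)."""
    recs = [parse_caa(r) for r in rrset]
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in recs):
        tag = "issuewild"
    relevant = [r for r in recs if r.tag == tag]
    if not relevant:
        return True  # no constraining property: CAA does not restrict issuance
    for r in relevant:
        # value is "<ca-domain>[; param=value ...]"; an empty domain (";") authorizes no CA
        domain = r.value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False

def policy_gaps(rrset):
    """Report the omissions flagged above: no issuewild record and no iodef contact."""
    tags = {parse_caa(r).tag for r in rrset}
    return [t for t in ("issuewild", "iodef") if t not in tags]
```

Adding `0 issuewild ";"` to the RRset shows the difference the flags section points at: base-domain issuance by Let's Encrypt still passes while every wildcard request is refused.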
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.