thatsheepdomain.com. CAA 0 issue "evilexpensiveauthority.com"
A good-looking RFC came out five years ago, DNS CAA: https://tools.ietf.org/html/rfc6844
That looks cool, and SSL Labs even shows a warning when it's missing.
I thought it was awesome and lobbied around to support this!
Except that today I'm here to warn you about that thing.
A CAA record is meant for organisations to make sure everyone within them uses the same SSL certificate authority for the websites under a given root domain name.
All contractors providing xxx.thatsheepdomain.com need to get their certificates from "evilexpensiveauthority.com".
This is often enforced as a company policy, to make sure there's only one provider of certificates - and only one way to deal with those scary certificates - after all, failing to update them can break a service.
That kind of internal company policy has always been around, sometimes for very good reasons, and now it can be enforced by an official standard. There are negotiations to make browsers use it. Mozilla accepted it, and Let's Encrypt honors it.
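To make the mechanism concrete, here is an added example (not code from the original post) that models, offline, the check a CA performs against CAA records before issuing: climb from the requested name towards the root until a CAA set is found (RFC 6844 section 4), then apply the issue / issuewild rules and the critical flag. The zone data, domain names and CA names are constructed for the example.

```python
"""Offline model of the CAA (RFC 6844) check a CA runs before issuing.

Added example with constructed zone data; nothing here queries real DNS.
"""
from __future__ import annotations
from dataclasses import dataclass

KNOWN_TAGS = ("issue", "issuewild", "iodef")
CRITICAL = 128  # bit 7 of the flags byte: "issuer critical"


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str   # CA domain plus optional ";param=value", or ";" alone


# Constructed zone: the first entry mirrors the policy the post describes.
ZONE: dict[str, list[CAA]] = {
    "thatsheepdomain.com": [CAA(0, "issue", "evilexpensiveauthority.com")],
    "open.example.org": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                         CAA(0, "issuewild", ";")],     # wildcards: nobody may issue
    "contact.example.com": [CAA(0, "iodef", "mailto:security@example.com")],
    "locked.example.net": [CAA(CRITICAL, "futuretag", "something")],
}


def to_zone_line(owner: str, rec: CAA) -> str:
    """Presentation format of a CAA record: owner, type, flags, tag, quoted value."""
    return f'{owner}. CAA {rec.flags} {rec.tag} "{rec.value}"'


def relevant_caa_set(name: str) -> list[CAA]:
    """RFC 6844 section 4: for *.Y start at Y; walk towards the root and return
    the first non-empty CAA set. An empty list means no CAA policy applies."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if ZONE.get(candidate):
            return ZONE[candidate]
    return []


def _issuer_domain(value: str) -> str:
    """The CA domain is everything before the first ';'; ';' alone yields ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca_domain: str, requested_name: str) -> bool:
    """Would the CA identified by ca_domain be allowed to issue for requested_name?"""
    records = relevant_caa_set(requested_name)
    if not records:
        return True  # no CAA policy anywhere up the tree: any CA may issue
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issue"
    if requested_name.startswith("*.") and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    governing = [r for r in records if r.tag == tag]
    if not governing:
        return True  # e.g. only an iodef record: issuance is not restricted
    return any(_issuer_domain(r.value) == ca_domain.lower() for r in governing)


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "www.thatsheepdomain.com"),
                     ("evilexpensiveauthority.com", "www.thatsheepdomain.com"),
                     ("letsencrypt.org", "*.open.example.org")]:
        print(f"{ca:28} -> {name:26} {'allowed' if may_issue(ca, name) else 'refused'}")
```

Running the block shows the post's scenario from the CA's side: the only record on thatsheepdomain.com names one authority, so every name below it, whoever the contractor, is refused by any other CA. The check is per-name and ignores the certificate's other contents; it is a policy signal a compliant CA honors, not a cryptographic control.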
Looks good?
But hell is in the details.
For some years, Let's Encrypt + the open ACME protocol + the open-source certbot client (or any other ACME-compatible client) have been delivering hundreds of millions of free SSL certificates, prompting "legacy" companies (the ones asking for money, and whose employees wrote the RFC about CAA - just check the link) to push their customers to use CAA records, as a reaction to the unbearable open and free movement.
I suppose the non-free companies use the "be scared of security issues" tactic.
Please quickly enforce a company policy or face hell.
A company adopting such a policy will make sure there are no contractors using disparate SSL authorities.
CAA records only have a meaning in a world without free SSL providers.