Low | ISO 27001 A.8.20 | NIST CSF PR.PS

Harden your DNS: CAA, and no dangling records

A CAA record limits who can issue certificates for your domain, and stale records invite subdomain takeover.

Why it matters

Without CAA, any CA can be tricked into issuing a certificate for your domain. Dangling DNS records pointing at decommissioned services let attackers claim your subdomains.

How to fix it

Add a CAA record naming your certificate authority, and remove DNS records for services you no longer run.

; CAA — only Let's Encrypt may issue
@   CAA  0 issue "letsencrypt.org"
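
To see what that single record covers, the following added example (not part of the original guide) models the RFC 8659 lookup a CA performs before issuing: climb from the requested name toward the root, use the first CAA record set found, and prefer issuewild for wildcard names. The zone contents, the names under example.com and the helper names are constructed for illustration, and KNOWN_TAGS is an assumption about which tags the modelled CA understands.

```python
# Added example: RFC 8659 CAA evaluation over a constructed zone (no network).
# Constructed sample data: name -> list of (flags, tag, value) CAA records.
ZONE_CAA = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    "internal.example.com": [(0, "issue", ";")],   # no CA may issue here
    "shop.example.com": [(0, "issue", "letsencrypt.org"),
                         (0, "issuewild", "ca.example.net")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}       # tags this modelled CA understands

def relevant_rrset(name, zone):
    """Climb from name toward the root; the first CAA record set found applies."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":           # a wildcard request is looked up at its base name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(name, ca_domain, zone=ZONE_CAA):
    """True if CAA permits ca_domain to issue a certificate for name."""
    rrset = relevant_rrset(name, zone)
    # A critical (flag bit 128) property the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"          # issuewild overrides issue for wildcard names
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True                # no applicable property: issuance is unrestricted
    # Value is "<issuer-domain>[; parameters]"; an empty issuer (";") matches no CA.
    issuers = {v.split(";")[0].strip().lower() for v in values}
    return ca_domain.lower() in issuers
```

A record at the zone apex therefore also governs every subdomain that has no CAA record set of its own, while a name with no CAA record anywhere above it stays open to any CA.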


Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.