Low
ISO 27001 A.8.20
NIST CSF PR.PS
Harden your DNS: CAA, and no dangling records
A CAA record limits who can issue certificates for your domain, and stale records invite subdomain takeover.
Why it matters
Without a CAA record, every publicly trusted CA is permitted to issue for your domain, so any one of them that is tricked during domain validation can issue a certificate for it. Dangling DNS records that still point at decommissioned services (a deleted cloud host, an abandoned SaaS tenant) let an attacker who registers that freed resource claim your subdomains.
How to fix it
Add a CAA record naming your certificate authority, and remove DNS records for services you no longer run.
; CAA — only Let's Encrypt may issue
@ CAA 0 issue "letsencrypt.org"
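The two checks above can be rehearsed offline before touching a live zone. The script below is an added example written for this guide, not code from the original page or from any scanning product: it holds a small constructed zone (all external names use the reserved .invalid TLD), applies the CAA lookup and matching rules of RFC 8659 (CAA set at the name, otherwise the closest ancestor's; issuewild overrides issue for wildcard names; a value of ";" authorises nobody) to decide whether a given CA may issue, and lists CNAME records whose target no longer resolves. The in-memory ZONE and EXTERNAL_RESOLVABLE tables are stand-ins for real DNS queries.

```python
"""Offline CAA and dangling-CNAME checks on a constructed zone (example code)."""
from typing import Dict, List, Optional, Tuple

RRset = List[Tuple[str, str]]  # (rtype, rdata)

# Constructed sample zone. Fully qualified names, trailing dot included.
ZONE: Dict[str, RRset] = {
    "example.com.": [
        ("A", "203.0.113.10"),
        ("CAA", '0 issue "letsencrypt.org"'),
        ("CAA", '0 issuewild ";"'),                      # no wildcard certs at all
        ("CAA", '0 iodef "mailto:security@example.com"'),
    ],
    "www.example.com.": [("CNAME", "example.com.")],
    "api.example.com.": [("A", "203.0.113.11")],
    # Service was decommissioned; the CNAME was never removed.
    "old-shop.example.com.": [("CNAME", "shop-1234.example-hosting.invalid.")],
    "nocaa.example.org.": [("A", "198.51.100.5")],
}
# External names that still resolve (constructed stand-in for a live lookup).
EXTERNAL_RESOLVABLE = {"cdn.example-hosting.invalid."}


def lookup(name: str, rtype: str) -> List[str]:
    """Return rdata of the requested type at name, following one CNAME hop."""
    rrs = ZONE.get(name, [])
    cname = [rd for rt, rd in rrs if rt == "CNAME"]
    if cname and rtype != "CNAME":
        rrs = ZONE.get(cname[0], [])
    return [rd for rt, rd in rrs if rt == rtype]


def parse_caa(rdata: str) -> Tuple[int, str, str]:
    """Split '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    flags, tag, value = rdata.split(" ", 2)
    return int(flags), tag.lower(), value.strip('"')


def parent(name: str) -> Optional[str]:
    """Parent domain, or None once the TLD is reached."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa(name: str) -> List[Tuple[int, str, str]]:
    """RFC 8659 section 3: CAA set at the name, else the closest ancestor's."""
    current: Optional[str] = name
    while current is not None:
        recs = lookup(current, "CAA")
        if recs:
            return [parse_caa(r) for r in recs]
        current = parent(current)
    return []


def ca_may_issue(name: str, ca_domain: str) -> bool:
    """Decide, as a CA would, whether ca_domain may issue for name."""
    wildcard = name.startswith("*.")
    recs = relevant_caa(name[2:] if wildcard else name)
    # A critical record (flag bit 128) with an unknown tag forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in recs):
        return False
    tags = {t for _, t, _ in recs}
    if wildcard and "issuewild" in tags:
        ruling = [v for _, t, v in recs if t == "issuewild"]
    elif "issue" in tags:
        ruling = [v for _, t, v in recs if t == "issue"]
    else:
        return True  # no issue property present: issuance is unrestricted
    # Strip ";param=..." extensions; ";" alone yields "" and matches no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in ruling}
    return ca_domain.lower() in allowed


def find_dangling_cnames() -> List[str]:
    """Names whose CNAME target resolves neither in the zone nor externally."""
    return sorted(
        name
        for name, rrs in ZONE.items()
        for rt, target in rrs
        if rt == "CNAME" and target not in ZONE and target not in EXTERNAL_RESOLVABLE
    )


if __name__ == "__main__":
    for host, ca in [("www.example.com.", "letsencrypt.org"),
                     ("api.example.com.", "digicert.com"),
                     ("*.example.com.", "letsencrypt.org"),
                     ("nocaa.example.org.", "digicert.com")]:
        print(f"{ca:16} may issue for {host:22}: {ca_may_issue(host, ca)}")
    print("dangling CNAMEs:", find_dangling_cnames())
```

Note that nocaa.example.org. reports True for any CA: with no CAA record anywhere in its ancestry, issuance is unrestricted, which is exactly the gap the guide tells you to close. The dangling check only proves a target does not resolve; whether the freed name can be re-registered by someone else depends on the hosting provider, so treat every hit as a record to delete rather than a finding to triage.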
Is your domain affected?
Prove ownership and run a scan for a graded, verifiable report.
Related guides
- Set up SPF, DKIM and DMARC to stop email spoofing
- Add the HTTP security headers every site should send
- Fix TLS: valid certificate and modern protocols only
- Remove exposed .git, .env and backup files
Compliance references are indicative mapping, not legal advice. Automated scanning is evidence and monitoring, not a guarantee of compliance.