
DNS Record Explainer

Paste any DNS record and get a plain-English breakdown - every tag explained, risky settings flagged, related tools suggested. No domain needed.

// detects SPF / DKIM / DMARC / BIMI / CAA / MX / MTA-STS / TLS-RPT / generic TXT. Paste the record value - no quotes needed.
[ OK ] Detected: CAA
Input:
```
0 issue "letsencrypt.org"
```
[ explanation · ai ]
[ breakdown ]

This is a CAA (Certification Authority Authorization) record. As pasted it is only the record value, with no owner name or TTL, so the full record would look like this:

```
example.com. 3600 IN CAA 0 issue "letsencrypt.org"
```

The components:
– `0` = flags field. 0 means no special behavior. (128 would set the issuer-critical bit, but that's rare.)
– `issue` = property tag. Authorizes the CA named in the value to issue certificates for this domain.
– `"letsencrypt.org"` = the CA's authorization domain. Let's Encrypt compares this value against its own identifier to confirm it is authorized.

In practice: when someone requests a certificate for your domain, the CA looks up your CAA record before issuing. If it says `issue "letsencrypt.org"`, only Let's Encrypt (and services using their ACME endpoints) can issue certs; any other CA must refuse.
[ flags ]

The record is incomplete: it is missing the owner (domain) name and the TTL. Add the FQDN as the first element and a TTL (typically 3600).
This single `issue` tag is restrictive, which is good. You may still want to add:
– `issuewild` if you want different rules for wildcard certs (e.g., `0 issuewild ";"` to block them). Without an `issuewild` property, the `issue` rule also governs wildcard issuance.
– `iodef` if you want violation reports sent to a URL (e.g., `0 iodef "mailto:[email protected]"`).
Flags value 0 is correct for most setups. Don't use 128 unless you're testing or have a specific reason.
The authorization domain for Let's Encrypt is `letsencrypt.org`, so the value is correct.
[ context ]

CAA records are enforced by all major CAs as of 2017 (RFC 6844 compliance is mandatory). Without a CAA record, any CA can issue certificates for your domain, which leaves a window for domain hijacking or certificate misuse by a rogue or compromised CA. With this record, you're locking issuance to Let's Encrypt only, which is a strong defensive posture if that's your sole CA. If you use other CAs (Sectigo, DigiCert, etc.), add a separate `issue` record for each of them, e.g. `0 issue "sectigo.com"`.
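To make the breakdown and the `issuewild` / critical-flag caveats above concrete, here is an added example (not part of the explainer tool) that parses CAA record values in the pasted format and applies the RFC 8659 issuance rules: no CAA records means no restriction, wildcard requests use `issuewild` when present and otherwise fall back to `issue`, `";"` authorizes nobody, and an unknown tag with the critical flag forces refusal. The sample record values are constructed here.

```python
import re
from dataclasses import dataclass

# Presentation-format CAA rdata: <flags> <tag> <value>; the value may be quoted.
CAA_RDATA = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]+)\s+(?:"([^"]*)"|(\S+))$')

@dataclass
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 128)  # bit 7 is the issuer-critical flag

def parse_caa(rdata: str) -> CAA:
    """Parse a record value such as '0 issue "letsencrypt.org"' (owner/TTL omitted)."""
    m = CAA_RDATA.match(rdata.strip())
    if not m:
        raise ValueError(f"not a CAA rdata: {rdata!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError("flags is a single octet (0..255)")
    value = m.group(3) if m.group(3) is not None else m.group(4)
    return CAA(flags, m.group(2).lower(), value)

def issuer_domain(value: str) -> str:
    """Issuer part of an issue/issuewild value; ';' alone (empty issuer) means nobody."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(rrset: list[CAA], ca: str, wildcard: bool = False) -> bool:
    """RFC 8659 decision for a CA asked to issue for a name covered by this RRset.
    - empty RRset: no restriction, any CA may issue
    - wildcard requests use issuewild when present, else fall back to issue
    - an unknown tag carrying the critical flag forces refusal"""
    known = {"issue", "issuewild", "iodef"}
    if any(r.critical and r.tag not in known for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    governing = [r for r in rrset if r.tag == tag]
    if not governing:
        return True  # no issue/issuewild property: issuance is unrestricted
    return any(issuer_domain(r.value) == ca.lower() for r in governing)

if __name__ == "__main__":
    rrset = [parse_caa('0 issue "letsencrypt.org"'), parse_caa('0 issuewild ";"')]
    print(may_issue(rrset, "letsencrypt.org"))                 # True
    print(may_issue(rrset, "letsencrypt.org", wildcard=True))  # False
```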
// AI explainer uses Claude Haiku 4.5. Same record pasted twice = served from 7-day cache. Never leaves our servers - no analytics/telemetry on paste content.