Certificate Authorities are not the Problem.
To increase SSL/TLS encryption security on the internet, website administrators can set Certificate Authority Authorization (CAA) records. These DNS records determine which certificate authority (CA) is allowed to issue certificates for this domain. Since September 8th, CAs must check the existence of an ACC record and comply with its content.
There are still some problems, such as CAs that do not check the CAA records at all. However, this is not the biggest issue: Many domain providers have not yet updated their software to set CAA records. Therefore administrators cannot set the CAA records.
How can I set CAA records?
To increase your website’s security, go to your DNS provider’s configuration website and choose to create a new CAA record. For example, to only allow letsencrypt to issue certificates for your domain example.org, use the following record:
Name Type Value Value example.org. CAA 0 issue "letsencrypt.org"
Check out our knowledge base for more information.
Verify the record
To verify whether the CAA record is set correctly, you can use our free web application security scanner. It will show you the following message in case that the CAA record is not set: