• Link to LinkedIn Link to LinkedIn Link to LinkedIn
  • Link to Facebook Link to Facebook Link to Facebook
  • Link to Bluesky Link to BlueskyLink to Bluesky
  • Link to Mastodon Link to MastodonLink to Mastodon
  • Link to Mail Link to Mail Link to Mail
  • Link to Rss Link to Rss Link to Rss
  • CAA Records Become Mandatory in 2027 – Is Your DNS Ready?
Contact us: 01276 818576
Dogsbody Technology
  • Emergency support
  • Infrastructure Services
    • Infrastructure Design
    • Infrastructure Build
    • Server management and monitoring
    • In-life Support
    • Pen Testing & Audit
    • Hosting Services
      • Plesk Hosting
      • VPS & Dedicated Servers
      • Tor Hosting
  • Happy Customers
  • About Us
  • Careers
    • Write your own job
  • News & Views
  • Contact Us
  • Menu Menu

Tag Archive for: dns

Claire Christmas

CAA Records Become Mandatory in 2027 – Is Your DNS Ready?

14 Jul 2026/0 Comments/in Security/by Claire Christmas

In May 2026, the CA/Browser Forum voted to make Certificate Authority Authorization (CAA) checking mandatory for publicly trusted Certificate Authorities from 2027.

For many organisations this won’t require any action. However, for businesses using automated certificate management – particularly with Let’s Encrypt – it’s worth understanding what this change means before it catches anyone out.

A Quick Refresher: What is a CAA Record?

A CAA (Certificate Authority Authorization) DNS record tells Certificate Authorities (CAs) which organisations are permitted to issue TLS certificates for your domain.

For example:

example.com.    IN CAA 0 issue "letsencrypt.org"

This tells Certificate Authorities that only Let’s Encrypt is authorised to issue certificates for example.com.

If no CAA record exists, the current behaviour is effectively:

“Any publicly trusted CA may issue a certificate.”

That’s why many organisations have never needed to think about CAA records.

What’s Changing?

The CA/Browser Forum has voted to strengthen the use of CAA from 2027.

CAA checking already exists today, but the new requirements mean Certificate Authorities will be expected to rely on CAA records much more consistently as part of certificate issuance.

While this is a positive security improvement, it does introduce a few practical considerations.

Potential Issue #1: Not Every DNS Provider Supports CAA

Most modern DNS providers support CAA records, but not all do.

If your DNS platform cannot publish CAA records, you may find yourself limited as Certificate Authorities tighten their issuance processes over the coming years.

For organisations using older hosting providers or bundled DNS services, it’s worth checking support now rather than during an emergency certificate renewal.

Potential Issue #2: CAA Records Can Accidentally Break Other Certificates

This is the one that catches people out.

Suppose you add:

CAA 0 issue "letsencrypt.org"

to support your Let’s Encrypt certificates.

That doesn’t simply “enable” Let’s Encrypt.

It also says only Let’s Encrypt is allowed to issue certificates for your domain.

If another team later requests a certificate from DigiCert, Sectigo, GlobalSign, or another public CA, issuance will fail.

This often happens in organisations where:

  • Internal systems use Let’s Encrypt.
  • Microsoft 365 or other SaaS platforms obtain certificates through another CA.
  • External suppliers manage certificates independently.
  • Different departments purchase certificates from different providers.

Without coordination, a well-intentioned CAA record can become an unexpected roadblock.

Similar to SPF

CAA records have a lot in common with SPF records for email.

No SPF record generally means:

“No restrictions.”

Adding an SPF record suddenly defines who is allowed to send mail.

CAA works in much the same way.

No CAA record means:

“Any trusted Certificate Authority may issue a certificate.”

Once you add one, you’re explicitly defining who can.

What Should You Do?

There’s no need to panic, but this is a good opportunity to review your certificate management.

Ask yourself:

  • Which Certificate Authorities do we currently use?
  • Do all of our domains use the same CA?
  • Does our DNS provider support CAA records?
  • Are certificates requested by different teams or third-party suppliers?

Understanding the answers now will make any future transition considerably smoother.

Our Advice

For many small and medium-sized businesses, certificate management has become almost invisible thanks to automation.

That’s a good thing – until a small DNS change unexpectedly prevents a certificate from renewing.

Before adding CAA records, make sure you have a complete picture of every service that requests certificates for your domains. A single restrictive CAA record can have wider consequences than many people realise.

If you’re unsure how your domains are currently managed, now is a good time for a review. It’s much easier to make these changes on your own schedule than during an expired certificate incident.

For anyone wanting a refresher on CAA records, Let’s Encrypt has an excellent overview.

Need Help

Not sure how to navigate this change? Contact us

 

https://www.dogsbody.com/wp-content/uploads/PHP-8.2-December-2026_3-months.jpg 427 640 Claire Christmas https://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.png Claire Christmas2026-07-14 17:03:122026-07-14 17:03:12CAA Records Become Mandatory in 2027 – Is Your DNS Ready?
Rob Hooper

What’s a hosts file?

7 May 2019/0 Comments/in Knowledge Base/by Rob Hooper

In the early days of the internet the hosts file was created. It is a text file which stores the domain name you are going to (www.example.com) and the IP address where it is hosted (203.0.133.54).

It is just like an address book, it stores your friends phone numbers for when you want to contact them. Originally network admins had to store every domain they knew about in hosts file but this was quickly replaced when the internet became so big this was impossible. This information is now provided by a service called DNS (domain name service) but nearly every system still supports the hosts file.

It is very useful to know that the hosts file is checked before DNS and therefore can be used to overwrite DNS on your computer. This is immensely useful for testing, development work and moving things around on the internet. We regularly use hosts files to test websites on new servers without interrupting normal site visitors.

How to change your hosts file:

Windows 10 and 8

1. Press the Windows key

2. Type “Notepad” into search

3. Right click on the Notepad app and select “Run as administrator”

4. From Notepad, open the following file: “c:\Windows\System32\Drivers\etc\hosts”

5. Make your changes

6. Save the file

macOS (Mojave)

1. Open up the terminal (this is found in Applications/Utilities)

2. sudo nano /private/etc/hosts

3. Make your changes

4. Save the file (ctrl-x and then y)

You will need to clear the system cache before your changes are loaded in.

5. sudo killall -HUP mDNSResponder

Linux

1. Open a terminal

2. sudo vim /etc/hosts

3. Make your changes

4. Save the file

I am in my hosts file, now what?

Hosts files are written as so:

ip.ad.dr.ess      domain names

For example if you wanted all traffic to dogsbody.com (and www.) to instead go to 203.0.133.54:

203.0.133.54      www.dogsbody.com dogsbody.com

 

Finally remember to revert your changes when you have finished testing!

Migrating websites? updating DNS? kerfufled? contact us today

Feature image by Michal Jarmoluk licensed for Free.

https://www.dogsbody.com/wp-content/uploads/cyberspace-2784907_1920.jpg 1280 1920 Rob Hooper https://www.dogsbody.com/wp-content/uploads/Dogsbody-site-logo-1.png Rob Hooper2019-05-07 11:29:142019-05-07 11:50:03What’s a hosts file?

We are Dogsbody. We take the pain away from building, securing and maintaining IT infrastructure.

Find out how we can help your business

Everything we do is about security. Our team is our strength.

Get in touch

Latest thoughts and news

  • CAA Records Become Mandatory in 2027 – Is Your DNS Ready?
  • Our Trusted Suppliers after 15+ Years
  • Avoid Surprise AWS RDS Charges in 2026
  • A Season of Giving: Dogsbody Technology Charity Support 2025
  • Wrapping Up 2025: Our Christmas Hours
Search Search

Useful links

  • About Us
  • Dogsbody News & Views
  • Contact Us

Linux & cloud services

  • Infrastructure Design
  • Infrastructure Build
  • In life Support
  • Infrastructure Audit
  • Penetration Testing
  • Hosting Services

In life support

  • Overview
  • Helpdesk support
  • Server management and monitoring

Careers

  • Working at Dogsbody
  • Write your own job description
© Copyright 2010-2026 Dogsbody Technology Ltd - Registered in England and Wales 07236558
  • Link to LinkedIn Link to LinkedIn Link to LinkedIn
  • Link to Facebook Link to Facebook Link to Facebook
  • Link to Bluesky Link to BlueskyLink to Bluesky
  • Link to Mastodon Link to MastodonLink to Mastodon
  • Link to Mail Link to Mail Link to Mail
  • Link to Rss Link to Rss Link to Rss
  • Contact us
  • Terms of use
  • Privacy policy
Scroll to top Scroll to top Scroll to top