A DNS record that tells the world which Certificate Authorities (CAs) are allowed to issue TLS certificates for your domain. CAA = Certification Authority Authorization.
Here's why it matters: if you don't set one, any CA can issue a cert in your name. That's a problem. A rogue CA, a compromised CA, or a CA with lax vetting can mint certificates for your infrastructure and intercept traffic. CAA records are your gatekeepers.
Example CAA record:
```
example.com. IN CAA 0 issue "letsencrypt.org"
```
This says: only Let's Encrypt can issue certs for example.com. Most registries now support CAA; ICANN has mandated CA compliance with CAA preferences since 2017, though enforcement is uneven.
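The decision a CA is expected to make from records like the one above, as an added example (not code from the original page): it follows the RFC 8659 lookup, which climbs from the requested name toward the root, applies `issuewild` to wildcard names, and treats a value of `";"` as "no CA may issue". The zone lines, the `ca.example.net` identifier and all function names are constructed for illustration.

```python
import shlex

# Constructed sample zone lines; "ca.example.net" is a hypothetical CA identifier.
ZONE = """
example.com.      IN CAA 0 issue "letsencrypt.org"
example.com.      IN CAA 0 issuewild ";"
shop.example.com. IN CAA 0 issue "ca.example.net; account=12345"
"""
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_zone(text):
    """Map owner name -> list of (flags, tag, value) for each CAA line."""
    records = {}
    for line in text.strip().splitlines():
        fields = shlex.split(line)          # handles the quoted value
        if "CAA" not in fields:
            continue
        i = fields.index("CAA")
        owner = fields[0].lower().rstrip(".")
        entry = (int(fields[i + 1]), fields[i + 2].lower(), fields[i + 3])
        records.setdefault(owner, []).append(entry)
    return records

def relevant_rrset(records, name):
    """Climb from the name toward the root; the first CAA set found applies."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = records.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(records, name, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(records, name[2:] if wildcard else name)
    # An unrecognised tag with the critical bit (128) set blocks issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    values = issuewild if wildcard and issuewild else issue
    if not values:
        return True                         # no restricting property: any CA
    # The CA identifier is the part before any ";"-separated parameters.
    return any(v.split(";")[0].strip().lower() == ca_domain for v in values)

RECORDS = parse_zone(ZONE)
if __name__ == "__main__":
    for name in ("example.com", "*.example.com", "shop.example.com"):
        print(name, may_issue(RECORDS, name, "letsencrypt.org"))
```

A subdomain with its own CAA set (here `shop.example.com`) replaces the parent's policy rather than adding to it, so each delegated or overridden name needs its own review.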
Bunkerdomains domains support full CAA control via zone file or your registrar's DNS editor. If you're running a privacy-heavy or sensitive operation, set CAA early. Don't wait until you're compromised.