In 2013, the CA/Browser Forum passed an intent to allow the holder of a DNS domain name (joeblow.com) to specify one or more Certification Authorities (CAs) that are authorized to issue certificates for their domain. No other CAs would be authorized to issue that domain’s certificate.
This is accomplished by the domain holder adding a “CAA” record to their DNS for their domain. This helps mitigate the problem that the public CA trust system is only as strong as its weakest CA.
Organized in 2005, the CA/Browser Forum is a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing.
On August 21st, 2017, Amazon Web Services (AWS) announced that their DNS service “Route 53” now supports CAA records.