Worth Reading: Why you should have a CAA DNS record

This Friday, all certificate authorities will have to honor a Domain Name System (DNS) record that allows HTTPS website owners to restrict who can issue SSL certificates for their domain names. It’s a long-needed defense against the issuance of fraudulent certificates, a security risk that domain owners had few protections for until now.

The Problem: There are tens of certificate authorities (CAs) trusted in browsers and operating systems and any one of them can theoretically issue a valid SSL certificate for any website on the internet. Furthermore, many of these certificate authorities have subordinate CAs and resellers that are operated by separate organizations and which can also issue SSL certificates to end users.

—Lucian Constantin @ The New Stack