DNSSEC adds a layer of trust on top of DNS by attaching cryptographic signatures to existing DNS records. A validating resolver can check that a record was published by the zone owner and wasn't modified in transit, which protects against cache poisoning and man-in-the-middle (MITM) attacks on DNS responses. Note that DNSSEC provides authenticity and integrity, not confidentiality: queries and answers are still sent in the clear.
Cloudflare have a detailed post on DNSSEC here: https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. - Let's Encrypt Docs
dig CAA cyberhost.uk
;; ANSWER SECTION:
cyberhost.uk. 600 IN CAA 0 issue "letsencrypt.org"
cyberhost.uk. 600 IN CAA 0 issue "sectigo.com"
cyberhost.uk. 600 IN CAA 0 iodef "mailto:[email protected]"
The above records allow only Let's Encrypt and Sectigo* to issue certificates for cyberhost.uk. A CA is required to check CAA before issuing: if a CA that is not listed is asked for a certificate, issuance must fail, and the iodef record gives that CA an address to report the attempt to. CAA also covers subdomains: a CA checks the requested name and then walks up the tree to the closest parent that has a CAA RRset. Bear in mind that CAA is enforced by the CA at issuance time, not by browsers, so it constrains compliant CAs and mis-issuance tooling rather than a compromised CA.
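To make the CA-side logic concrete, here is an added example (not code from the original article) that parses presentation-format CAA records like the dig output above and evaluates them the way a CA must under RFC 8659: walking up the tree to the closest CAA RRset, refusing when a critical record carries an unknown tag, treating an empty issuer as "nobody may issue", and using issuewild for wildcard requests. The cyberhost.uk lines mirror the article; the iodef address is a placeholder and the `.example` names are constructed to exercise the edge cases. No network queries are made.

```python
"""CAA policy check as a CA performs it at issuance time (RFC 8659 semantics).

Added example, not code from the original article. The DNS data below is
constructed to mirror the dig output in the text plus a few hypothetical
names that exercise edge cases; nothing here talks to the network.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 128 = issuer critical
    tag: str     # issue, issuewild, iodef, or a property the CA may not recognise
    value: str


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_dig_caa(text: str) -> Dict[str, List[CAA]]:
    """Turn presentation-format CAA lines (as in dig's ANSWER SECTION) into owner -> RRset."""
    zone: Dict[str, List[CAA]] = {}
    for line in text.splitlines():
        parts = line.split(None, 6)            # owner ttl class type flags tag value
        if len(parts) == 7 and parts[3].upper() == "CAA":
            owner = parts[0].rstrip(".").lower()
            value = parts[6].strip().strip('"')
            zone.setdefault(owner, []).append(CAA(int(parts[4]), parts[5], value))
    return zone


# Constructed data: the cyberhost.uk lines mirror the article; the iodef address is a
# placeholder and the *.example names are hypothetical.
DIG_OUTPUT = """\
;; ANSWER SECTION:
cyberhost.uk.    600 IN CAA 0 issue "letsencrypt.org"
cyberhost.uk.    600 IN CAA 0 issue "sectigo.com"
cyberhost.uk.    600 IN CAA 0 iodef "mailto:security@example.invalid"
locked.example.  600 IN CAA 0 issue ";"
strict.example.  600 IN CAA 128 futuretag "x"
wild.example.    600 IN CAA 0 issue "letsencrypt.org"
wild.example.    600 IN CAA 0 issuewild "sectigo.com"
"""
ZONE = parse_dig_caa(DIG_OUTPUT)


def relevant_rrset(name: str, zone: Dict[str, List[CAA]]) -> Tuple[Optional[str], List[CAA]]:
    """Find the CAA RRset that governs `name`: the name itself, else the closest parent."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in zone:
            return owner, zone[owner]
    return None, []


def issuer_domain(value: str) -> str:
    """The issuer-domain-name part of an issue/issuewild value; '' means 'nobody'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, name: str, zone: Dict[str, List[CAA]] = ZONE) -> Tuple[bool, str]:
    """Decide whether CA `ca` may issue for `name` (use '*.example' for a wildcard cert)."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA RRset on the name or any parent: any CA may issue"
    # A critical record the CA does not understand forbids issuance outright.
    for rr in rrset:
        if rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property {rr.tag!r} at {owner}"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    policy = issuewild if (wildcard and issuewild) else issue
    if not policy:
        return True, f"CAA at {owner} has no issue property: any CA may issue"
    allowed = {issuer_domain(rr.value) for rr in policy} - {""}
    if ca.lower() in allowed:
        return True, f"{ca} is authorised by CAA at {owner}"
    return False, f"{ca} is not authorised at {owner}; allowed: {sorted(allowed) or 'nobody'}"


def iodef_contacts(name: str, zone: Dict[str, List[CAA]] = ZONE) -> List[str]:
    """Where a CA should report a refused request for `name`."""
    _, rrset = relevant_rrset(name, zone)
    return [rr.value for rr in rrset if rr.tag.lower() == "iodef"]


if __name__ == "__main__":
    for ca, name in [("letsencrypt.org", "cyberhost.uk"), ("digicert.com", "www.cyberhost.uk"),
                     ("sectigo.com", "locked.example"), ("sectigo.com", "*.wild.example")]:
        ok, why = may_issue(ca, name)
        print(f"{ca:16} {name:20} {'ALLOW' if ok else 'REFUSE'}: {why}")
    print("report refusals for www.cyberhost.uk to:", iodef_contacts("www.cyberhost.uk"))
```

The `www.cyberhost.uk` case is the one worth noticing: the subdomain has no CAA record of its own, so the parent's policy applies and an unlisted CA is refused. Publishing `issue ";"` is how you say "nobody may issue" for a name that should never get a certificate.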
Domain Transfer Lock
It's good practice to enable a Domain Transfer Lock (your registrar sets the clientTransferProhibited status on the domain). This blocks requests to move the domain to another registrar, which is a common route to domain hijacking: an attacker who gets into your registrar account, or who social-engineers the registrar, transfers the domain somewhere under their control.
This is typically a simple toggle in your domain registrar's control panel.
To prevent your domain from being hijacked, ensure that every account used to manage it has some form of 2FA, preferably an authenticator app or hardware key rather than SMS:
- Domain Registrar
- DNS Management
It's simple: don't let your domain expire and be purchased by someone else! Enable auto-renew at your registrar, keep the billing and contact details current, and keep an eye on the expiry date.
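Both the transfer lock and the expiry date are visible in the domain's public registration data, so they can be checked rather than assumed. The following added example (not code from the original article) audits an RDAP domain record using the field names from RFC 9083: the `status` array carries the EPP status codes (RDAP spells them with spaces, e.g. `client transfer prohibited`) and the `events` array carries the `expiration` date. The JSON responses and domain names are constructed for illustration, the clock is fixed so the output is reproducible, and the set of locks treated as required is this example's assumption.

```python
"""Audit a registrar record for transfer lock and expiry using RDAP field names (RFC 9083).

Added example, not from the original article. The RDAP responses below are constructed
for illustration; a real check would fetch the JSON from the registry or registrar's
RDAP endpoint and pass it to audit_domain().
"""
import json
from datetime import datetime, timezone
from typing import Any, Dict

# EPP status codes a hijacking-resistant domain should carry (assumed policy for this example).
REQUIRED_LOCKS = {"client transfer prohibited", "client delete prohibited"}

# Constructed sample responses; the names are hypothetical.
SAMPLES: Dict[str, str] = {
    "locked": """{
        "ldhName": "locked.example",
        "status": ["client transfer prohibited", "client delete prohibited", "active"],
        "events": [{"eventAction": "registration", "eventDate": "2020-03-01T10:00:00Z"},
                   {"eventAction": "expiration",   "eventDate": "2026-03-01T10:00:00Z"}]
    }""",
    "unlocked": """{
        "ldhName": "unlocked.example",
        "status": ["active"],
        "events": [{"eventAction": "expiration", "eventDate": "2025-07-01T00:00:00Z"}]
    }""",
}

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2025, 6, 1, 10, 0, tzinfo=timezone.utc)


def audit_domain(rdap: Dict[str, Any], now: datetime = NOW, warn_days: int = 60) -> Dict[str, Any]:
    """Report missing registrar locks and how close the domain is to expiring."""
    status = {s.lower() for s in rdap.get("status", [])}
    expiry = None
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            expiry = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    days_left = (expiry - now).days if expiry else None
    return {
        "domain": rdap.get("ldhName"),
        "transfer_locked": "client transfer prohibited" in status,
        "missing_locks": sorted(REQUIRED_LOCKS - status),
        "days_until_expiry": days_left,
        # An unknown expiry date is treated as a finding rather than silently passing.
        "expiry_warning": days_left is None or days_left < warn_days,
    }


def audit_sample(key: str) -> Dict[str, Any]:
    """Run the audit over one of the constructed sample records."""
    return audit_domain(json.loads(SAMPLES[key]))


if __name__ == "__main__":
    for key in SAMPLES:
        print(audit_sample(key))
```

Running this periodically (for example from a scheduled job that alerts on `missing_locks` or `expiry_warning`) turns the "just don't let it expire" advice into something that is actually monitored.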
Email Domain Security 101
Alex Blackie has a simple guide on email domain security: