A decision of CA/Browser Forum taken in March 2017 by vote to make CAA mandatory which be in action by September 2017. Here is our guide around CAA DNS Record and how to add CAA DNS Record. Previously we discussed about DNS-based Authentication of Named Entities – DANE and how to add DANE. CAA stands for Certification Authority Authorization.
What is CAA DNS Record?
In this case, DNS CAA will use the DNS to control the owner of a domain to specify which certificate authority will be allowed or whitelisted to issue certificates for that domain. This means, thecustomizewindows.com uses GeoTrust SSL (CA in this case), a fraud can not use some other CA to get a DV SSL as it is near impossible to get same domain’s DV SSL from the same CA. This is not exactly for cross-checking at the client end of TLS connections but a simple check for the CA to make their issuance procedure strict. If you notice the below diagram, CAA DNS Record only adding an extra manual (at least for now) method, it is not any rock solid technology :
At this moment, if no CAA record is present, any CA can issue a certificate for the domain. But if a CAA record is present, only listed are allowed to issue certificates for that hostname. CAA records can set policy for the entire domain or for specific fully qualified domain name. So technically, CAA records are inherited by subdomains, unless overridden. CAA records can control the issuance of wildcard certificates or root domain certificates.
---
This DNS CAA is specified by RFC 6844 :
1 | https://tools.ietf.org/html/rfc6844 |
Also, RFC 3597 defines Legacy Zone File. The CAA record is represented by 3 elements:
| flag | An unsigned integer between 0-255. |
| It is currently used to represent the critical flag, that has a specific meaning per RFC. | |
| tag | An ASCII string that represents the identifier of the property represented by the record. |
| value | The value associated with the tag. |
And 4 properties :
1 2 3 4 5 6 7 8 | Tag Meaning RFC ----------- -------------------------------------- --------- issue Authorization Entry by Domain [RFC6844] issuewild Authorization Entry by Wildcard Domain [RFC6844] iodef Report incident by IODEF report [RFC6844] auth Reserved [HB2011] path Reserved [HB2011] policy Reserved [HB2011] |
Advantages :
- CAA is a s way to express preference of CA.
- Forces domain owner to be responsible for certificate.
- Also enables CAs to report invalid certificate requests.
- Not tied to one CA.
- Easy to add.
- Working at DNS level not server level
Disadvantages :
- Compliant CA actually can could ignore CAA record
- Usage of DNSSEC can prevent some attacks, but the use of DNSSEC is not mandatory with CAA.
Who Supports CAA DNS Record?
Among the self hosted DNS softwares, CAA record is supported by BIND DNS server, NSD authoritative DNS server, Knot DNS server, PowerDNS.
The CAs currently supporting CAA record are Amazon, Certum, Comodo, DigiCert, Entrust, GlobalSign, GoDaddy, Izenpe, QuoVadis, Starfield GoDaddy, StartCom WoSign, Let’s Encrypt, Symantec/GeoTrust/Thawte, T-Telesec, Trustwave, WoSign.
How to Add CAA DNS Record?
Obviously it has many flaws including many of the DNS providers including Dyn has no support of the CAA DNS record feature at the time of publication. We guess, the reason to be Let’s Encrypt Libre software project which actually can be forked to give birth to many CA in future.
The standard zone file is of following syntax (thecustomizewindows.com is domain, geotrust is one CA, letsencrypt another CA and email is admin@thecustomizewindows.com and geotrust is allowed to issue wildcard ):
1 2 3 4 | thecustomizewindows.com. IN CAA 0 issue "geotrust.com" thecustomizewindows.com. IN CAA 0 issue "letsencrypt.org" thecustomizewindows.com. IN CAA 0 issuewild "letsencrypt.org" thecustomizewindows.com. IN CAA 0 iodef "admin@thecustomizewindows.com" |
There is also a legacy RFC 3597 syntax :
1 2 | example.com.INTYPE257\# 19 00056973737565636F6D6F646F63612E636F6D example.com.INTYPE257\# 12 0009697373756577696C643B |
Specially for the above, you need some free tools like :
1 | https://github.com/SSLMate/caa_helper |
How to Check CAA DNS Record?
Regarding tools for checking CAA records, newer versions of dig supports parsing the record data. It is possibly practical to use this kind of tool :
1 | https://github.com/weppos/dnscaa |
