
Restrict which Certificate Authorities (CAs) can issue SSL certificates for your domain: enable CAA records in DNS

It’s been a while since I audited someone’s DNS, but a recent client review turned up CAA records that were, frankly, set at random. Talking it through with their administrator, it became clear he had no idea what CAA was, how it worked, or why getting it right matters. That got me thinking: how many of us actually understand CAA - and how it can save you if someone tries to obtain an SSL certificate for your domain?

What CAA is

CAA, or Certificate Authority Authorization, is a DNS record that declares which Certificate Authorities are allowed to issue certificates for a given domain. It’s published as a CAA-type record - publicly visible, and checked by a CA before it issues a certificate.

Background

The first draft came from Phillip Hallam-Baker and Rob Stradling back in 2010, and the work accelerated over the following years as CA compromises piled up. The first notable CA subversion was in 2001, when VeriSign issued two certificates to someone claiming to represent Microsoft - both labelled “Microsoft Corporation” - which could have been used to spoof identity or push malicious updates. In 2011, fraudulent certificates were issued after Comodo[1] and DigiNotar[2] were breached by Iranian hackers, and were used in a real man-in-the-middle attack in Iran. In 2012, Trustwave admitted issuing a sub-root certificate[3] used to sniff SSL traffic in the name of transparent traffic management. The lesson is clear: CAs need to be restricted - whitelisted - at the domain level.

Without a CAA record

Put simply, a CAA record announces which CAs may issue certificates for your domain. If no CAA record exists, any CA can issue one.

CAA is good practice for restricting which CAs have the power to legally issue certificates for your domain - think of it as whitelisting them at the DNS level.

CA/Browser Forum rules now mandate[4] that a Certificate Authority check your CAA record before issuing: a certificate can only be issued if there’s no record, or the CA is whitelisted. Rules set on a parent domain are inherited by subdomains unless overridden.

Certificate authorities interpret the absence of a CAA record as authorization for unrestricted issuance, and a single blank issue tag as disallowing all issuance.[5]

Record syntax

A CAA record has the format <flag> <tag> <value>:

  • flag - an integer (1–255) defined in RFC 6844[6], currently used for the critical flag[7].
  • tag - an ASCII string (issue, issuewild, iodef) identifying the property the record represents.
  • value - the value of the property named in the tag.

The tags mean:

  • issue - authorizes a single CA to issue any type of certificate for the domain.
  • issuewild - authorizes a single CA to issue only wildcard certificates for the domain.
  • iodef - where CAs report requests or issuance that violate your CAA policy (via mailto:, http://, or https://).
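As an added example (not from the original post), here is the issuance decision a CA makes under RFC 6844, run against a constructed in-memory zone rather than live DNS: the walk toward the root that gives subdomains their inherited policy, the unrestricted default when no record exists, the blank `issue ";"` value that denies every CA, issuewild taking precedence for wildcard requests, and the critical flag blocking issuance when the CA does not understand a tag. The zone contents, domain names and report address are made up for the example.

```python
from typing import NamedTuple

CRITICAL = 128  # RFC 6844 issuer-critical flag: bit 0 of the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

class CAA(NamedTuple):
    flags: int
    tag: str
    value: str

# Constructed zone standing in for real DNS answers: owner name -> CAA RRset.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),                      # no wildcard certs from anyone
        CAA(0, "iodef", "mailto:hostmaster@example.com"),
    ],
    "locked.example.com.": [CAA(0, "issue", ";")],     # blank issuer: nobody may issue
}

def relevant_caa_set(name, zone=ZONE):
    """Walk from the name toward the root and return the first non-empty CAA RRset
    (how subdomains inherit a parent's policy); None if no ancestor publishes CAA."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return None

def ca_may_issue(ca, name, wildcard=False, zone=ZONE):
    """True if the CA identified by issuer domain `ca` may issue a cert for `name`."""
    rrset = relevant_caa_set(name, zone)
    if rrset is None:
        return True                       # no CAA anywhere: unrestricted issuance
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                      # critical record the CA cannot interpret
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                 # issuewild overrides issue for wildcards
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True                       # CAA present, but no restriction for this tag
    # Value is "<issuer-domain>[; parameters]"; an empty issuer domain matches no CA.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    return ca.lower() in allowed - {""}

def violation_report_targets(name, zone=ZONE):
    """iodef targets a CA should notify about requests that violate the policy."""
    return [r.value for r in (relevant_caa_set(name, zone) or []) if r.tag == "iodef"]
```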

DNS support

Per Wikipedia[8], CAA records are supported by BIND (9.10.1B+), Knot DNS (2.2.0+), ldns (1.6.17+), NSD (4.0.1+), OpenDNSSEC, PowerDNS (4.0.0+), Simple DNS Plus (6.0+), tinydns, and Windows Server 2016. Many hosted DNS providers support them too - Amazon Route 53, Cloudflare, DNS Made Easy, and Google Cloud DNS.

My DNS setup

For my own domain I set the policy to allow only letsencrypt.org, though Cloudflare’s Universal SSL adds a few more automatically:

  • 0 issue "comodoca.com"
  • 0 issue "digicert.com"
  • 0 issue "globalsign.com"
  • 0 issuewild "comodoca.com"
  • 0 issuewild "digicert.com"
  • 0 issuewild "globalsign.com"

I also configured iodef for violation reports: 0 iodef "mailto:hello@cybersins.com".

Adoption on the web

After that audit I got curious about how the top 10,000 Alexa sites were doing with CAA - and the result was startling: only 4% of the top 10K had a CAA DNS record. (Update, 27 Feb 2018: these figures were corrected - thanks to Ich Bin Niche Sie for catching a calculation error.)

We still have a long way to go with newer controls like CAA records and security.txt, and I’ll keep covering these to champion security wherever I can - without getting in the way of the business. Always work hand in hand with the business.

Stay safe, and stay tuned.