CAA records

From ISPWiki

Introduction

CAA (Certification Authority Authorization) is a special DNS record used to specify which certification authorities are allowed to issue SSL/TLS certificates for a domain. The CAA record is defined in RFC 6844.

Starting from September 8, 2017, all certification authorities must check CAA records to make sure that a request for an SSL/TLS certificate is authorized by the domain owner.

The purpose of this requirement is to prevent the issuance of rogue or unauthorized certificates when a CA is compromised or a domain is hacked. Without CAA, an attacker who has taken over a domain could obtain a valid certificate for it from any CA and use it for MITM attacks or to redirect users to phishing sites.

About CAA records

When example.com requests an SSL certificate from a CA, the CA checks the domain's CAA records. If no CAA records are found, the certificate is issued.

If CAA records are found, for example when the DNS zone contains the following issue records:

example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "startssl.com"

the CA looks for its own name among them. If the name is found, the certificate is issued; otherwise the request is rejected.

A CAA record for a domain or subdomain applies to all of its subdomains unless they publish CAA records of their own.

Besides issue, a CAA record can carry the issuewild tag for wildcard certificates and the iodef tag, which specifies a URL for reporting.

Thus CAA gives DNS zone owners a way to declare which certification authorities are authorized to issue certificates for that domain name.

Support of CAA records by DNS servers

ISPmanager Lite and DNSmanager let you choose which DNS server to set up: BIND or PowerDNS. ISPmanager Business uses PowerDNS only.

BIND supports CAA records starting from version 9.9.6; PowerDNS supports them from version 4.0.0 beta 1.

In older versions of BIND and PowerDNS, CAA records can only be added in the "unknown record" format of RFC 3597, as TYPE257.

You can use this online helper from SSLMate to generate valid CAA records.

How to add CAA records

Navigate to "Domains" --> "Domain names" --> select a domain --> click "Records". On the page that opens, click "Add" --> Type --> CAA.

Structure of a CAA record

A CAA record consists of a flags byte and a tag-value pair. Multiple properties may be associated with the same domain name by publishing multiple CAA records at that name.

Flags

The flags byte can be either 0 or 128. 128 marks the property as critical for CAs: if a CA does not understand the property, it is not allowed to issue certificates.

0 marks the property as non-critical. If the CA does not understand the property, it may still issue a certificate.

Tags

Three tags are defined for CAA records: issue, issuewild and iodef.

  • issue — authorizes the CA named in the record to issue a certificate for the hostname.
  • issuewild — authorizes the CA named in the record to issue a wildcard certificate for the hostname.
  • iodef — lets the domain owner specify an email address or URL to which CAs can report invalid certificate requests. iodef reports use a standard format called the Incident Object Description Exchange Format (IODEF).

Value

  • For issue and issuewild, CAs can define additional parameters, separated by semicolons (;). For example, the CA ca.example.net asks its client to specify account number 230123. The CAA record value will then look like this: ca.example.net; account=230123. Specifying only ; as the value of an issue record forbids all CAs from issuing SSL certificates.
  • The iodef value is the email address or URL of the reporting endpoint and takes no additional parameters.

Examples and notes

Using critical bit in flags

The critical flag in CAA records is intended to let future versions of CAA introduce new semantics that must be understood for correct processing of the record, preventing conforming CAs that do not recognize the new semantics from issuing certificates.

In the following example, the record with the tbs tag is flagged as critical:

$ORIGIN example.com
.       CAA 0 issue "ca.example.net; policy=ev"
.       CAA 128 tbs "Unknown"

Neither ca.example.net nor any other CA is authorized to issue under either policy unless it understands the processing rules for the tbs property tag.

Please note: the above restrictions apply only at the time of issuance. Since a certificate is normally issued for a year or more, the CAA records may well change after the certificate was issued. Such changes do not affect the already issued certificate, but they can affect domain validation by third parties.
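The checks described above (a CA looking for its own name in issue records, subdomains inheriting the parent's records, issuewild taking precedence for wildcard names, a bare ";" forbidding every CA, and a critical flag on an unknown tag blocking issuance) can be put together into a small policy evaluator. This is an added Python example, not code from the ISPWiki page or from ISPmanager; the zone data and the CA name ca.example.net are constructed sample values.

```python
from collections import namedtuple

# A record is (flags, tag, value): flags is 0 or 128 (issuer-critical bit set);
# value is e.g. 'ca.example.net; account=230123', or ';' to forbid every CA.
CAA = namedtuple("CAA", "flags tag value")
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone (not real DNS data): names map to their CAA records.
ZONE = {
    "example.com": [
        CAA(0, "issue", "ca.example.net; account=230123"),
        CAA(0, "issuewild", ";"),       # no wildcard certificates from anyone
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "strict.example.com": [
        CAA(0, "issue", "ca.example.net; policy=ev"),
        CAA(128, "tbs", "Unknown"),     # critical tag no CA understands yet
    ],
}

def parse_issuer(value):
    """'ca.example.net; account=230123' -> ('ca.example.net', {'account': '230123'});
    a bare ';' gives an empty issuer, which no CA can ever match."""
    issuer, *extra = [p.strip() for p in value.split(";")]
    params = dict(p.partition("=")[::2] for p in extra if p)
    return issuer.lower(), params

def relevant_records(zone, name):
    """Climb from the name toward the root: the first label with CAA records
    governs, so subdomains inherit their parent's policy."""
    labels = name.split(".")
    while labels:
        if recs := zone.get(".".join(labels)):
            return recs
        labels = labels[1:]
    return []

def may_issue(zone, ca, name):
    """Decide whether CA `ca` may issue for `name` (a hostname or '*.host')."""
    wildcard = name.startswith("*.")
    recs = relevant_records(zone, name[2:] if wildcard else name)
    if not recs:
        return True              # no CAA records at all: issuance permitted
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in recs):
        return False             # critical property this CA cannot process
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in recs):
        tag = "issuewild"        # issuewild overrides issue for wildcard names
    authorized = [parse_issuer(r.value)[0] for r in recs if r.tag == tag]
    return not authorized or ca.lower() in authorized
```

Records with other tags (here iodef) are ignored by the issuance decision, and a name with no records of its own falls back to the nearest parent that has some.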

Querying CAA record for a domain

You can query the CAA records of a domain with dig:

dig example.com caa

Resources

1. RFC 6844: DNS Certification Authority Authorization (CAA) Resource Record

2. RFC 3597: Handling of Unknown DNS Resource Record (RR) Types

3. RFC 5070: The Incident Object Description Exchange Format

4. [cabfpub] Ballot 187 - Make CAA Checking Mandatory

5. CAA Record Generator by SSLMate