I really like the kind of security features that are easy to use. The CAA “DNS Certification Authority Authorization” is one of those. As a domain administrator you must only generate the appropriate CAA records and you’re done. (Unlike other security features such as HPKP that requires deep and careful planning or DANE which is not used widely.) Since the check of CAA records is mandatory for CAs since 8. September 2017, the usage of those records is quite useful because it adds another layer of security.
(This blogpost is part of a series about DNSSEC. Refer to this structured list for all articles.)
What is CAA? In short: “CAA allows domain owners to define in a DNS record which certificate authorities are allowed to issue certificates for them“, Bulletproof TLS Newsletter #32. Hence none of your service operators is able to generate/buy a certificate at a CA that is not authorized for that name. This is useful if your company has lots of different web servers, websites, security appliances, etc., that are using TLS certificates and are managed by different persons. With CAA you can control the usage of the CAs which are allowed to sign those certificates/CSRs.
Note that the “Use of DNSSEC to authenticate CAA RRs is strongly RECOMMENDED but not
required”, RFC 6844, section 4.1. From a security perspective you should definitely use DNSSEC to have an authentic query/answer from the CAs to your DNS server.
Generate CAA Records
I added the CAA records for my test domain weberdns.de. I used the CAA Record Helper to generate them. Currently I am only using Let’s Encrypt for my domains while no wildcard certificates. Hence my CAA records are the following:
weberdns.de. IN CAA 0 issue "letsencrypt.org"
weberdns.de. IN CAA 0 issuewild ";"
weberdns.de. IN CAA 0 iodef "mailto:email@example.com"
A test query with dig shows the records and the DNSSEC signature (“ad” flag at line 7 and RRSIG at line 18):
; <<>> DiG 9.10.3-P4-Ubuntu <<>> weberdns.de caa +dnssec +multi +noauthority +noadditional
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58976
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;weberdns.de. IN CAA
;; ANSWER SECTION:
weberdns.de. 2160 IN CAA 0 iodef "mailto:firstname.lastname@example.org"
weberdns.de. 2160 IN CAA 0 issuewild "\;"
weberdns.de. 2160 IN CAA 0 issue "letsencrypt.org"
20171029091812 20170929081812 32058 weberdns.de.
;; Query time: 2 msec
;; SERVER: 2003:de:2016:120::a08:53#53(2003:de:2016:120::a08:53)
;; WHEN: Wed Oct 04 12:05:37 CEST 2017
;; MSG SIZE rcvd: 1303
Via the online DNS CAA Tester you can verify your records via an external service. In my example this looks like this:
Furthermore, the well-known SSL Server Test by SSL Labs also investigates the CAA records such as shown here:
Note that I have not tested any possible certificate authority whether they correctly check the CAA records. Of course not. Way too many. ;) However, this has been done by other security researchers. Hopefully they will continue discovering unreliable CAs.