The Complete Guide to CAA Records

This is the ninth installment of a ten-part series outlining the ten most common Domain Name System (DNS) records.  In this article I will examine CAA Records, or Certification Authority Authorization.  Links to the previous articles can be found below:

What is a CAA Record?

Certification Authority Authorization (CAA) records allow domain owners to indicate which certificate authorities (CAs) are authorized to issue digital certificates for a particular domain name.  If no CAA record is present, any Certificate Authority is allowed to issue a certificate for the domain.  If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.  CAA Records are governed by RFC 6844.  This RFC was authored by Phillip Hallam-Baker and Rob Stradling, and further improved upon by the PKIX Working Group.  CAA Records must be honored by CAs effective September 2017.

What is a Certificate Authority?

A certificate authority (CA), or certification authority, is a trusted third party that issues cryptographic certificates.


Common uses of CAA Record

  • Establishing the secure browsing protocol, HTTPS.
  • Trusting third parties when electronically signing documents.
  • Using self-signed certificates.
  • Encrypting or signing messages.

Why Use a CAA?

CAs validate domains to make sure every Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate request is authorized.  SSL/TLS is a standard security technology that enables encrypted communication between a web browser and a web server.  SSL is used to encrypt payment and other private information.  To check control, the CA has the requester place a file on the website that proves the requester controls that site.  However, a hacker who gains control of the website could then use that site’s SSL/TLS certificate for mischief and criminal behavior.  To be clear, an SSL certificate only confirms that the certificate owner controls the website, not that the website can be trusted by users.

The Problem CAA Records Solve

There are thousands of Certificate Authorities trusted by today’s computer applications, and any one of these CAs can issue a valid SSL certificate for any website.  Many CAs have subordinate CAs or resellers that can also issue certificates for most websites.  For the internet to remain secure, CAs must both protect their own infrastructure against hackers and enforce domain ownership checks before issuing certificates.  Doing both of these things has proven impossible in the past.

The Solution provided by CAA Records

CAA blocks exploitation of websites by defining which CAs are allowed to issue certificates for a domain.  If your website is hacked, having a CAA record in place reduces the likelihood that credit card numbers, usernames, passwords, email addresses and other personally identifying information will be compromised.

How CAA Records Work

Before issuing a digital certificate, a Certificate Authority performs a lookup for CAA resource records on the requested name and, if any are found, confirms that it is listed as an authorized party.  A CA that is not listed is not allowed to issue.  If you want to see who has issued a certificate for your website, go to crt.sh and enter your domain name.

The Downside of CAA Records

There are two weaknesses:

  1. A Certificate Authority without strong controls could still issue a certificate for your website, which could then be compromised and used nefariously.
  2. If a login to your DNS provider is compromised, the hackers then control the CAA Records.  Use strong passwords and multi-factor authentication to prevent this.  You can read more about how to prevent your domains from being compromised here.

How to Add CAA Record

To add a CAA Record, log into the DNS provider of your website, select the equivalent of Manage DNS, and select Add Record.  Below is an image for adding a CAA record on a domain I own through GoDaddy.  Beneath the image, I have defined each term, and also given the limitations and requirements of each field.

CAA Record

  • type: the type of DNS Record you want to add – select CAA.
  • name: depending on your provider, you can fill this field with either @, to signify the current domain you’re editing, or the domain name you want the record to apply to.  If your DNS provider is GoDaddy, the value should be @.
  • flags: this field was added for future extensibility of the record.  Most users should enter 0 in this field.
  • tag: choose the property that best fits your need
    • issue: this tag authorizes the holder of the specified domain to issue certificates for the domain you’re adding the record to.  This entry would look like: issue Example.
    • issuewild: like the issue tag, this tag authorizes the holder of the specified domain to issue only wildcard certificates for the domain you’re adding the record to.  The entry would look like: issuewild Example.
    • iodef: this tag, Incident Object Description Exchange Format, specifies how certificate authorities report invalid certificate requests to the domain name holder.  Currently, not all CAs support this tag.  IODEF is a data format for incident reports; details can be found in RFC 5070, 6685 and 7970.
  • value: the value associated with the chosen tag.
  • TTL: the standard DNS time to live field.  I discussed Time To Live in detail in part 1 of this series, examining the Address Record.

Once you fill out the form, select Save and your CAA record has been added.  An example CAA Record in text form may look something like this:

jasonofflorida.com.  IN  CAA 0 issue "symantec.com"
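As an added example (not code from the original post), here is a small Python model of the CA-side check described under "How CAA Records Work" and of the record fields defined in the list above: it parses records in the text form shown, climbs from the requested hostname toward the root to find the relevant CAA set, and then applies the issue / issuewild rules of RFC 6844 (including the critical flag). The zone lines are constructed sample data.

```python
import re

# Constructed zone data in CAA presentation format (sample only, not real DNS).
ZONE = """
jasonofflorida.com.  IN  CAA 0 issue "symantec.com"
jasonofflorida.com.  IN  CAA 0 issuewild ";"
jasonofflorida.com.  IN  CAA 0 iodef "mailto:security@jasonofflorida.com"
locked.example.      IN  CAA 128 futuretag "whatever"
"""

CAA_LINE = re.compile(r'^(\S+)\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')

def parse_zone(text):
    """Map owner name -> list of (flags, tag, value) parsed from CAA lines."""
    records = {}
    for line in text.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError("not a CAA record: " + line)
        owner, flags, tag, value = m.groups()
        records.setdefault(owner.lower(), []).append((int(flags), tag.lower(), value.strip()))
    return records

def relevant_caa(records, name):
    """Climb from name toward the root; the first owner with CAA records is the relevant set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in records:
            return records[owner]
    return []  # no CAA found anywhere up the tree

def issuance_allowed(records, name, ca_domain):
    """Return True if ca_domain may issue a certificate for name ('*.' prefix = wildcard)."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(records, name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA record present: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(f & 128 and t not in known for f, t, _ in rrset):
        return False  # critical flag (128) on a tag this CA does not understand: must not issue
    tags = {t for _, t, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # no issue/issuewild property restricts this request
    # value is "<ca-domain>[; params]"; an empty domain (";") authorizes nobody
    allowed = {v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag}
    return ca_domain.lower() in allowed
```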

If you received some added value from my post, please like and follow us on Facebook, Twitter, and LinkedIn, or subscribe to jasonofflorida.com.  Next in the DNS Records Series I will discuss the ALIAS Record.
