CAA record checks are now mandatory before SSL certificates are issued
It is now mandatory for the Certifying Authorities to verify the CAA record before issuing the SSL Certificate.
By: Microworld Technologies Inc
What is CAA?
CAA is an industry standard that allows domain owners to specify which Certifying Authorities (CAs) are allowed to issue certificates for their domains. Its purpose is to help CAs avoid mis-issuance of certificates by adding a further check to their certificate-issuance procedures.
Before issuing a certificate, the CA looks up the domain's CAA records, checks whether it is itself listed there, and rejects the request if it is not.
How to use CAA?
The domain owner has to publish CAA records in the domain's DNS, specifying:
1. List of CAs authorized to issue SSL certificates for that domain.
2. Policies for the entire domain or for specific hosts
3. Whether the policy applies to single-name certificates, wildcard certificates, or both.
Why use CAA?
There have been numerous instances in the past in which Certifying Authorities were hacked and fraudulent certificates were issued. In our previous blog posts we had also raised concerns about the lack of verification and the decentralized structure of the CA system, which allowed any CA to issue SSL certificates for any domain. It was therefore essential to give domain owners a control and verification mechanism for sharing information with the CAs, so that a CA itself knows whether or not it is allowed to issue the certificate.
It is now the domain owner's prerogative to publish CAA information if they use certificates, and it is the CA's responsibility to validate each and every request against it.
List of DNS Servers Implementing CAA
Although, Certification Authority Authorization(
Software             Supports CAA   Notes
BIND                 Yes            Prior to version 9.9.6 use RFC 3597 syntax (https://tools.ietf.org/
Knot DNS             ≥2.2.0
NSD                  Yes            Prior to version 4.0.1 use RFC 3597 syntax (https://tools.ietf.org/
OpenDNSSEC           Yes            With ldns ≥1.6.17
PowerDNS             ≥4.0.0         Versions 4.0.3 and below are buggy when DNSSEC is enabled (https://github.com/
Simple DNS Plus      ≥6.0
tinydns              Yes            Use generic record syntax
Windows Server 2016  Yes            Use RFC 3597 syntax (https://tools.ietf.org/
Domain Owners may check with their respective Domain Registration Service Providers whether they provide the addition of CAA records in their DNS Configuration Panel.
In order to create a CAA record, domain owners may visit https://sslmate.com/
How to Verify CAA?
Two of the most popular tools for looking up DNS records are "dig" and "nslookup"; with both, the CAA record type is queried as "type257" (257 is the numeric RR type assigned to CAA).
$ dig google.com type257
;; ANSWER SECTION:
google.com. 86399 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
google.com. 86399 IN TYPE257 \# 15 00056973737565706B692E676F6F67
> set q=type257
google.com rdata_257 = \# 19 0005697373756573796D616E7465632E636F6D
google.com rdata_257 = \# 15 00056973737565706B692E676F6F67
However, these tool versions do not yet decode CAA records, so all you can conclude from their output is that a CAA record exists.
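As an added example (not code from this post), here is a small decoder for the RFC 3597 generic form that dig and nslookup print above, together with the reverse encoder for writing CAA records on the servers in the table that still require RFC 3597 syntax. It assumes only the wire layout of CAA rdata; the hex strings it is fed are the ones shown in the dig output.

```python
# CAA rdata on the wire (RFC 8659 section 4.1): flags (1 byte), tag length (1 byte), tag, value.
# Older BIND/NSD and Windows Server 2016 need this written as RFC 3597 generic rdata,
# which is also what dig/nslookup above print: '\# <length> <hex bytes>'.

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def decode_caa_rdata(generic):
    """Turn an RFC 3597 string such as '\\# 19 0005697373...' into (flags, tag, value)."""
    parts = generic.split()
    if len(parts) < 3 or parts[0] != r"\#":
        raise ValueError("expected RFC 3597 generic rdata: '\\# <length> <hex>'")
    declared = int(parts[1])
    raw = bytes.fromhex("".join(parts[2:]))  # the hex may be split by whitespace
    if len(raw) != declared:
        raise ValueError(f"declared length {declared} != actual length {len(raw)}")
    if len(raw) < 2:
        raise ValueError("CAA rdata needs at least flags and tag length")
    flags, tag_len = raw[0], raw[1]
    if tag_len == 0 or 2 + tag_len > len(raw):
        raise ValueError("tag length is zero or runs past the end of the rdata")
    tag = raw[2:2 + tag_len].decode("ascii").lower()  # tags are case-insensitive
    value = raw[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def encode_caa_rdata(flags, tag, value):
    """Build the RFC 3597 presentation form for a CAA record (the reverse of decode)."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_bytes = tag.encode("ascii")
    if not 1 <= len(tag_bytes) <= 255 or not tag_bytes.isalnum():
        raise ValueError("tag must be 1-255 ASCII letters/digits")
    raw = bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")
    return rf"\# {len(raw)} {raw.hex().upper()}"


def describe(generic):
    """Human-readable form, flagging unknown tags that carry the critical bit (0x80)."""
    flags, tag, value = decode_caa_rdata(generic)
    note = "" if tag in KNOWN_TAGS else " (unknown tag%s)" % (", critical" if flags & 0x80 else "")
    return f'{flags} {tag} "{value}"{note}'


if __name__ == "__main__":
    # The two records dig printed for google.com above, decoded.
    for rec in (r"\# 19 0005697373756573796D616E7465632E636F6D",
                r"\# 15 00056973737565706B692E676F6F67"):
        print(describe(rec))
```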
One may visit our domain tools section (https://escanav.com/
;; ANSWER SECTION:
google.com. 86399 IN CAA 0 issue "pki.goog"
A more complex CAA record set, published by hboeck.de:
;; ANSWER SECTION:
hboeck.de. 3599 IN CAA 0 issue "letsencrypt.org"
hboeck.de. 3599 IN CAA 0 issuewild ";"
hboeck.de. 3599 IN CAA 0 iodef "https://int21.de/
hboeck.de. 3599 IN CAA 0 iodef "mailto:hanno@
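To make the CA-side decision concrete, here is an added example (not code from this post or from any CA) that applies the rules a CA follows to the record sets shown above: use the host's own CAA set or else the nearest parent's, let issuewild govern wildcard requests, and refuse on a critical record with an unknown tag. DNS is stood in for by a constructed dictionary, and the iodef address is a placeholder because the page's is cut off.

```python
# Constructed stand-in for DNS: the CAA record sets shown on this page, as (flags, tag, value).
# The iodef address is a placeholder because the page's own value is truncated.
CAA_ZONES = {
    "hboeck.de": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:placeholder@example.invalid"),
    ],
    "google.com": [(0, "issue", "pki.goog")],
}


def page_lookup(name):
    """Stand-in for a CAA query against DNS; returns [] when the name has no CAA set."""
    return CAA_ZONES.get(name, [])


def relevant_caa_set(lookup, fqdn):
    """The CAA set governing fqdn: its own, or else the nearest parent's (RFC 8659 section 3)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = lookup(".".join(labels[i:]))
        if rrset:
            return rrset
    return []  # no CAA anywhere up the tree: issuance is not restricted


def caa_permits(lookup, fqdn, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue for fqdn (wildcard=True means '*.fqdn')."""
    rrset = relevant_caa_set(lookup, fqdn)
    # A critical record (flag bit 0x80) with a tag the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # Wildcard requests are governed by issuewild when present, otherwise by issue;
    # non-wildcard requests are governed by issue only.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # only iodef (or nothing): CAA does not restrict this request
    for value in governing:
        issuer = value.split(";", 1)[0].strip().lower()  # drop parameters after ';'
        if issuer and issuer == ca_domain.lower():
            return True
    return False  # includes the bare ";" that hboeck.de uses to forbid all wildcard issuance
```

With these records, letsencrypt.org may issue for hboeck.de and its subdomains but not a wildcard, and google.com's single issue record governs both kinds of request.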
Threat Attack Scenarios
With CAA in place, the attack surface shrinks and shifts towards the CAA records that domain owners add, in particular:
• Domain owners not publishing CAA records in their DNS at all
• Compromise of the domain owner's DNS control panel, which would let the CAA records themselves be altered