With the approval of ballot 187, Certificate Authorities must check and respect the CAA records found in the DNS of a domain. This additional check has been mandatory since September 17, 2017. CAA stands for Certification Authority Authorization and is a standard designed to help domain owners by preventing the issuance of rogue or unauthorized SSL/TLS certificates for their domain.
Why should you use CAA records?
All Certificate Authorities can issue domain validated certificates. Domain validation is the first line of validation and also the lowest form of validation. CAs have several options to perform domain validation; the most common methods are e-mail, file or DNS approval. If an attacker controls one of these channels, they can request a certificate from a CA and approve the CA's validation request themselves. By limiting the number of CAs that are authorized to issue certificates for your domain, you also limit the chance that a certificate will be issued incorrectly.
How does this work?
CAA checks must be performed from the bottom Fully Qualified Domain Name (FQDN) to the top-level domain. The first CAA record that is found is valid for the FQDN in question.
These are the steps to follow:
Step 1: Check the FQDN
- If there’s a CAA record, and it’s good: PASS
- If there’s a CAA record, and it’s bad: FAIL
- If there’s no CAA record: go to Step 2
- If there’s an error, but the domain has NO DNSSEC: go to Step 2
- If there’s an error, and the domain has DNSSEC: FAIL
Step 2: Check parent FQDN (back to step 1)
This check must be done for every DNS/SAN name in a certificate.
So, if you need a certificate for wifi.office.hq.company.tld, the CA should check the following names, in this order:
- wifi.office.hq.company.tld
- office.hq.company.tld
- hq.company.tld
- company.tld
- tld
The first CAA record set found on the hostname or on one of its parents is the one that applies to the FQDN. A hostname can also carry several CAA records if you want to authorize multiple CAs to issue certificates.
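The bottom-up walk described above, written out as an added example (not code from the original article). It runs against a constructed in-memory table instead of live DNS, so the names `company.tld`, `flaky.company.tld`, `broken.company.tld` and the set of DNSSEC-signed names are all made up for the demonstration; `relevant_caa_set` applies the Step 1/Step 2 rules, including the two error cases, and `caa_chain` lists the names a CA would query.

```python
# Added example (not from the original article): the bottom-up CAA lookup,
# run against a constructed in-memory zone instead of live DNS.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flag: int
    tag: str
    value: str


# Sentinel for a DNS lookup that failed (SERVFAIL, timeout, ...).
LOOKUP_ERROR = object()

# Constructed stand-in for DNS: name -> list of CAA records, or LOOKUP_ERROR.
# Names missing from the table resolve to an empty CAA set.
ZONE = {
    "company.tld": [
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "iodef", "mailto:security@company.tld"),
    ],
    "flaky.company.tld": LOOKUP_ERROR,   # unsigned name whose lookup fails
    "broken.company.tld": LOOKUP_ERROR,  # DNSSEC-signed name whose lookup fails
}
# Constructed: names whose zone is DNSSEC-signed (a real CA validates this).
DNSSEC_SIGNED = {"company.tld", "broken.company.tld"}


def parent(fqdn):
    """office.hq.company.tld -> hq.company.tld; the TLD has no parent."""
    return fqdn.split(".", 1)[1] if "." in fqdn else None


def caa_chain(fqdn):
    """Names a CA must query, from the FQDN up to and including the TLD."""
    chain = []
    name = fqdn.rstrip(".")
    while name is not None:
        chain.append(name)
        name = parent(name)
    return chain


def relevant_caa_set(fqdn, zone=ZONE, signed=DNSSEC_SIGNED):
    """Apply the article's Step 1 / Step 2 rules.

    Returns (status, name, records):
      ("FOUND", name, records)  first non-empty CAA set on the way up
      ("FAIL", name, None)      lookup error on a DNSSEC-signed name
      ("NONE", None, [])        no CAA records anywhere: no restriction
    """
    for name in caa_chain(fqdn):
        result = zone.get(name, [])
        if result is LOOKUP_ERROR:
            if name in signed:
                return ("FAIL", name, None)  # error + DNSSEC: must not issue
            continue  # error without DNSSEC: treat as empty, go to the parent
        if result:
            return ("FOUND", name, list(result))
    return ("NONE", None, [])


if __name__ == "__main__":
    for host in ("wifi.office.hq.company.tld", "flaky.company.tld",
                 "broken.company.tld", "shop.example"):
        print(host, "->", relevant_caa_set(host))
```

Note that a name absent from the table is treated as "exists, no CAA records", which is what a NOERROR/NODATA answer means in real DNS; only the explicit `LOOKUP_ERROR` entries model a failed query, and only a failure on a signed name stops issuance.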
You can check your CAA records here: https://research.binaryfigments.com/caa
How to set CAA records
If you want to use CAA records for your domain, you need access to the DNS settings for that domain and, of course, a name server that supports CAA records. Most of the time you will do this at your domain registrar.
A CAA record consists of a flag, a tag and a value, and one FQDN can have several CAA records.
Flag: The flag tells a CA whether it must fully comply with the information in the record. It can be 0 for non-critical or 1 for critical.
Tag: The tag tells the CA what kind of CAA record it is. There are 3 tags: issue, issuewild and iodef. With the issue tag, the CA named in that record may issue certificates for that domain. If the CA is named in a record with the issuewild tag, it may only issue wildcard certificates. The iodef tag is for reporting: here you can add an e-mail address or URL where the CA can send its CAA reports.
Value: The value holds the content of the record. For the issue and issuewild tags, the value is the domain name that identifies the CA. The value for the iodef tag is a reporting URL or e-mail address. If you want to forbid issuance entirely for a tag, for example to block all wildcard certificates with an issuewild record, you can place a single ; (semicolon) as the value of that record.
If you need an extra policy, for example if you only allow a CA to issue EV certificates, you can set the value to:
"digicert.com; policy=ev". DigiCert should then only issue EV certificates.
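To make the flag/tag/value semantics concrete, here is an added example (not code from the original article) that parses CAA records written in the zone-file form `<flag> <tag> "<value>"` and decides whether a given CA may issue for a name: issue versus issuewild, the `;` value that blocks issuance, the `policy=ev` parameter, and the critical flag on an unknown tag. The record set `COMPANY_TLD_CAA` is constructed for the demonstration. One practitioner's check the prose glosses over: RFC 6844 puts the critical bit in the leading bit of the flags byte, so a critical record is typed as flag 128 in a zone file, and that is what the code tests for.

```python
# Added example (not from the original article): parse CAA records in
# presentation form and decide issuance from issue / issuewild / iodef records.
import re

# <flag> <tag> "<value>", whitespace tolerant
CAA_LINE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

# RFC 6844 encodes the critical bit as the leading bit of the flags byte, so a
# critical record is written as flag 128 in zone files.
ISSUER_CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed record set for company.tld: only DigiCert may issue, EV only,
# no wildcard certificates at all, reports go to the security mailbox.
COMPANY_TLD_CAA = [
    '0 issue "digicert.com; policy=ev"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@company.tld"',
]


def parse_caa(line):
    """'0 issue "digicert.com; policy=ev"' -> (0, 'issue', 'digicert.com; policy=ev')"""
    m = CAA_LINE.match(line)
    if not m:
        raise ValueError(f"not a CAA record in presentation form: {line!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def parse_issuer(value):
    """Split an issue/issuewild value into (issuer_domain, parameters).

    'digicert.com; policy=ev' -> ('digicert.com', {'policy': 'ev'})
    ';'                       -> (None, {})   meaning: nobody may issue
    """
    parts = [p.strip() for p in value.split(";")]
    domain = parts[0].lower() or None
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return domain, params


def iodef_targets(records):
    """Reporting addresses (mailto: or https: URLs) a CA should notify."""
    return [value for _, tag, value in map(parse_caa, records) if tag == "iodef"]


def may_issue(records, ca_domain, wildcard=False):
    """Decide issuance against one relevant CAA record set.

    Returns (allowed, reason, parameters of the matching record).
    """
    parsed = [parse_caa(r) for r in records]
    ca_domain = ca_domain.lower()

    # A critical record with a tag the CA does not understand stops issuance.
    for flag, tag, _ in parsed:
        if tag not in KNOWN_TAGS and flag & ISSUER_CRITICAL:
            return False, f"critical record with unknown tag {tag!r}", {}

    # Wildcard requests use issuewild records when present, else issue records.
    applicable = [r for r in parsed if r[1] == "issuewild"] if wildcard else []
    if not applicable:
        applicable = [r for r in parsed if r[1] == "issue"]
    if not applicable:
        return True, "no issue/issuewild records: issuance is not restricted", {}

    for _, tag, value in applicable:
        domain, params = parse_issuer(value)
        if domain is not None and domain == ca_domain:
            return True, f"authorized by {tag} {value!r}", params
    return False, f"{ca_domain} is not an authorized issuer for this name", {}


if __name__ == "__main__":
    print(may_issue(COMPANY_TLD_CAA, "digicert.com"))
    print(may_issue(COMPANY_TLD_CAA, "digicert.com", wildcard=True))
    print(may_issue(COMPANY_TLD_CAA, "letsencrypt.org"))
    print(iodef_targets(COMPANY_TLD_CAA))
```

A record set containing only an iodef record does not restrict issuance, which is why a reporting address on its own is not a protection; the issue or issuewild record is what actually limits which CA may issue.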
There is a CAA record generator from SSLMate that can help you set up your CAA records.
The iodef messages are sent in the Incident Object Description Exchange Format. The related RFC is available here: https://tools.ietf.org/html/rfc6546.
- Ballot 187: https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/
- RFC 6844: https://tools.ietf.org/html/rfc6844
- Check CAA records: https://research.binaryfigments.com/caa
- CAA record generator: https://sslmate.com/caa/