
The CAA-Record for increased encryption security

The CAA record (Certification Authority Authorization) signals which certification authorities (CAs) may issue an X.509 certificate for a given domain. CAA is a DNS mechanism that lets a domain owner whitelist the CAs that are allowed to issue certificates for their hostnames; any CA not on the list must refuse the request.

Starting in September 2017, every CA issuing publicly trusted certificates must check the CAA record before issuing.

This deck explains the CAA record, how it works, how to enter CAA into a zone and how certification authorities are going to use the record.



1. © Men & Mice http://menandmice.com
   DNS Certification Authority Authorization (CAA) Resource Record: what will change in September?
2. Agenda
   1. Brief overview of the CAA record
   2. How CAA is used
   3. CAA mandatory from September 2017
   4. A detailed look at CAA
      1. ISSUE and ISSUEWILD
      2. IODEF: reporting misuse
      3. The flags
      4. Custom CAA values
      5. Hierarchical CAA
   5. Deploying CAA
3. A brief overview of the CAA record
4. CAA record
   • the CAA (Certification Authority Authorization) record whitelists one or more certification authorities (CAs) that may issue X.509 certificates (SSL/TLS, HTTPS etc.) for a specific domain
   • starting in September 2017, CAs with a root certificate in one of the major web browsers must look up the CAA record and must follow its content when issuing new certificates
   • the CAA record is defined in RFC 6844: https://datatracker.ietf.org/doc/rfc6844/ (RFC 6844 has since been obsoleted by RFC 8659, which keeps the record format and clarifies the lookup algorithm)
5. certificate request w/o CAA (diagram: Client, CA A, Web-Server example.com, DNS-Server): the client generates a keypair and sends a certificate signing request to CA A
6. certificate request w/o CAA (diagram): CA A returns the CA-signed public key (aka certificate)
7. certificate request w/o CAA (diagram): the X.509 certificate is deployed on the web server
8. certificate mis-issue
9. certificate request w/o CAA (diagram: malicious actor, CA B, Web-Server example.com, DNS-Server): the malicious actor generates a keypair for example.com and sends a certificate signing request to CA B
10. certificate request w/o CAA (diagram): CA B returns a CA-signed public key (aka certificate) for example.com to the malicious actor; the DNS server and the legitimate owner were never consulted
11. certificate request with CAA
12. certificate request with CAA (diagram: Client, CA A, Web-Server example.com, DNS-Server): the client generates a keypair and sends a certificate signing request to CA A
13. certificate request with CAA (diagram): CA A fetches the CAA record for example.com from the DNS server
14. certificate request with CAA (diagram): CA A checks the CAA record content; CA A is listed
15. certificate request with CAA (diagram): CA A returns the CA-signed public key (aka certificate)
16. certificate request with CAA (diagram): the X.509 certificate is deployed on the web server
17. certificate mis-issue (prevented by CAA)
18. certificate request with CAA (diagram: malicious actor, CA B, Web-Server example.com, DNS-Server): the malicious actor generates a keypair for example.com and sends a certificate signing request to CA B
19. certificate request with CAA (diagram): CA B fetches the CAA record for example.com from the DNS server
20. certificate request with CAA (diagram): CA B checks the CAA record content; CA B is not listed
21. certificate request with CAA (diagram): CA B refuses to issue; the malicious actor gets no certificate
22. what is changing in September?
23. CAB-Forum
   • the CA/Browser (CAB) Forum sets the rules a CA must follow for its root certificates to be shipped in web browsers: https://cabforum.org
   • CAs and browser vendors are members of the CAB Forum
   • the CAB Forum has decided (Ballot 187) that checking the CAA record is mandatory for member CAs starting in September 2017: https://cabforum.org/pipermail/public/2017-March/009917.html
24. CAB-Forum
   • the CAB Forum does NOT(!) mandate that customers requesting a certificate from a CA must have a CAA record
   • however, some CAs mandate CAA as part of their own policy
   • customers can still request certificates from a CA without having a CAA record
   • but not having CAA is less secure: without it, every publicly trusted CA may issue for the domain
25. a detailed look at CAA
26. CAA-Record: the CAA "issue" property
   example.org. CAA 128 issue "letsencrypt.org"
   example.org. = domain for the certificate; CAA = record type
27. CAA-Record: the flags
   example.org. CAA 128 issue "letsencrypt.org"
   Flags:
   0 = property not critical; if the CA does not understand the property, the rest of the CAA record set can still be used
   128 = property is critical (the high-order bit of the flags octet); if the CA does not understand the property, it must not issue based on this record set
28. CAA-Record: the property tag
   example.org. CAA 128 issue "letsencrypt.org"
   property tags currently defined by RFC 6844:
   issue: the listed CA is permitted to issue a normal (non-wildcard) certificate for the domain
   issuewild: the listed CA is permitted to issue a wildcard certificate for the domain
   iodef: URL to which a CA reports certificate requests that violate the CAA policy
29. CAA-Record: the value
   example.org. CAA 128 issue "letsencrypt.org"
   value for issue and issuewild: the domain name of the CA permitted to issue certificates for this domain (each CA documents which name it recognises in its CAA records)
30. CAA-Record: the CAA "issuewild" property
   example.org. CAA 128 issuewild "letsencrypt.org"
   issuewild: domain name of the CA permitted to issue a wildcard certificate for this domain (*.example.org); if no issuewild record exists, the issue records also govern wildcard certificates
31. CAA-Record: the CAA "issue" property with an empty issuer
   example.org. CAA 128 issue ";"
   a single semicolon ";" as the value prevents any CA from issuing certificates for this domain
32. CAA-Record: the CAA "iodef" property
   example.org. CAA 128 issue "letsencrypt.org"
   example.org. CAA 128 iodef "mailto:security@example.com"
   example.org. CAA 128 iodef "https://iodef-report.example.com"
   the iodef property defines a report channel (a mail address or a web URL for reporting misuse) that a CA can use to report certificate requests that violate the CAA policy. Reports use the IODEF format (RFC 5070); for https URLs they are carried as RID messages as defined in RFC 6546 "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS"
   https://tools.ietf.org/rfc/rfc6546.txt
   https://en.wikipedia.org/wiki/Incident_Object_Description_Exchange_Format#Example
33. CAA-Record: CA private properties (parameters)
   example.org. CAA 128 issue "ca.domain.tld; maxvalidity=360"
   in addition to the issuer domain name defined in RFC 6844 (the standard value), a CA can define private name=value parameters for the issue and issuewild values; the issuer name and each extra parameter are separated by a semicolon ";". The meaning of a parameter such as maxvalidity is whatever the named CA defines; RFC 6844 assigns parameters no standard meaning
34. CAA-Record: semicolon in CAA records
   example.org. CAA 128 issue "ca.domain.tld\; maxvalidity=360"
   some BIND 9 tools (for example dnssec-signzone) write the semicolon ";" escaped with a backslash, as "\;"; both spellings denote the same record
   https://www.mail-archive.com/bind-users@lists.isc.org/msg24423.html
35. CAA-Record: hierarchical CAA
   example.org. CAA 128 issue "ca-a.domain.tld"
   us.example.org. CAA 128 issue "ca-b.domain.tld"
   ny.us.example.org. CAA 128 issue "ca-x.domain.tld"
   a CA starts at the name to be certified and climbs the DNS tree one label at a time until it finds a CAA record set (or reaches the top-level domain); only the first record set found applies, record sets higher up are not merged in. This allows different CAs for branches of the DNS tree:
   ny.us.example.org: cert from ca-x
   us.example.org: cert from ca-b
   example.org and asia.example.org (no CAA record of its own): cert from ca-a
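The check a CA performs with slides 26 to 35 in hand, as an added example that is not code from the Men & Mice slides or from any CA's software: it walks a constructed in-memory zone upward, honours the critical flag on unknown tags, treats a bare ";" as "nobody", falls back from issuewild to issue when no issuewild record exists, and strips CA-private parameters from the issuer name. The zone contents, hostnames and CA domains (ca-a.domain.tld, ca-w.domain.tld, the futuretag tag) are made up for illustration.

```python
# Added example, not code from the slides: a model of the CA-side CAA check
# of RFC 6844 run against a constructed in-memory zone.

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # high-order bit of the flags octet

# constructed zone data: owner name -> list of (flags, tag, value)
ZONE = {
    "example.org.":        [(128, "issue", "ca-a.domain.tld")],
    "us.example.org.":     [(128, "issue", "ca-b.domain.tld")],
    "ny.us.example.org.":  [(128, "issue", "ca-x.domain.tld")],
    "shop.example.org.":   [(0, "issue", "ca-a.domain.tld; maxvalidity=360"),
                            (0, "issuewild", "ca-w.domain.tld"),
                            (0, "iodef", "mailto:security@example.org")],
    "locked.example.org.": [(0, "issue", ";")],         # nobody may issue
    "odd.example.org.":    [(128, "futuretag", "x")],   # critical, unknown tag
}


def parent(name):
    """'us.example.org.' -> 'example.org.'; 'org.' -> None (search ends at the TLD)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa(zone, name):
    """Climb from name toward the root; the first CAA RRset found is the only one that counts."""
    node = name if name.endswith(".") else name + "."
    while node:
        if zone.get(node):
            return node, zone[node]
        node = parent(node)
    return None, []


def parse_issue_value(value):
    """'ca.domain.tld; maxvalidity=360' -> ('ca.domain.tld', {'maxvalidity': '360'}); ';' -> (None, {})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower() or None
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return issuer, params


def may_issue(zone, name, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue for name. Returns (allowed, reason)."""
    if name.startswith("*."):            # a wildcard request is checked at the parent name
        name, wildcard = name[2:], True
    owner, rrset = relevant_caa(zone, name)
    if not rrset:
        return True, "no CAA record set found up to the TLD; any CA may issue"
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, "critical flag on unknown tag %r at %s" % (tag, owner)
    # issuewild governs wildcards only when present; otherwise issue records apply
    wanted = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        wanted = "issuewild"
    permitted = set()
    for _, tag, value in rrset:
        if tag.lower() == wanted:
            issuer, _params = parse_issue_value(value)
            if issuer:                   # a bare ';' yields no issuer at all
                permitted.add(issuer)
    if ca_domain.lower() in permitted:
        return True, "%s listed in %s records at %s" % (ca_domain, wanted, owner)
    return False, "%s not listed in %s records at %s" % (ca_domain, wanted, owner)


if __name__ == "__main__":
    for host, ca in [("ny.us.example.org", "ca-x.domain.tld"),
                     ("asia.example.org", "ca-a.domain.tld"),
                     ("*.shop.example.org", "ca-a.domain.tld"),
                     ("locked.example.org", "ca-a.domain.tld")]:
        print(host, ca, may_issue(ZONE, host, ca))
```

Note that the climb returns the first record set and stops: a CA listed only at example.org. is refused for www.ny.us.example.org, because the record set at ny.us.example.org. shadows it. A real CA resolves these names over the network (ideally with DNSSEC validation); the dictionary stands in for that lookup here.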
36. deploying CAA
37. DNS server support
   • the CAA record is supported natively in newer versions of popular DNS servers:
   • BIND 9.10/9.11
   • BIND 10/Bundy-DNS
   • LDNS
   • NSD
   • Knot DNS
   • PowerDNS
   • Google Cloud DNS
   • Unbound
38. DNS server support
   • users of older DNS servers can publish the CAA record in the "unknown record" format (RFC 3597):
   • BIND 9.8/9.9
   • Windows DNS 2016
   • older NSD
   • older PowerDNS
39. generate a CAA record
   • SSLMate offers an online CAA record generator: https://sslmate.com/labs/caa/
40. generate a CAA record
   • the tool "named-rrchecker" from BIND 9.11 can be used to convert a CAA record into the RFC 3597 format usable with older DNS servers. Put the record value in double quotes inside a single-quoted shell string; with the quoting the other way round the quote characters end up inside the record value (the value below is 22 octets: one flags octet, one tag-length octet, "issue" and "letsencrypt.org"):
   $ echo 'IN CAA 128 issue "letsencrypt.org"' | named-rrchecker -u
   CLASS1 TYPE257 \# 22 800569737375656C657473656E63727970742E6F7267
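The conversion named-rrchecker performs, as an added example that is not code from the slides or from BIND: it encodes CAA RDATA (flags octet, tag length, tag, value) into the RFC 3597 "\# <length> <hex>" form and decodes it back, so a record can be checked before it is pasted into an older server's zone file. Uppercase hex and the "\;" escaping for dnssec-signzone-style output are chosen to match the forms shown on the slides; the function names are this example's own.

```python
# Added example, not code from the slides or from BIND: CAA RDATA (RFC 6844 §5.1)
# to and from the RFC 3597 generic presentation format (\# <len> <hex>).
import re

TAG_RE = re.compile(r"^[A-Za-z0-9]{1,255}$")   # RFC 6844: tag is 1..255 alphanumerics


def caa_rdata(flags, tag, value):
    """Wire-format CAA RDATA: flags (1 octet), tag length (1 octet), tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not TAG_RE.match(tag):
        raise ValueError("tag must be 1-255 alphanumeric characters")
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def caa_to_rfc3597(flags, tag, value):
    """'\\# 22 8005...' as an older server expects it for TYPE257."""
    rdata = caa_rdata(flags, tag, value)
    return "\\# %d %s" % (len(rdata), rdata.hex().upper())


def rfc3597_to_caa(text):
    """Parse '\\# <len> <hex...>' back into (flags, tag, value); hex may be split by whitespace."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != "\\#":
        raise ValueError("not RFC 3597 generic RDATA")
    length = int(parts[1])
    rdata = bytes.fromhex("".join(parts[2:]))
    if len(rdata) != length:
        raise ValueError("declared length %d != %d octets" % (length, len(rdata)))
    if length < 2:
        raise ValueError("CAA RDATA needs at least flags and tag length")
    flags, tag_len = rdata[0], rdata[1]
    if 2 + tag_len > length:
        raise ValueError("tag length exceeds RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def to_presentation(flags, tag, value):
    """Native presentation form, escaping ';' the way dnssec-signzone prints it."""
    return '%d %s "%s"' % (flags, tag, value.replace(";", "\\;"))


if __name__ == "__main__":
    print(caa_to_rfc3597(128, "issue", "letsencrypt.org"))
    # decoding the 24-octet output of a mis-quoted shell command exposes the stray quotes
    print(rfc3597_to_caa("\\# 24 80056973737565276C657473656E63727970742E6F726727"))
    print(to_presentation(128, "issue", "ca.domain.tld; maxvalidity=360"))
```

Running rfc3597_to_caa over a record copied from a zone file is a cheap sanity check: a value that decodes with quote characters, a trailing space or an unexpected tag will be published verbatim by the old server and silently deny the intended CA.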
41. CAA security
   • without DNSSEC, a malicious actor who can spoof the DNS answers the CA receives during its CAA lookup can make a CA that is not listed issue a certificate
   • while not mandated by the RFC or the CAB Forum, it is highly recommended to secure CAA records with DNSSEC; the CAB Forum rules also allow a CA to treat a repeated lookup failure as permission to issue only if the zone has no DNSSEC chain to the root, so signing the zone closes that path as well
42. testing for CAA record
   • the popular TLS test at ssllabs.com reports whether a CAA record is present: https://www.ssllabs.com/ssltest/
43. additional information
   • HTTPS Certificate Issuance Becomes More Secure Thanks to New CAA Standard
     https://www.bleepingcomputer.com/news/security/https-certificate-issuance-becomes-more-secure-thanks-to-new-caa-standard/
   • An Introduction to Certification Authority Authorization (CAA)
     https://www.ssl.com/article/certification-authority-authorization-caa/
   • CAA Mandated by CA/Browser Forum
     https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
   • Thawte: Guide to CAA
     https://www.thawte.com/assets/documents/whitepaper/caa.pdf
   • DNS Certification Authority Authorization (CAA) Resource Record
     https://tools.ietf.org/html/rfc6844
44. Next
45. Men & Mice DNS Training
   • Introduction to DNS & BIND Hands-On Class
   • August 14 – 16, 2017 (Boston (MA), USA)
   • September 18 – 20, 2017 (Zurich, Switzerland)
   https://www.menandmice.com/training/
46. Men & Mice DNS Training
   • Introduction & Advanced DNS and BIND Topics Hands-On Class
   • August 14 – 18, 2017 (Boston (MA), USA)
   • September 18 – 22, 2017 (Zurich, Switzerland)
   https://www.menandmice.com/training/
47. Men & Mice DNS Training
   • DNS & BIND (German language)
   • May 22 – 24, 2017, Essen, DE
   • DNSSEC and DANE (German language)
   • December 4 – 12, 2017, Essen, DE
   http://linuxhotel.de/
48. our next webinar: the DNSSEC KSK of the root rolls
   The DNSSEC key signing key (or KSK) of the DNS root zone will be changed (rolled) this summer. During the time between July and October, all DNSSEC-validating resolvers need to get the new key material. In an ideal world, all works automagically. In this webinar we explain the KSK roll, how DNS resolvers will load the new KSK with the RFC 5011 protocol, and how a DNS administrator can verify that the new KSK is present in the resolver's configuration. Join us for a 45-minute webinar with a Q&A session at the end, on Thursday, June 1st, 2017 at 5:00 PM CEST / 3:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT.
49. Thank you! Questions? Comments?
