© Men & Mice http://menandmice.com
DNS Certification Authority Authorization (CAA) Resource Record
what will change in September?
1
Agenda
1. Brief overview of the CAA record
2. How CAA is used
3. CAA mandatory from September 2017
4. Detailed look at CAA
   1. ISSUE and ISSUEWILD
   2. IODEF - Reporting misuse
   3. The flags
   4. Custom CAA values
   5. Hierarchical CAA
5. Deploying CAA
2
a brief overview of the CAA record
3
CAA record
• the CAA (Certification Authority Authorization) record whitelists one or more certification authorities (CAs) to issue X.509 certificates (SSL/TLS, HTTPS etc.) for a specific domain
• starting from September 2017, CAs with a root certificate in one of the major web browsers must check for the CAA record and must follow the content of CAA when issuing new certificates
• the CAA record is defined in RFC 6844 - https://datatracker.ietf.org/doc/rfc6844/
4
certificate request w/o CAA
5
[diagram: the Client generates a keypair and sends a certificate signing request to CA A. Actors: Client, Web-Server example.com, DNS-Server, CA A]
certificate request w/o CAA
6
[diagram: CA A returns the CA-signed public key (aka certificate) to the Client]
certificate request w/o CAA
7
[diagram: the X.509 certificate is deployed on the web-server example.com]
certificate mis-issue
8
certificate request w/o CAA
9
[diagram: a malicious actor generates a keypair for example.com and sends a certificate signing request to CA B. Actors: malicious actor, Client, Web-Server example.com, DNS-Server, CA B]
certificate request w/o CAA
10
[diagram: CA B returns a CA-signed public key (aka certificate) for example.com to the malicious actor: the certificate is mis-issued]
certificate request with CAA
11
certificate request with CAA
12
[diagram: the Client generates a keypair and sends a certificate signing request to CA A. Actors: Client, Web-Server example.com, DNS-Server, CA A]
certificate request with CAA
13
[diagram: CA A fetches the CAA record for example.com from the DNS-Server]
certificate request with CAA
14
[diagram: CA A checks the CAA record content]
certificate request with CAA
15
[diagram: CA A returns the CA-signed public key (aka certificate) to the Client]
certificate request with CAA
16
[diagram: the X.509 certificate is deployed on the web-server example.com]
certificate mis-issue (prevented by CAA)
17
certificate request with CAA
18
[diagram: a malicious actor generates a keypair for example.com and sends a certificate signing request to CA B. Actors: malicious actor, Client, Web-Server example.com, DNS-Server, CA B]
certificate request with CAA
19
[diagram: CA B fetches the CAA record for example.com from the DNS-Server]
certificate request with CAA
20
[diagram: CA B checks the CAA record content]
certificate request with CAA
21
[diagram: CA B is not authorized by the CAA record of example.com, so no certificate is issued to the malicious actor]
what is changing in September?
22
CAB-Forum
• the CA/Browser (CAB) Forum sets the rules for publishing the root certificates of CAs in web browsers
  https://cabforum.org
• CAs and browser vendors are members of the CAB Forum
• the CAB Forum has decided that checking the CAA record is mandatory for member CAs starting in September 2017
23
https://cabforum.org/pipermail/public/2017-March/009917.html
CAB-Forum
• the CAB Forum does NOT(!) mandate that CA customers requesting a certificate from a CA must have a CAA record
• however, some CAs mandate CAA as part of their own policy
• customers can still request certificates from a CA without having a CAA record
• but not having CAA is less secure
24
a detailed look at CAA
25
CAA-Record
• the CAA "issue" property
26
example.org. CAA 128 issue "letsencrypt.org"
example.org. = the domain for the certificate
CAA = the CAA record type
CAA-Record
• the CAA "issue" property
27
example.org. CAA 128 issue "letsencrypt.org"
128 = the flags field
Flags:
0 = property not critical; if the CA cannot understand the property, the CAA record set can still be used
128 = property is critical; if the CA does not understand the property, the CA is not allowed to use the CAA information
CAA-Record
• the CAA "issue" property
28
example.org. CAA 128 issue "letsencrypt.org"
issue = the property tag
property tags currently defined by RFC 6844:
issue: the listed CA is permitted to issue a normal (non-wildcard) certificate for the domain
issuewild: the listed CA is permitted to issue a wildcard certificate for the domain
iodef: address to report CAA policy violations back to the customer
CAA-Record
• the CAA "issue" property
29
example.org. CAA 128 issue "letsencrypt.org"
"letsencrypt.org" = the value
Value for issue and issuewild: base domain name of the CA permitted to issue certificates for this domain
CAA-Record
• the CAA "issuewild" property
30
example.org. CAA 128 issuewild "letsencrypt.org"
issuewild = the property tag
issuewild: domain name of the CA permitted to issue a wildcard certificate for this domain (*.example.org)
CAA-Record
• the CAA "issue" property
31
example.org. CAA 128 issue ";"
";" = the value
a single semicolon ";" prevents any CA from issuing certificates for this domain
CAA-Record
• the CAA "iodef" property
32
example.org. CAA 128 issue "letsencrypt.org"
example.org. CAA 128 iodef "mailto:security@example.com"
example.org. CAA 128 iodef "https://iodef-report.example.com"
"mailto:..." = mail address for reports; "https://..." = web URL for reporting misuse
the property iodef defines a report channel that a CA can use to report malicious certificate requests (requests that violate the CAA policy)
Report format is defined in RFC 6546 "Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS"
https://tools.ietf.org/rfc/rfc6546.txt
https://en.wikipedia.org/wiki/Incident_Object_Description_Exchange_Format#Example
CAA-Record
• CA private properties
33
example.org. CAA 128 issue "ca.domain.tld; maxvalidity=360"
"ca.domain.tld" = standard value; "maxvalidity=360" = extra property value
in addition to the values defined in RFC 6844, CAs can define private property values. Different property values are separated by a semicolon ";"
CAA-Record
• semicolon in CAA-record
34
example.org. CAA 128 issue "ca.domain.tld\; maxvalidity=360"
some BIND 9 tools will escape the semicolon ";" with a backslash "\" (for example dnssec-signzone); the record above shows the escaped semicolon "\;"
https://www.mail-archive.com/bind-users@lists.isc.org/msg24423.html
CAA-Record
• hierarchical CAA
35
example.org. CAA 128 issue "ca-a.domain.tld"
us.example.org. CAA 128 issue "ca-b.domain.tld"
ny.us.example.org. CAA 128 issue "ca-x.domain.tld"
a CA must follow the DNS delegation chain upwards until it finds a matching CAA record (stops at top level domain)
this allows different CAs for branches in the DNS tree
[diagram: DNS tree "." > com > example.com > us.example.com > ny.us.example.com, with asia.example.com as a sibling branch under example.com; example.com gets its cert from ca-a, us.example.com from ca-b, ny.us.example.com from ca-x, and asia.example.com, having no CAA record of its own, inherits ca-a from example.com]
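The rules of slides 26 to 35 put together as an added Python example of the check a CA performs: climb the tree from the requested name (stopping at the TLD, as the deck says), honour the critical flag, distinguish issue from issuewild, treat ";" as "nobody may issue", and split off CA-private parameters such as maxvalidity. This is not Men & Mice code nor any CA's implementation; the zone data is constructed for the example (the deck's three hierarchical records plus a few extra names), and the wildcard fallback rule (issuewild governs wildcard requests, issue applies only when no issuewild record exists) is taken from RFC 6844, not from the slides.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 = not critical, 128 = critical
    tag: str     # property tag: issue, issuewild, iodef, ...
    value: str   # property value, e.g. "ca.domain.tld; maxvalidity=360"


# Constructed zone data for this example: the deck's hierarchical records plus
# a few extra names that exercise the other rules (all names are hypothetical).
ZONE = {
    "example.org.":        [CAA(128, "issue", "ca-a.domain.tld")],
    "us.example.org.":     [CAA(128, "issue", "ca-b.domain.tld")],
    "ny.us.example.org.":  [CAA(128, "issue", "ca-x.domain.tld")],
    "locked.example.org.": [CAA(0, "issue", ";")],             # nobody may issue
    "wild.example.org.":   [CAA(0, "issue", "ca-a.domain.tld"),
                            CAA(0, "issuewild", "ca-b.domain.tld")],
    "strict.example.org.": [CAA(128, "futuretag", "x")],       # critical, unknown tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name, zone):
    """Climb from the requested name toward the root and return the owner and
    records of the first non-empty CAA set (RFC 6844 section 4). As the deck
    states, the climb stops at the top-level domain, whose records are not used."""
    labels = name.rstrip(".").lower().split(".")
    while len(labels) > 1:
        fqdn = ".".join(labels) + "."
        if zone.get(fqdn):
            return fqdn, zone[fqdn]
        labels = labels[1:]
    return None, []


def parse_value(value):
    """Split 'ca.domain.tld; maxvalidity=360' into the CA domain and a dict of
    CA-private parameters; the bare value ';' yields an empty CA domain."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            params[key.strip()] = val.strip()
    return parts[0].lower(), params


def may_issue(ca_domain, requested_name, wildcard, zone=ZONE):
    """Decide, as a CA would, whether ca_domain may issue a certificate for
    requested_name (wildcard=True for *.requested_name). Returns (allowed, reason)."""
    owner, rrset = relevant_caa_set(requested_name, zone)
    if not rrset:
        return True, "no CAA record found: issuance is not restricted"
    # A critical (flag 128) property the CA does not understand means the CA
    # may not use this CAA set at all, so it has to refuse to issue.
    for rr in rrset:
        if rr.flags & 128 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown property '{rr.tag}' at {owner}"
    tag = "issuewild" if wildcard else "issue"
    candidates = [rr for rr in rrset if rr.tag.lower() == tag]
    if wildcard and not candidates:
        # RFC 6844: without issuewild properties, the issue properties govern wildcards too
        candidates = [rr for rr in rrset if rr.tag.lower() == "issue"]
    if not candidates:
        return True, f"no '{tag}' property at {owner}: issuance is not restricted"
    for rr in candidates:
        ca, params = parse_value(rr.value)
        if ca and ca == ca_domain.lower():
            return True, f"{ca} is authorised by {owner} (parameters: {params})"
    return False, f"{ca_domain} is not listed in the '{tag}' properties at {owner}"


if __name__ == "__main__":
    for ca, name, wild in [("ca-x.domain.tld", "ny.us.example.org.", False),
                           ("ca-b.domain.tld", "ny.us.example.org.", False),
                           ("ca-b.domain.tld", "www.us.example.org.", False),
                           ("ca-a.domain.tld", "asia.example.org.", False),
                           ("ca-a.domain.tld", "locked.example.org.", False),
                           ("ca-a.domain.tld", "wild.example.org.", True)]:
        print(ca, name, "(wildcard)" if wild else "", "->", may_issue(ca, name, wild))
```

Two points the walk-through makes visible: www.us.example.org has no record of its own and is governed by us.example.org (ca-b), exactly the inheritance the tree diagram shows, and a critical record with a tag the CA does not know blocks issuance entirely rather than being skipped, which is why flag 128 should be set deliberately.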
deploying CAA
36
DNS server support
• the CAA record is supported with newer versions of popular DNS servers
  • BIND 9.10/9.11
  • BIND 10/Bundy-DNS
  • LDNS
  • NSD
  • Knot DNS
  • PowerDNS
  • Google Cloud DNS
  • Unbound
37
DNS server support
• users of older DNS servers can publish the CAA record in the "unknown record" format (RFC 3597)
  • BIND 9.8/9.9
  • Windows DNS 2016
  • older NSD
  • older PowerDNS
38
generate a CAA record
• SSLmate offers an online CAA-record generator
39
https://sslmate.com/labs/caa/
generate a CAA record
• the tool "named-rrchecker" from BIND 9.11 can be used to convert a CAA record into the RFC 3597 format usable for older DNS servers
40
$ echo "IN CAA 128 issue 'letsencrypt.org'" | named-rrchecker -u
CLASS1 TYPE257 \# 24 80056973737565276C657473656E63727970742E6F726727
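An added Python example (not part of the deck and not BIND's named-rrchecker) that reproduces the conversion shown above and reverses it: it packs a CAA record into the RFC 6844 wire format (flags byte, tag length byte, tag, value), renders that as the RFC 3597 generic form for servers without native CAA support, and parses such a record back with length checks. Reading the slide's hex shows that the single quotes typed around letsencrypt.org became part of the value (0x27 at both ends), since master-file format only treats double quotes as quoting characters; the example reproduces those bytes exactly, but a record meant to match letsencrypt.org should carry the bare domain name.

```python
import re

CAA_TYPE = 257  # RR type number assigned to CAA


def caa_to_wire(flags, tag, value):
    """RFC 6844 section 5.1 RDATA: flags (1 byte), tag length (1 byte), tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_b = tag.encode("ascii")
    if not 1 <= len(tag_b) <= 255 or not tag_b.isalnum():
        raise ValueError("tag must be 1-255 alphanumeric ASCII characters")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def to_generic(flags, tag, value):
    """Render the record as 'CLASS1 TYPE257 \\# <length> <hex>' (RFC 3597 format)."""
    wire = caa_to_wire(flags, tag, value)
    return f"CLASS1 TYPE{CAA_TYPE} \\# {len(wire)} {wire.hex().upper()}"


def from_generic(text):
    """Parse the generic format back into (flags, tag, value); raises ValueError
    on anything that is not a well-formed CAA record."""
    m = re.fullmatch(r"\s*(?:CLASS1|IN)\s+TYPE257\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s]*)", text)
    if not m:
        raise ValueError("not a generic-format CAA record")
    declared = int(m.group(1))
    wire = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(wire) != declared:
        raise ValueError(f"declared length {declared} != actual length {len(wire)}")
    if len(wire) < 2 or wire[1] == 0 or len(wire) < 2 + wire[1]:
        raise ValueError("truncated CAA RDATA")
    flags, tag_len = wire[0], wire[1]
    tag = wire[2:2 + tag_len].decode("ascii")
    value = wire[2 + tag_len:].decode("utf-8")
    return flags, tag, value


if __name__ == "__main__":
    # Reproduces the named-rrchecker output on the slide, quotes included
    generic = to_generic(128, "issue", "'letsencrypt.org'")
    print(generic)
    print(from_generic(generic))
    # The record most people actually want: the bare CA domain as the value
    print(to_generic(128, "issue", "letsencrypt.org"))
```

Comparing the two to_generic outputs in the usage block is a quick way to spot the stray quotes: the second one is two bytes shorter (length 22) and its hex has no 27 at either end of the value.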
CAA security
• without DNSSEC, a malicious actor can spoof the CAA check done by the CA to obtain a mis-issued certificate
• while not mandated by the RFC or the CAB Forum, it is highly recommended to secure CAA records with DNSSEC
41
testing for CAA record
• the popular TLS test at ssllabs.com tests for the presence of the CAA record:
42
https://www.ssllabs.com/ssltest/
[screenshot: the SSL Labs report line "CAA" reads "present"]
additional information
• HTTPS Certificate Issuance Becomes More Secure Thanks to New CAA Standard
  https://www.bleepingcomputer.com/news/security/https-certificate-issuance-becomes-more-secure-thanks-to-new-caa-standard/
• An Introduction to Certification Authority Authorization (CAA)
  https://www.ssl.com/article/certification-authority-authorization-caa/
• CAA Mandated by CA/Browser Forum
  https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
• Thawte - Guide to CAA
  https://www.thawte.com/assets/documents/whitepaper/caa.pdf
• DNS Certification Authority Authorization (CAA) Resource Record
  https://tools.ietf.org/html/rfc6844
43
Next
44
Men & Mice DNS Training
• Introduction to DNS & BIND Hands-On Class
  • August 14 – 16, 2017 (Boston (MA), USA)
  • September 18 – 20, 2017 (Zurich, Switzerland)
45
https://www.menandmice.com/training/
Men & Mice DNS Training
• Introduction & Advanced DNS and BIND Topics Hands-On Class
  • August 14 – 18, 2017 (Boston (MA), USA)
  • September 18 – 22, 2017 (Zurich, Switzerland)
46
https://www.menandmice.com/training/
Men & Mice DNS Training
• DNS & BIND (German Language)
  • May 22 – 24, 2017, Essen, DE
• DNSSEC and DANE (German Language)
  • December 4-12, 2017, Essen, DE
47
http://linuxhotel.de/
our next webinar: the DNSSEC KSK of the root rolls
The DNSSEC key signing key (or KSK) of the DNS root zone will be changed (rolled) this summer. During the time between July and October, all DNSSEC validating resolvers need to get the new key material.
In an ideal world, all works automagically.
In this webinar we explain the KSK roll, how DNS resolvers will load the new KSK with the RFC 5011 protocol, and how a DNS administrator can verify that the new KSK is present in the resolver's configuration.
Join us for a 45-minute webinar with a Q&A session at the end, on Thursday, June 1st, 2017 at 5:00 PM CEST / 3:00 PM GMT / 11:00 AM EDT / 8:00 AM PDT.
48
Thank you!
Questions? Comments?
49

The CAA-Record for increased encryption security
