DNS Certification Authority Authorization

DNS Certification Authority Authorization
StatusProposed Standard
First publishedOctober 18, 2010 (2010-10-18)
Latest versionRFC 8659
November 2019
OrganizationIETF
Authors
AbbreviationCAA

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record.

It was drafted by computer scientists Phillip Hallam-Baker and Rob Stradling in response to increasing concerns about the security of publicly trusted certificate authorities. It is an Internet Engineering Task Force (IETF) proposed standard.

Background

A series of incorrectly issued certificates from 2001 onwards damaged trust in publicly trusted certificate authorities, and accelerated work on various security mechanisms, including Certificate Transparency to track mis-issuance, HTTP Public Key Pinning and DANE to block mis-issued certificates on the client-side, and CAA to block mis-issuance on the certificate authority side.

The first draft of CAA was written by Phillip Hallam-Baker and Rob Stradling, and submitted as an IETF Internet Draft in October 2010. This was progressively improved by the PKIX Working Group, and approved by the IESG as RFC 6844, a Proposed Standard, in January 2013. CA/Browser Forum discussion began shortly afterward, and in March 2017 they voted in favor of making CAA implementation mandatory for all certificate authorities by September 2017. At least one certificate authority, Comodo, failed to implement CAA before the deadline. A 2017 study by the Technical University of Munich found many instances where certificate authorities failed to correctly implement some part of the standard.

In September 2017, Jacob Hoffman-Andrews submitted an Internet Draft intended to simplify the CAA standard. This was improved by the LAMPS Working Group, and approved as RFC 8659, a Proposed Standard, in November 2019.

As of January 2020, Qualys reports that still, only 6.8% of the 150,000 most popular TLS-supporting websites use CAA records.

Record

Certificate authorities implementing CAA perform a DNS lookup for CAA resource records, and if any are found, ensure that they are listed as an authorized party before issuing a digital certificate. Each CAA resource record consists of the following components:

flag
A flags byte which implements an extensible signaling system for future use. As of 2018, only the issuer critical flag has been defined, which instructs certificate authorities that they must understand the corresponding property tag before issuing a certificate. This flag allows the protocol to be extended in the future with mandatory extensions, similar to critical extensions in X.509 certificates.
tag
One of the following property:
issue
This property authorizes the holder of the domain specified in associated property value to issue certificates for the domain for which the property is published.
issuewild
This property acts like issue but only authorizes the issuance of wildcard certificates, and takes precedence over the issue property for wildcard certificate requests.
iodef
This property specifies a method for certificate authorities to report invalid certificate requests to the domain name holder using the Incident Object Description Exchange Format. As of 2018, not all certificate authorities support this tag, so there is no guarantee that all certificate issuances will be reported.
contactemail
Increasingly, contact information is not available in WHOIS due to concerns about potential GDPR violations. This property allows domain holders to publish contact information in DNS.
contactphone
As above, for phone numbers.
value
The value associated with the chosen property tag.

The lack of any CAA records authorizes normal unrestricted issuance, and the presence of a single blank issue tag disallows all issuance.

Third parties monitoring certificate authority behavior might check newly issued certificates against the domain's CAA records, but must be aware that a domain's CAA records may have changed between the time the certificate was issued and the time the third-party checks them. Clients must not use CAA as part of their certificate validation process.

Extensions

RFC 8657 specifies "accounturi" and "validationmethods" parameters which allow users to specify desired methods of domain control validation as defined in ACME protocol. For example, website administrator can bind a domain they control to particular account registered with their desired Certification Authority.

History

A draft of the first extension to the CAA standard was published on October 26, 2016, proposing a new account-uri token to the end of the issue property, which ties a domain to a specific Automated Certificate Management Environment account. This was amended on August 30, 2017, to also include a new validation-methods token, which ties a domain to a specific validation method, and then further amended on June 21, 2018 to remove the hyphen in account-uri and validation-methods making them instead accounturi and validationmethods.

Examples

To indicate that only the certificate authority identified by ca.example.net is authorized to issue certificates for example.com and all subdomains, one may use this CAA record:

example.com.  IN  CAA 0 issue "ca.example.net"

To disallow any certificate issuance, one may allow issuance only to an empty issuer list:

example.com.  IN  CAA  0 issue ";"

To indicate that certificate authorities should report invalid certificate requests to an email address and a Real-time Inter-network Defense endpoint:

example.com.  IN  CAA 0 iodef "mailto:[email protected]"
example.com.  IN  CAA 0 iodef "http://iodef.example.com/"

To use a future extension of the protocol, for example, one which defines a new future property, which needs to be understood by the certificate authority before they can safely proceed, one may set the issuer critical flag:

example.com.  IN  CAA  0 issue "ca.example.net"
example.com.  IN  CAA  128 future "value"

Known compliance incidents

In 2017, Camerfirma was found to improperly validate CAA records. Camerfirma claimed to have misunderstood the CA/Browser Forum Baseline Requirements describing CAA validation.

In early 2020, Let's Encrypt disclosed that their software improperly queried and validated CAA records potentially affecting over 3 million certificates. Let's Encrypt worked with customers and site operators to replace over 1.7 million certificates, but decided not to revoke the rest to avoid client downtime and since the affected certificates would all expire in less than 90 days.

See also


This page was last updated at 2021-11-10 21:36 UTC. Update now. View original page.

All our content comes from Wikipedia and under the Creative Commons Attribution-ShareAlike License.


Top

If mathematical, chemical, physical and other formulas are not displayed correctly on this page, please useFirefox or Safari