New Security Measure For Your Domains: Certification Authority Authorization
Even with periodic security audits and automated controls by the Certificate Authority (CA), the issuance of fraudulent certificates is not uncommon. Certificates can still be issued to someone other than the domain owner. An example of this is Symantec's recent headline of improper ownership validation which led to many certificate mis-issues over the years. With Symantec being one of the world's largest Certificate Authorities, this security flaw poses a huge risk to almost all SSL certificate customers. To overcome this, a new DNS record called Certificate Authority Authorization (CAA) has been introduced. It's a control policy that domain owners can use to specify which CA is authorized to issue certificates for a given domain. The CA/Browser Forum, an organization that combines major browser vendors and Certificate Authorities, voted to make the CAA record checking mandatory by all Certificate Authorities before they can issue a certificate. In other words, a Certificate Authority cannot issue a certificate for a domain unless they are specifically listed as an authorized CA in the CAA record.
CAA Record Format
CAA record is represented in the following format:
CAA < flag > < tag > < value >
Flag: an unsigned integer between 0-255 used to represent the critical flag. Default flag is 0. Click here for more information.
Tag: an ASCII string that represents the identifier of the property represented by the record. There are three types of tag property.
- Issue: this allows the specified Certificate Authority to issue any type of certificate for the given domain.
- Issuewild: this allows the specified Certificate Authority to issue any wildcard certificate for the given domain.
- Iodef: this allows customers to specify an e-mail address or hostname where CAs will have to send reports if they receive unauthorized certificate request for the given domain.
Value: the value associated with the tag.
As an example, we can use CAA record to only allow Comodo to issue regular and wildcard certificate for your domain.
A CAA record can be set on both the domain and the subdomain level. In this case, the CAA record for a subdomain will take precedence over the CAA record of the parent domain, regardless of whether they are more permissive or more restrictive. For example, if a CAA record is set for the parent domain only, all of its subdomain will inherit the same restriction. But if one of the subdomains has a CAA record with a different restriction than the parent domain, the subdomain CAA record will apply.
Word of Caution
Be sure to be cautious when creating CAA records. If you have other departments obtaining certificates, you need to coordinate with all departments to be sure that all Certificate Authorities in use will be added to your CAA records. This is important as CAA checking is mandatory and a Certificate Authority can't override rejected orders. Also, if you're using a content delivery network or hosting provider that provides its own certificates through a different Certificate Authority, this has to be taken into account. As a quick check, you may want to query for certificates issued to your domain using this link, which will return a list of the issuing Certificate Authorities for the domain.