When you ask a Certificate Authority to issue an SSL certificate for a domain, you have to prove that you control that domain. For Domain Validated certificates, that often involves uploading a special file to a server connected to the domain. If the file provided by the CA appears on the server, they know you’re in control.
In most cases, that’s a valid way to show who controls the domain. But if a hacker has compromised a WordPress or Magento site, they may be able to upload a verification file. There’s a flaw in the system that malicious individuals can use to influence a Certificate Authority into issuing a certificate for a domain they don’t have legitimate control over. They have control over the site, but that control isn’t legitimate. Certificate Authority Authorization records are intended to close that loop in the verification process.
Certification Authority Authorization (CAA) records are a “new” (the RFC for the proposed standard was technically released in 2013) DNS record type, which will be used by Certificate Authorities (CAs) to add an additional layer of security for domain holders in regard to SSL certificates being provisioned under their name.
The CA/Browser forum – a voluntary group of companies such as Google, Mozilla, and Comodo – took a vote on making the use of these records mandatory, which passed earlier this year.
This means that major browsers will only trust certificates if they’re issued by a Certificate Authority that checks CAA records as part of its process. If the domain owner sets the CAA DNS record, Certificate Authorities have to respect the contents of that record.
How CAA Records Work
In order to help explain this better I’ve provided an example below:
We’ll presume Acme Company, Inc. controls example.com and only uses Comodo as their CA. The admins for their domain/DNS zone create the following CAA record:
example.com. IN CAA 0 issue "comodoca.com"
When the admins for example.com submit a request to Comodo to create a new SSL certificate for their domain, Comodo then runs a lookup against the domain’s existing CAA records to determine if they are permitted to issue the certificate. Upon seeing that the record exists and references them, they proceed with the creation of the certificate.
It’s worth noting that CAAs don’t take the place of current verification/validation procedures for SSL provisioning, but rather add an additional layer to cover situations that were not handled under the existing processes.
To dive into some specifics on how the records themselves are laid out, I’ve provided examples below for each “property tag” that can be specified:
issue
As shown in the example above, the “issue” property tag names a specific CA that is authorized to provision certificates for the domain in question.
example.com. IN CAA 0 issue "comodoca.com"
issuewild
Exactly the same as issue, except that this tag authorizes the named CA to issue wildcard certificates as well.
example.com. IN CAA 0 issuewild "comodoca.com"
iodef
This property tag currently isn’t fully supported by all CAs. Its purpose is to provide contact information, such as an e-mail address, that a CA can use when there’s an issue with the certificate itself, or when someone has attempted to request a certificate that violates the rules set by the domain’s other CAA property tags.
example.com. IN CAA 0 iodef "mailto:email@example.com"
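To make the lookup described above concrete (the CA walks from the requested name up to the closest CAA record set, then checks whether its own issuer domain is listed under the right property tag), here is an added example of that decision logic. It is not Nexcess or any CA’s code; the zone data is constructed inline instead of coming from a live DNS query, and the “;” value and the critical flag are handled as the CAA specification defines them.

```python
from dataclasses import dataclass

@dataclass
class CAARecord:
    flags: int   # 128 = issuer-critical flag
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain; ";" alone means "no CA may issue"

# Constructed zone data (not a live DNS lookup): example.com authorizes Comodo
# for ordinary certificates and forbids wildcard issuance to everyone.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "comodoca.com"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:email@example.com"),
    ],
    "noca.example.com": [],  # no CAA records of its own: the parent's apply
}

def relevant_caa_set(name: str, zone: dict) -> list:
    """Walk from the requested name toward the root; the closest non-empty set wins."""
    labels = name.lower().rstrip(".").removeprefix("*.").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def ca_may_issue(name: str, ca_domain: str, zone: dict, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue a certificate for name."""
    wildcard = wildcard or name.startswith("*.")
    rrset = relevant_caa_set(name, zone)
    # A record with the critical flag and a tag the CA doesn't understand must block issuance.
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard requests when present
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True  # nothing published for this kind of request: normal validation applies
    # Compare only the issuer domain; anything after ';' is an optional parameter list.
    allowed = {r.value.split(";")[0].strip().lower() for r in applicable}
    return ca_domain.lower() in allowed
```

Note how www.example.com, which has no records of its own, inherits example.com’s policy, so a compromised subdomain cannot simply sidestep the parent’s restriction.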
What Do CAAs Mean For Nexcess Customers?
This is a good thing. There have been countless events in previous years in which malicious parties have been able to provision certificates for domains that they don’t have control over. This new enforcement tool provides companies and individuals with another layer of security for their domains and the certificates issued under them.
In addition to all of the above, CAs are only enforcing these rules if the records exist. If you’d rather not use them (though I’d highly recommend doing so) your interactions with CAs when purchasing a certificate will be the same as they always have.
We’re proud to announce that we’ve implemented full support for CAA records within Portal and you can log in and get started with creating those today.
As always, if you have any questions regarding these records or need assistance with creating them, you can contact the best Support Team in the world by opening a ticket, E-Mailing firstname.lastname@example.org, or by contacting us via phone at any time.