CAA Records: An Alternative to DANE for Protecting SSL/TLS Certificate Users

I. Introduction

One of the oddities of the SSL/TLS certificate ecosystem is that there are many broadly-trusted Certificate Authorities (CAs), and EACH of those CAs (technically) has the ability to issue a trusted certificate for ANY domain.

Moreover, the mere fact that one CA may have already issued a certificate for a given domain DOESN’T prevent a second CA from also issuing a certificate for that SAME domain!

This sort of trusted-certificates-from-multiple-providers scenario can legitimately arise when a site changes from one CA to another.

However, certificates have been mis-issued by accident, and from time to time the bad guys have also figured out ways to get certificates for domains they don’t legitimately control. Certificate authorities go to great lengths to ensure that this rarely happens, but even the possibility that it could occur is worrisome.

You’d really like to have the ability to say, ‘Hey, my domain ONLY obtains certificates from CA “Foo.” If you see a certificate for this domain from some OTHER provider, that CA is NOT one we use, so don’t trust it!’

There are now two main approaches, both DNS-based, that you can use to try to protect your domains from mis-issued certs: DANE and CAA.

Let’s consider DANE first.

II. DANE (“DNS-Based Authentication of Named Entities”)

DNSSEC was originally created as a way to prevent cache-poisoning and related attacks against the domain name system.

DNSSEC creates a cryptographically-signed trust hierarchy that flows from the root domain (.) down through top-level domains (such as .com), on through 2nd-level domains (such as example.com) to individual fully qualified domain names (such as www.example.com). When resolving a DNSSEC-signed domain name, the results that are received get checked to ensure that they cryptographically validate.

That DNSSEC trust hierarchy also creates an alternative trust hierarchy for SSL/TLS certificates: DANE.

DANE can be used both as a potential alternative to traditional commercial CAs, OR as a way of confirming the commercial certificate authority (or the specific commercial certificate) that a site is using. See the DANE usage modes for details.

Unfortunately, using DANE means that a site needs to DNSSEC-sign its zone, and DNSSEC deployment has seen limited uptake to date. For example, in the ISOC report “State of DNSSEC Deployment 2016”, ISOC reports that only about 0.5 percent (1/2 of 1%) of all dot com zones are DNSSEC-signed.

The number of sites that are publishing TLSA records (needed to do DANE) is even smaller. We can check Farsight Security’s passive DNS database, DNSDB, for https TLSA records for the default https port (443/TCP) by saying:

$ dnsdb_query.py -r _443._tcp.\*/TLSA -l 1000000 > _443._tcp.txt

Our output will be in “_443._tcp.txt”. We can clean up that file by deleting comment lines (lines containing the literal string “;;”) and blank lines, using vim (or some other preferred editor). Having done so, at the time this article was prepared, we were left with just 304 TLSA records. That’s not very many.

If we reduce those records to just unique effective 2nd-level domains, we take the count of unique TLSA records down even further, to just 145 unique effective 2nd-level domains:

$ awk '{print $1}' < _443._tcp.txt | 2nd-level-dom | sort -u | wc -l
    145

That’s REALLY not very many. A list of these domains is attached as Appendix I. [If there are domains publishing TLSA records for 443/TCP that we’ve missed, we’d love to hear about them.]

The other factor limiting the impact of DANE is “end-user visibility.” Even if sites publish TLSA records, without a 3rd-party browser extension most browsers won’t actually check and validate a domain’s DANE status. This means that even if a domain is secured with DANE, without a validating browser extension installed, you’d never know it. More significantly, if a domain is secured with DANE and you bump into someone who’s “trying something fishy,” without a browser extension installed you’d not know THAT, either! Clearly, browser extensions providing end-user visibility play an important role in making DANE operationally meaningful. If you’d like to add DANE validation support to the browser you use, see Mr. Shumon Huque’s excellent article. It does a very nice job of explaining how to go about adding a DANE validation extension to Firefox.

III. The Alternative to DANE: Certification Authority Authorization (CAA) Resource Records

Since DANE has not been very broadly adopted as a way of “nailing down” the CA that a site actually uses, an alternative has been developed: the CAA record, defined in RFC 6844.

Checking for CAA records has been made mandatory for broadly trusted CAs, effective 8 September 2017, per a CA/Browser Forum ballot. This means that if a CAA record exists for a domain, any broadly trusted CA approached to issue a certificate for that domain must check and honor the constraints that record imposes. If no CAA record exists, normal certificate issuance procedures are followed.

We checked the June 2017 DNSDB Export data (271,530,170,657 octets) to see if we could find any CAA records. We did that with the command:

$ dnstable_dump -r /export/dnstable/mtbl/dns.201706.M.mtbl | rg -i " CAA " > caa.txt

The “ripgrep” tool (rg) used in the above pipeline is freely available.

We condensed that output to just the effective 2nd-level domains by saying:

$ awk '{print $1}' < caa.txt | 2nd-level-dom | sort -u > caa-doms-only.txt

There were 418 domains which had one or more CAA records defined. A copy of those domains can be found in Appendix II. Again, this is not a lot of domains right now, but we expect that this number will grow over time.
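
The reduction used above and in Section II (strip comment and blank lines, take the owner name, collapse to effective 2nd-level domains, count the unique ones) is shown below as an added Python example; it is not the post’s own “2nd-level-dom” tool. The sample DNSDB-style lines and the tiny public-suffix table are constructed for illustration; a real run would load the full Public Suffix List.

```python
# Added example, not the post's own "2nd-level-dom" tool: clean DNSDB
# presentation-format output (dnsdb_query.py / dnstable_dump -r) and reduce it
# to unique effective 2nd-level domains. Sample lines and the suffix table are
# constructed; a real run would load the full Public Suffix List.
from typing import Iterable, List

# Constructed stand-in for the Public Suffix List (longest matching suffix wins).
PUBLIC_SUFFIXES = {"com", "org", "net", "de", "uk", "co.uk", "au", "com.au"}

# Constructed sample in the format the post's queries produce (hex values are fake).
SAMPLE_OUTPUT = """\
;; record times: 2017-06-01 .. 2017-06-30
;; count: 9
_443._tcp.www.example.com. IN TLSA 3 1 1 ab12cd34
_443._tcp.mail.example.com. IN TLSA 3 1 1 ef56ab78

_443._tcp.shop.example.co.uk. IN TLSA 3 0 1 9a0b1c2d
example.org. IN CAA 0 issue "letsencrypt.org"
www.example.org. IN CAA 128 issue "digicert.com"
"""


def owner_names(lines: Iterable[str]) -> List[str]:
    """First field of every record line; ';;' comment lines and blank lines are dropped."""
    return [ln.split()[0] for ln in lines if ln.strip() and not ln.startswith(";;")]


def effective_2ld(name: str) -> str:
    """Registrable domain: one label in front of the longest known public suffix."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # labels[i-1] is the registrant-chosen label in front of the suffix
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown TLD: fall back to the last two labels


def unique_2lds(text: str) -> List[str]:
    """Equivalent of: awk '{print $1}' | 2nd-level-dom | sort -u."""
    return sorted({effective_2ld(n) for n in owner_names(text.splitlines())})
```

Note that the `_443._tcp.` service labels in front of TLSA owner names are handled by the same suffix walk, so TLSA and CAA output can be fed through the same function.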

We took those domains and performed a “dig” (limited to just CAA records) for each such domain.

Looking at just the “issue” records, the nine most popular CAs were:

181 letsencrypt.org
72 comodoca.com
68 digicert.com
25 geotrust.com
22 symantec.com
18 globalsign.com
10 thawte.com
8 rapidssl.com
7 godaddy.com

No other CA had half a dozen or more “issue” CAA records during June 2017.

Looking at just the “issuewild” records, the only CAs with half a dozen or more “issuewild” records were:

24 comodoca.com
9 digicert.com
7 geotrust.com

Looking at just the iodef records, no single email (or web) reporting address was associated with 6 or more CAA records.

We also checked the flags value in the CAA records. Normally the flags will be either 0 (not critical) or 128 (critical), but we also saw a few 1s and 5s (values that set bits RFC 6844 leaves reserved):

      Count    Value
        416    0
         37    128
         8     1
         2     5
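
As an added Python example (not code from the original post), the following implements the checks a CA is obliged to make under the CA/Browser Forum requirement described in Section III: it parses records in the presentation form shown above, finds the closest name at or above the requested one that has a CAA record set, applies “issue” versus “issuewild”, and treats the critical bit (128) and the odd flag values seen above (1, 5) as RFC 6844 specifies. The zone contents and CA names are constructed.

```python
# Added example, not code from the original post: evaluate RFC 6844 CAA policy
# for a candidate CA. The zone contents and CA names used in tests are constructed.
from dataclasses import dataclass
from typing import Dict, List

CRITICAL = 128  # bit 0 of the flags octet; bits 1-7 are reserved by RFC 6844


@dataclass
class CAA:
    flags: int
    tag: str    # "issue", "issuewild", "iodef", or an unknown tag
    value: str  # issuer domain (optionally followed by ";params"), or ";" for "nobody"


def parse_caa(rdata: str) -> CAA:
    """Parse presentation form such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


def relevant_records(zone: Dict[str, List[CAA]], name: str) -> List[CAA]:
    """RFC 6844 s4: the relevant set is the closest ancestor (or self) that has CAA."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)
    return []


def may_issue(zone: Dict[str, List[CAA]], name: str, ca: str, wildcard: bool = False) -> bool:
    """True if CA `ca` may issue for `name` (or for *.name when wildcard is set)."""
    rrset = relevant_records(zone, name)
    if not rrset:
        return True  # no CAA policy anywhere up the tree: normal issuance rules apply
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & CRITICAL and r.tag not in known for r in rrset):
        return False  # critical flag on a property this CA does not understand
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, alone governs wildcard requests
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True  # e.g. only iodef records: no issuance restriction is expressed
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in props}
    return ca.lower() in allowed  # a value of ";" yields "" and so matches no CA
```

Flags 1 and 5 leave bit 0 clear, so a CA treats such records as non-critical; only a critical flag on a tag the CA does not recognise blocks issuance outright.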

IV. What This All Means and More Information

Neither DANE nor CAA is seeing much adoption and use so far, but we’re just getting started. Hopefully DANE and/or CAA records will soon be a part of everyone’s domain configuration!

For more information about obtaining access to DNSDB or any Farsight product, please see our services page.

Appendix I. Effective 2nd-Level-Domains With TLSA records Known to DNSDB


Appendix II. Effective 2nd-Level Domains With One or More CAA Records


Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.