CAA Records: An Alternative to DANE for Protecting SSL/TLS Certificate Users
By Joe St. Sauver
I. Introduction
One of the oddities of the SSL/TLS certificate ecosystem is that there are many broadly-trusted Certificate Authorities (CAs), and EACH of those CAs (technically) has the ability to issue a trusted certificate for ANY domain.
Moreover, the mere fact that one CA may have already issued a certificate for a given domain DOESN'T prevent a second CA from also issuing a certificate for that SAME domain!
This sort of trusted-certificates-from-multiple-providers scenario can legitimately arise when a site changes from one CA to another.
However, certificates have been mis-issued by accident, and from time to time the bad guys have also found ways to obtain certificates for domains they don't legitimately control. Certificate authorities go to great lengths to ensure that this rarely happens, but even the possibility that it could occur is worrisome.
You'd really like to have the ability to say, 'Hey, my domain ONLY obtains certificates from CA "Foo." If you see a certificate for this domain from some OTHER provider, that CA is NOT one we use, so don't trust it!'
There are now two main approaches, both DNS-based, that you can use to try to protect your domains from mis-issued certs: DANE and CAA.
Let's consider DANE first.
II. DANE ("DNS-Based Authentication of Named Entities")
DNSSEC was originally created as a way to prevent cache-poisoning and related attacks against the domain name system.
DNSSEC creates a cryptographically-signed trust hierarchy that flows from the root domain (.) down through top-level domains (such as .com), on through 2nd-level domains (such as example.com) to individual fully qualified domain names (such as www.example.com). When resolving a DNSSEC-signed domain name, the results that are received get checked to ensure that they cryptographically validate.
That DNSSEC trust hierarchy also creates an alternative trust hierarchy for SSL/TLS certificates: DANE.
DANE can be used either as a potential alternative to traditional commercial CAs, OR as a way of confirming the commercial certificate authority (or the specific certificate) that a site is using. RFC 6698 expresses this as the four TLSA "certificate usage" values: usages 0 and 1 (PKIX-TA and PKIX-EE) constrain which CA or end-entity certificate is acceptable within the normally CA-validated chain, while usages 2 and 3 (DANE-TA and DANE-EE) name a trust anchor or end-entity certificate that is trusted on the strength of DNSSEC alone. See the usage modes as described here.
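To make a TLSA record concrete, here is an added example, written for this article and not code from the original page or from any DANE library, that builds and checks TLSA records in Python. It assumes a constructed, minimal DER blob with the outer layout of an X.509 certificate (so that SubjectPublicKeyInfo extraction can be shown without a crypto library); it is not a real certificate, and with a real one you would pass its DER bytes in instead.

```python
"""Build and match DANE TLSA records (RFC 6698) for a TLS server certificate.

Added example, not code from the original article.  A TLSA record has four
fields: certificate usage (0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE),
selector (0 = full DER certificate, 1 = SubjectPublicKeyInfo), matching type
(0 = exact, 1 = SHA-256, 2 = SHA-512) and the certificate association data.
The "certificate" below is a constructed DER structure with the same outer
layout as X.509, used only so the SPKI walk can be demonstrated offline.
"""
import hashlib


def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name at which the TLSA record is published, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}"


def der_tlv(tag, content):
    """Encode one DER TLV (content lengths up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_children(buf):
    """Yield (tag, raw_tlv, content) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        if first & 0x80:                       # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
            hdr = 2 + nbytes
        else:
            length, hdr = first, 2
        end = pos + hdr + length
        yield tag, buf[pos:end], buf[pos + hdr:end]
        pos = end


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo (TLSA selector 1 input).

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, _, cert_body = next(der_children(cert_der))   # outer SEQUENCE
    _, _, tbs_body = next(der_children(cert_body))   # tbsCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                         # explicit [0] version present
        fields = fields[1:]
    tag, spki_tlv, _ = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_tlv


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format RDATA for `cert_der`.  For usages 0 and 2 pass the
    trust-anchor (issuer) certificate; for 1 and 3 pass the end-entity certificate."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    elif mtype != 0:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {data.hex()}"


def tlsa_matches(cert_der, rdata):
    """True if `cert_der` is what the TLSA record `rdata` describes."""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3] == assoc.replace(" ", "").lower()


def constructed_cert():
    """Constructed stand-in for a certificate (NOT a real X.509 cert); returns (cert, spki)."""
    oid_rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))        # rsaEncryption
    oid_sha256rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSA
    null = der_tlv(0x05, b"")
    sig_alg = der_tlv(0x30, oid_sha256rsa + null)
    name = der_tlv(0x30, b"")                                           # empty Name
    validity = der_tlv(0x30, der_tlv(0x17, b"170601000000Z") + der_tlv(0x17, b"180601000000Z"))
    spki = der_tlv(0x30, der_tlv(0x30, oid_rsa + null) + der_tlv(0x03, b"\x00" + bytes(range(1, 33))))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02")) +               # version v3
                  der_tlv(0x02, b"\x01") +                              # serialNumber
                  sig_alg + name + validity + name + spki)
    cert = der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00" + b"\xAA" * 32))
    return cert, spki


if __name__ == "__main__":
    cert, _ = constructed_cert()
    print(tlsa_owner("www.example.com"), "IN TLSA", tlsa_rdata(cert))
```

The usual deployment choice is "3 1 1" (DANE-EE, SPKI, SHA-256): because selector 1 hashes only the public key, a renewed certificate that keeps the same key still matches the published record, whereas a selector 0 record has to be republished for every renewal.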
Unfortunately, using DANE means that a site needs to DNSSEC-sign its zone, and DNSSEC deployment has seen limited uptake to date. For example, in the ISOC report "State of DNSSEC Deployment 2016", ISOC reports that only about 0.5 percent (1/2 of 1%) of all dot com zones are DNSSEC-signed.
The number of sites that are publishing TLSA records (needed to do DANE) is even smaller. We can check Farsight Security's passive DNS database, DNSDB, for https TLSA records for the default https port (443/TCP) by saying:
$ dnsdb_query.py -r _443._tcp.\*/TLSA -l 1000000 > _443._tcp.txt
Our output will be in "_443._tcp.txt". We can clean up that file by deleting comment lines (lines containing the literal string ";;") and blank lines by using vim (or some other preferred editor). Having done so, at the time this article was prepared, we're left with just 304 TLSA records. That's not very many.
If we reduce those records to just unique effective 2nd-level domains, the count drops even further, to just 145 unique effective 2nd-level domains:
$ awk '{print $1}' < _443._tcp.txt | 2nd-level-dom | sort -u | wc -l
145
That's REALLY not very many. A list of these domains is attached as Appendix I. [If there are domains publishing TLSA records for 443/TCP that we've missed, we'd love to hear about them.]
The other factor limiting the impact of DANE is "end-user visibility." Even if sites publish TLSA records, without a 3rd-party browser extension most browsers won't actually check and validate a domain's DANE status. This means that even if a domain is secured with DANE, without a validating browser extension installed you'd never know it. More significantly, if a domain is secured with DANE and you bump into someone who's "trying something fishy," without a browser extension installed you'd not know THAT, either! Clearly, browser extensions providing end-user visibility play an important role in making DANE operationally meaningful. If you'd like to add DANE validation support to the browser you use, see Mr. Shumon Huque's excellent article. It does a very nice job of explaining how to go about adding a DANE validation extension to Firefox.
III. The Alternative to DANE: Certification Authority Authorization (CAA) Resource Records
Since DANE has not been very broadly adopted as a way of "nailing down" the CA that a site actually uses, an alternative has been developed: the CAA record, as defined in RFC 6844 (since superseded by RFC 8659, which keeps the same record format and semantics).
Checking CAA records has been mandatory for all broadly trusted CAs since 8 September 2017, per CA/Browser Forum Ballot 187. This means that before issuing a certificate for a name, a CA must look up the CAA records for that name (and, if none exist there, for each parent domain in turn) and must honor the constraints in the first CAA record set it finds. If no CAA record exists anywhere in that chain, normal certificate issuance procedures are followed. Note that CAA is enforced by the CA at issuance time only: unlike DANE, nothing is checked by the browser, so CAA does not protect against a CA that skips the check, and it says nothing about certificates issued before the record was published.
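What a CA actually does with these records when a request arrives, as an added example written for this article (not code from the original page or from any CA's code base; the zone contents are constructed). It follows the processing rules of RFC 6844 / RFC 8659: walk up from the requested name to find the first non-empty CAA set, apply "issuewild" rather than "issue" to wildcard requests, treat an empty issuer domain (";") as "nobody may issue", and refuse if a critical record carries a tag the CA does not understand.

```python
"""Decide whether a CA may issue for a name, given a zone's CAA records.

Added example, not code from the original article or from any CA.  Records
are modelled as (flags, tag, value) tuples, the same three fields dig prints.
"""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # tags this "CA" understands

# Constructed zone for the example: owner name -> list of CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; cansignhttpexchanges=yes"),
        (0, "issuewild", ";"),                       # no wildcard certs from anyone
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],       # no CA may issue at all
    "odd.example.com": [(128, "unknowntag", "x")],   # critical, unrecognised tag
    "mail.example.com": [(0, "iodef", "mailto:postmaster@example.com")],
}


def relevant_caa(zone, name):
    """First non-empty CAA RRset found at `name` or at one of its ancestors."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def parse_issue_value(value):
    """Split 'issuer-domain; k=v; k=v' into (issuer_domain, {params}).

    An empty issuer domain (value "" or ";") authorises no CA at all.
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return issuer, params


def issuance_permitted(zone, requested_name, ca_domain):
    """Apply CAA to a request for `requested_name` made to the CA `ca_domain`."""
    wildcard = requested_name.startswith("*.")
    lookup = requested_name[2:] if wildcard else requested_name
    rrset = relevant_caa(zone, lookup)
    if not rrset:
        return True                     # no CAA anywhere up the tree: no restriction
    # A critical record whose tag the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag.lower() not in KNOWN_TAGS:
            return False
    tags = {t.lower() for _, t, _ in rrset}
    # issuewild takes precedence for wildcard names; it is ignored for ordinary names.
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    issuers = [parse_issue_value(v)[0] for _, t, v in rrset if t.lower() == wanted]
    if not issuers:
        return True                     # set present but no issue restriction requested
    return ca_domain.lower() in issuers  # "" (from ";") never matches a real CA


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "letsencrypt.org"),
                     ("mail.example.com", "comodoca.com")]:
        print(f"{ca:16} -> {name:18} {'permitted' if issuance_permitted(ZONE, name, ca) else 'refused'}")
```

Two things in the constructed zone are worth noticing. An "issuewild" of ";" blocks every wildcard request even though ordinary names are allowed, and the iodef-only record at mail.example.com is a non-empty CAA set, so the lookup stops there and the parent's "issue" restriction no longer applies to that name. Parameters after the ";" (such as a validation-method or account binding) are parsed but left to the caller, since their meaning is defined by each CA.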
We checked the June 2017 DNSDB Export data (271,530,170,657 octets) to see if we could find any CAA records. We did that with the commands:
$ dnstable_dump -r /export/dnstable/mtbl/dns.201706.M.mtbl | rg -i " CAA " > caa.txt
The "ripgrep" tool (rg) used in the above pipeline is available here.
We condensed that output to just the effective 2nd-level domains by saying:
$ awk '{print $1}' < caa.txt | 2nd-level-dom | sort -u > caa-doms-only.txt
There were 418 domains which had one or more CAA records defined. A copy of those domains can be found in Appendix II. Again, this is not a lot of domains right now, but we expect that this number will grow over time.
We took those domains and performed a "dig" (limited to just CAA records) for each such domain.
Looking at just the "issue" records, the nine most popular CAs were:
  181 letsencrypt.org
   72 comodoca.com
   68 digicert.com
   25 geotrust.com
   22 symantec.com
   18 globalsign.com
   10 thawte.com
    8 rapidssl.com
    7 godaddy.com
No other CA had half a dozen or more "issue" CAA records during June 2017.
Looking at just the "issuewild" records, the only CAs with half a dozen or more "issuewild" records were:
   24 comodoca.com
    9 digicert.com
    7 geotrust.com
Looking at just the iodef records, no single email (or web) contact address appeared in 6 or more CAA records.
We also checked the flag value in the CAA records. Normally the flag will be either 0 (not critical) or 128 (issuer critical), but we also saw a few 1s and 5s:
  Count  Value
    416      0
     37    128
      8      1
      2      5
Only one flag bit is defined: the issuer-critical bit, which in the RFC 1035 bit-numbering convention is bit 0, the most significant bit of the octet (value 128). All other bits are reserved and should be zero, so flag values of 1 and 5 set reserved bits only and do NOT mark the record as critical. Most likely those operators intended "critical" and took "bit 0" to mean the least significant bit.
IV. What This All Means and More Information
Neither DANE nor CAA is seeing much adoption and use so far, but we're just getting started. Hopefully DANE and/or CAA records will soon be a part of everyone's domain configuration!
For more information about obtaining access to DNSDB or any Farsight product, please see our services page.
Appendix I. Effective 2nd-Level-Domains With TLSA records Known to DNSDB
3a52ce780950d4d969792a2559cd519d7ee8c727.org aegee.org aha-it.ch aibor.de alessandroz.pro andrumx.com atns.de autistici.org bishnet.net calyx.net cdom.de cheetah85.eu concentrade.de couturat.fr cryptech.is cvut.cz cypherpunks.ru debian.org defcon.org deghe.io desec.io diasp.org directbox.com dns-oarc.net dnssec-tools.org dnssec-validator.cz dominion.ch dougbarton.us drupal-mode.info eclipse.id.au egaspar.pro faui2k12.de fedoraproject.org fobos.de freebsd.org freenetproject.org fsinf.at genua.fr getdnsapi.net gragnottes.fr hacklab.to had-pilot.biz hd.se heypete.com huque.com identitysec.com inter-september.at interaffairs.com isc.org itverx.com.ve j3e.de jabber.at jabber.wien jelmer.uk joergschneider.com jrg.systems jskeo.com k-ict.org kabelmail.de karatsbichl.com kd2.io keepassx.org killian.com kroesen.de krude.de kumari.net labbrack.se laquadrature.net leterbe.com litts.net logosengineering.com lopez-cloud.de lundogbendsen.dk magneds.com mailbox.org miwu.net modum.by mtexx.com nevadafiber.net nic.cz nic.fr nlnetlabs.nl nohats.ca nomagic.fr o2r.fr oakes.me.uk octopuce.fr open-to-repair.fr os3sec.org peeters.io plattnerplace.us posteo.de q3q.us qnixsoft.com qualys.network rasalf.pw richlj.eu ripe.net rop.io samba.org sathanas.de schrimpe.de securemail-wshs.de shareworx.net shevaldin.ru sidnlabs.nl simplednscrypt.org skilpa.net smile.de spdysync.com ssl-tools.net st-mail.net starka.st stratum0.net suchat.org syngenuity.com t0biii.de t37.net team666.fr telbiur.com.pl theshape.eu timo-wingender.de tlakh.xyz tltms.de toppoint.de torproject.org trex.fi ttodd.com tutanota.com tutanota.de unitymedia.de usp.br valvisio-secure.de vaucher.org verisignlabs.com weltweit-gamma.eu winpack.cf wo2forum.nl worldlist.org xacl.org xn--rrc-wrfel-u9a.dk xs-net.de ze3kr.com zijlstra-automatisering.nl zx.com
Appendix II. Effective 2nd-Level Domains With One or More CAA Records
1c.link 2scale.net 3dnews.ru 3storysoftware.com 4ty.gr 6550101.ru abouthistory.ml accra.ca actionlabs.net adblockextreme.net adblockextreme.org adderall.space aerisnetwork.com afraid.org akavita.com allen.org.za alojalia.com altarisnine.com altstu.ru am1470.com amgresources.com andovercos.com anm.gov.my appspot.com apsiyon.com archi.fr arlet.click artyland.ru asianlegend.ca astralnalog.ru athenium.com ati.su atlantis.sk atolm.net au.edu.tw azbyka.ru balkaniyum.tv baseciq.org bbn.de bcit.ca beauty24.de benefitoutsourcing.com billaud.eu.org blberza.com bmm.com.tr boatcruises.com borntobooze.com bramvanaken.be bsdly.net bum.org caddyserver.com cashcall.com cashcallmortgage.com catsbats.org ccrek.be ccu.plus cdn6.de centos.org charite.de citilink.ru clearjay.com close.com cmail19.com cmail1.com cmail20.com cmail2.com cmail3.com cmail4.com cmail5.com cmkos.cz coloradomesa.edu comodo.com concordma.gov constabel-it.de controldecuenta.com convokesystems.com corvair.org covestor.com cpanel.com crashsec.com crayons.com.au createsend1.com createsend3.com createsend4.com createsend5.com cruzio.com culvers.com cuone.org custhelp.com cyh.com.tr daladubbeln.se depechemode-live.com deskspb.ru divegearexpress.com dm.agency dns-api.com drv.de duhamel.ws e2e4online.ru eastspring.com.tw eaton-works.com ecam.fr ecivis.com edwards.me.uk elektro-breitling.de elemental.org eleprintsa.com.ar emakina.com ender-m.at e-norvik.lv epidauros.be erdgeist.org evangel.edu execuchoice.com fedoraproject.org felsing.net fenerbahce.com.tr filopto.com fission.com flow.su fpunet.com fu-berlin.de galtier.me gamblers.casino garagemhermetica.org gaugusch.at generali.ro geneseeisd.org gentoo.org getfedora.org ghaglund.se giannakazakou.gr gibertjoseph.com glasgestaltung.biz gmu.edu goipv6.hk good-solutions.ch google.com googleusercontent.com gothic.net.au grepular.com griaudio.ru guap.ru gyas.nl ha.com hamradio.pl hansvaneijsden.com haplo.org hboeck.de hbu.edu headgear.org hentai.design hinata.co.za hkdnr.hk 
hkirc.hk hkst.com hldns.com home-v.ind.in honigman.com hookahmarket.ru hs-mannheim.de hsntech.com hudson.com humanasset.net hur.st hv.se hypotheca.ca idnet.com ihc.ru i-med.ac.at imirhil.fr imsweb.com insomniagamingfestival.com intelius.com inwx.net ip6.li ip.com ipdynamics.de irfu.se isracard.co.il i-teco.ru jb.org jeffco.k12.co.us jku.at jobisjob.co.uk joksch.info joomlapolis.com karloluiten.nl kartoteka.by ke2.io kk7.ch kooky.org ksh-linux.info kurbits.tech kyhwana.org kylelaker.com la-evento.com lavteam.org levigo.de levittgoodmanarchitects.com liquida.it loanme.com luceed.hr lynx.bc.ca madbavarian.org madderragroup.com mahono.com markusehrlicher.de math.ca matteomarescotti.it mcarrillo.co mcdonaldhopkins.com mcn.org medfusion.com medfusion.net mentor.pl mhbh.com microtekcorporation.com migrosbank.ch minkult.com missouricom.com mkb.ru mobydog.net mojapraca.sk monitman.solutions mtc.md myownconference.ru myspacebox.net mysubwaycard.com nails.eu.org naturalworld.ru neio.uk netbasics.nl netsite.dk nevz.com newpaltz.edu nfoservers.com niagararegion.ca nic.hu nic.ua niklas.pw nodo50.org nolo.io noorbank.com nopremium.pl nordea.ru nort.io nsk.su obscuredfiles.com oktetlabs.ru onlime.ru openhireresumes.com orange.de ort.edu.uy pandora.be pari.edu parks.on.ca pasarella.eu paulhastings.com paulhastingsllp.com paypc.com pcca.com perspectives.org pojistovnacs.cz polischuk.org posteo.de premiumfunding.net.au provu.co.uk pstatic.net psychedeli.cat qcom.it quickrelief.hk rabota.ua radiogothic.net raovatmienphi.org refer.io reintechnik.at remote.net rhymeswithmogul.com rightnow.com rio2016.com rockauto.com roe.ch rojan.net rootforum.org rpavlik.cz rruq.ca samba.org sarafanka.com savbb.sk sb.by sccu.com.au scottsboro.org secure-computing.net securycast.com seek.com.au seek.co.nz sefic.name semenov.su semplicita.eu service-now.com seuffer.de sevensages.org showgroup.com.au silkroad.com silkroadtech.com skatteverket.se slevomat.cz slickdeals.net smartftp.net smsv.com.ar 
socionet.ru softcom.net sorincocorada.ro spamwc.de spdf.net speedy.it sro.vic.gov.au stateheritage.wa.gov.au steadfast.net storm.ca st-projects.com structuralia.ro stulda.cz suai.ru suche.org sunyrockland.edu survivalpuck.com suzuki-motor.ru symantec.com syspro.com tampaelectric.com teamclassified.ca tecoenergy.com telehouse.bg telenet.be telenet-ops.be televes.shop telmex.com tensquaregames.com thefacebook.com theiapolis.com theory.org therevenge.me thinkindifferent.net tiendeo.mx tihlde.org tjsheds.com.au tobias-kluge.de tomsoft.hr tonyrobbins.com toptropicals.com tradeville.eu tranchant.co.uk treebaglia.xyz treehouse.org.za troianet.com.br truelite.it ttf.hr uah.es uatlantica.pt uc3m.es ue.poznan.pl ufs-online.ru ugcdn.com ultrabill.net ulttk.ru unfcu.com uni-berlin.de unice.fr unido.org unileoben.ac.at uni-rostock.de uni-sofia.bg univ-tlse1.fr unlp.edu.ar uralmash.ru urjc.es uta.fi ut-capitole.fr utc.fr utu.fi uvic.cat vdorst.com vfemail.net videoculinary.ru viemeister.com vminnovations.com vnx.me voyager.hr vpsforex.ru vrn.ru vsb.cz wallawalla.edu wangqiliang.com weddingwire.com wesasoft.at whitecliffodover.net wideband.net.au wimbo.nl wo2forum.nl wolfemg.com wowhull.com wrede.ca wsprings.com wsrcc.com xcx.cc xn--06qz4d21e1w4a175akjt.xn--j6w193g xn--06qz4d21eoy3e.xn--j6w193g xn--blq35e5y3ddkclsr.xn--j6w193g xn--blq35eru2b4ynehd87sxlz.xn--j6w193g xn--fhqt35f07ipwo.xn--j6w193g xn--tigreray-i1a.org xynex.us z0p.org zamg.ac.at zeoplus.com ziroh.be
Joe St Sauver, Ph.D. is a Scientist with Farsight Security, Inc.