Set CAA records for your domain to improve website security. This topic explains the background of the Certification Authority Authorization (CAA) standard and how to configure and verify CAA records using Alibaba Cloud DNS.
Background
Approximately 100 certification authorities (CAs) worldwide are authorized to issue HTTPS certificates that verify your website’s identity. However, some CAs may be added to a browser’s blacklist and publicly declared untrusted. When you visit a website that uses certificates from such CAs, browsers such as Google Chrome and Firefox display a warning: “HTTPS certificate is not trusted.” A red line appears through the HTTPS indicator in the address bar, and the page fails to load.
Certification Authority Authorization (CAA) is a security measure that prevents unauthorized issuance of HTTPS certificates. The Internet Engineering Task Force (IETF) approved the CAA standard in January 2013 as RFC 6844. In March 2017, the CA/Browser Forum passed Ballot 187, requiring all CAs to perform mandatory CAA checks starting September 8, 2017.
The CAA standard enables domain owners to authorize only specific CAs to issue certificates for their domains. This helps prevent unauthorized or incorrect certificate issuance. Alibaba Cloud DNS supports CAA records.
CAA record format
A CAA record has the format: [flag] [tag] [value]. It consists of a one-byte [flag] and a property pair—[tag]-[value]—also called a label-value pair. You can add multiple CAA records to a domain’s DNS configuration.
| Field | Description |
|---|---|
| flag | An unsigned integer between 0 and 255 that signals how a CA should handle the record. Set it to 0 in most cases; a value of 0 means the CA must ignore the record if it does not recognize the tag. |
| tag | Supported values are issue, issuewild, and iodef. |
| value | The domain name of a CA, or an email address used for violation notifications. |
Add a CAA record
Suppose you want to allow only symantec.com to issue certificates for the domain midengd.xyz and send violation reports to admin@midengd.xyz. Configure the CAA records as follows.
1. Log on to Alibaba Cloud DNS – Public authoritative DNS. Click Settings in the Actions column for the target domain.
2. Add the following two DNS records.

| Host record | Record value |
|---|---|
| @ | 0 issue "symantec.com" |
| @ | 0 iodef "mailto:admin@midengd.xyz" |
Check CAA records
Run dig <domain-name> <record-type> (here, dig midengd.xyz caa) to query the CAA records of a domain. The following example shows the command and its output; the ANSWER SECTION should list exactly the records you added.
sh-3.2# dig midengd.xyz caa
; <<>> DiG 9.10.5rc1 <<>> midengd.xyz caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26714
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;midengd.xyz. IN CAA
;; ANSWER SECTION:
midengd.xyz. 600 IN CAA 0 iodef "mailto:admin@midengd.xyz"
midengd.xyz. 600 IN CAA 0 issue "symantec.com"
;; Query time: 577 msec
;; SERVER: 30.26.X.X#53(30.26.X.X)
;; WHEN: Tue Dec 05 18:55:48 CST 2017
;; MSG SIZE rcvd: 114
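To make the record format above and the dig check concrete, the following is an added example (not Alibaba Cloud's code or part of the original page). It parses CAA records written in the presentation format that dig prints, then applies the issuance rules of RFC 6844 (as clarified by RFC 8659): a CA climbs from the requested name toward the root and uses the first CAA set it finds; issuewild governs wildcard requests when present, otherwise issue does; an empty issuer value forbids all issuance; and an unrecognised tag with the issuer-critical bit (flag 128) set also forbids issuance. The zone data is constructed from the two midengd.xyz records shown above plus two extra names (example.test, wild.test) that are assumptions used only to exercise the edge cases.

```python
import re
from dataclasses import dataclass

# Constructed zone data in dig presentation format. The midengd.xyz lines are
# the two records from the dig output above; example.test and wild.test are
# assumed names added only to exercise edge cases.
SAMPLE_ZONE = {
    "midengd.xyz.": [
        'midengd.xyz. 600 IN CAA 0 iodef "mailto:admin@midengd.xyz"',
        'midengd.xyz. 600 IN CAA 0 issue "symantec.com"',
    ],
    "example.test.": [
        'example.test. 300 IN CAA 0 issue ";"',          # empty issuer: nobody may issue
        'example.test. 300 IN CAA 128 futuretag "x"',    # critical, unknown tag
    ],
    "wild.test.": [
        'wild.test. 300 IN CAA 0 issue "symantec.com"',
        'wild.test. 300 IN CAA 0 issuewild "other-ca.test"',
    ],
}

CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+'
    r'(?P<flag>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$'
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flag: int
    tag: str
    value: str

    @property
    def issuer_critical(self) -> bool:
        # RFC 6844: the high bit of the flag byte (128) is the issuer-critical flag.
        return bool(self.flag & 128)


def parse_caa_line(line: str) -> CAARecord:
    """Parse one 'name ttl IN CAA flag tag "value"' line as printed by dig."""
    m = CAA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record in dig format: {line!r}")
    flag = int(m.group("flag"))
    if not 0 <= flag <= 255:
        raise ValueError(f"flag out of range: {flag}")
    # Tags are case-insensitive; normalise so comparisons are reliable.
    return CAARecord(flag, m.group("tag").lower(), m.group("value"))


def find_relevant_caa(fqdn: str, zone: dict) -> list:
    """Climb from fqdn toward the root and return the first CAA set found ([] if none)."""
    labels = (fqdn.rstrip(".") + ".").split(".")   # trailing "" stands for the root
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return [parse_caa_line(line) for line in zone[candidate]]
    return []


def may_issue(fqdn: str, ca_domain: str, zone: dict, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue for fqdn."""
    records = find_relevant_caa(fqdn, zone)
    if not records:
        return True                                   # no CAA anywhere: unrestricted
    if any(r.issuer_critical and r.tag not in KNOWN_TAGS for r in records):
        return False                                  # critical tag we do not understand
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"                             # issuewild overrides issue for wildcards
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True                                   # e.g. only an iodef record: not restricted
    # The issuer domain is the part before any ";param=value" extensions.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    allowed.discard("")                               # an empty issuer authorises nobody
    return ca_domain.lower().rstrip(".") in allowed


def report_addresses(fqdn: str, zone: dict) -> list:
    """Return the iodef contact(s) a CA should notify about a rejected request."""
    return [r.value for r in find_relevant_caa(fqdn, zone) if r.tag == "iodef"]


if __name__ == "__main__":
    for name, ca in [("midengd.xyz", "symantec.com"), ("www.midengd.xyz", "symantec.com"),
                     ("midengd.xyz", "other-ca.test"), ("example.test", "symantec.com")]:
        print(f"{ca} may issue for {name}: {may_issue(name, ca, SAMPLE_ZONE)}")
    print("violation reports go to:", report_addresses("midengd.xyz", SAMPLE_ZONE))
```

Running the script shows that symantec.com may issue for midengd.xyz and for its subdomain www.midengd.xyz (the lookup climbs to the apex), that any other CA is refused and should report to mailto:admin@midengd.xyz, and that example.test blocks every CA. Pasting a real dig ANSWER SECTION into the zone dictionary is enough to check what a CA would decide for your own domain before you rely on the records.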
Since April 2017, all CAs must check CAA records before issuing SSL certificates. Major DNS providers outside China—including Amazon Route 53, Dyn, and Cloudflare—support CAA records. Support in China remains limited.
As awareness of network security grows, CAA records will become a security baseline requirement for finance, e-government, and public services. More DNS providers will support CAA records. Widespread adoption is only a matter of time.