Alibaba Cloud DNS:Configure CAA records to specify an authority to issue HTTPS security certificates

Last Updated:Nov 28, 2025

Setting up CAA records for your domain is an effective method to improve website security. This topic describes the background of the CAA standard and how to configure and verify CAA records using Cloud DNS.

Background

Hundreds of certificate authorities (CAs) worldwide are authorized to issue the HTTPS certificates that verify a website's identity. However, CAs are regularly distrusted by browsers for various reasons, with a public announcement that the HTTPS certificates they issued will no longer be trusted. When you then access a website that deploys such a certificate, browsers such as Google Chrome and Firefox display an "HTTPS certificate is not trusted" warning, the HTTPS in the address bar is marked with a red line, and the page becomes inaccessible.

Certification Authority Authorization (CAA) is a security measure that prevents the incorrect issuance of HTTPS certificates. It was approved by the Internet Engineering Task Force (IETF) in January 2013 and published as RFC 6844. In March 2017, the CA/Browser Forum passed Ballot 187, which requires CAs to perform mandatory CAA checks starting from September 8, 2017.

The CAA standard lets a website owner authorize only specified CAs to issue certificates for the owner's domains, so that HTTPS certificates are not issued incorrectly by anyone else. Alibaba Cloud DNS has taken the lead in supporting the CAA record type.

CAA record format

The format of a CAA record is [flag] [tag] [value]: a flag byte [flag] followed by a [tag]-[value] (tag-value) pair called an attribute. You can add multiple CAA records to the DNS records of your domain.

flag
  An unsigned integer between 0 and 255 that tells the CA how to treat the attribute. In most cases it is set to 0, meaning the attribute is not critical: a certificate-issuing authority that does not recognize it simply ignores the record.

tag
  One of issue, issuewild, or iodef.

  • issue: authorizes a single certificate authority to issue certificates of any type for the domain.

  • issuewild: authorizes a single certificate authority to issue wildcard certificates for the domain's hostnames.

  • iodef: specifies where a CA should send reports of certificate requests that violate the policy, for example an email address.

value
  The domain name of the authorized CA (for issue and issuewild), or the contact address for violation reports (for iodef).

Add CAA records

Suppose you want to allow only symantec.com to issue certificates for the domain midengd.xyz, and you want violation notifications sent to the email address admin@midengd.xyz. Configure the CAA records as follows.

  1. Log on to Alibaba Cloud DNS - Public Zone and click Settings under Actions in the row of the target domain.

  2. Add the following two DNS records.

    Host    Record value
    @       0 issue "symantec.com"
    @       0 iodef "mailto:admin@midengd.xyz"

Verify CAA records

You can use the dig command (dig domain record_type) to query the CAA records of a domain. A sample query and its result are shown below.

sh-3.2# dig midengd.xyz caa

; <<>> DiG 9.10.5rc1 <<>> midengd.xyz caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26714
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;midengd.xyz. IN CAA

;; ANSWER SECTION:
midengd.xyz. 600 IN CAA 0 iodef "mailto:admin@midengd.xyz"
midengd.xyz. 600 IN CAA 0 issue "symantec.com"

;; Query time: 577 msec
;; SERVER: 30.26.X.X#53(30.26.X.X)
;; WHEN: Tue Dec 05 18:55:48 CST 2017
;; MSG SIZE rcvd: 114
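The record format described above and the check that a CA performs before issuance (the reason the dig query in this section matters), as an added example in Python that is not part of the Alibaba Cloud documentation. It parses record values in the [flag] [tag] [value] form, walks toward the parent domain when a name has no CAA records of its own, and applies the issue, issuewild and critical-flag rules of RFC 6844/8659 against a constructed in-memory zone. midengd.xyz, symantec.com and admin@midengd.xyz come from the page; dev.midengd.xyz, strict.example, other-ca.example and all function names are assumptions made for the example.

```python
"""Parse CAA records in the "[flag] [tag] [value]" presentation format and apply
the CA-side authorization check to a constructed, in-memory zone.
Added example; not code from the Alibaba Cloud documentation."""
import re
from dataclasses import dataclass

# Presentation form of one record, e.g.: 0 issue "symantec.com"
CAA_LINE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')
KNOWN_TAGS = ("issue", "issuewild", "iodef")
CRITICAL = 0x80  # issuer-critical bit of the flag byte (RFC 6844 / RFC 8659)


@dataclass(frozen=True)
class CAARecord:
    flag: int
    tag: str
    value: str


def parse_caa(text: str) -> CAARecord:
    """Parse one record value as entered in the DNS console; reject malformed input."""
    m = CAA_LINE.match(text)
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flag = int(m.group(1))
    if flag > 255:
        raise ValueError(f"flag {flag} is outside 0..255")
    return CAARecord(flag, m.group(2).lower(), m.group(3))


# Constructed zone data (owner name -> CAA RRset, no trailing dot).
# midengd.xyz mirrors the two records added above; the other names are made up.
ZONE = {
    "midengd.xyz": [
        parse_caa('0 issue "symantec.com"'),
        parse_caa('0 iodef "mailto:admin@midengd.xyz"'),
    ],
    "dev.midengd.xyz": [],  # no CAA records of its own
    "strict.example": [
        parse_caa('0 issue "symantec.com"'),
        parse_caa('0 issuewild ";"'),  # empty issuer: nobody may issue wildcards
    ],
}


def relevant_records(name: str, zone: dict) -> list:
    """Walk from the name toward the root and return the first CAA RRset found.
    A leading wildcard label is skipped for the lookup, as the RFC specifies."""
    host = name[2:] if name.startswith("*.") else name
    labels = host.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def is_authorized(ca_domain: str, name: str, zone: dict) -> bool:
    """Would a CA identified by ca_domain be allowed to issue a certificate for name?"""
    records = relevant_records(name, zone)
    # A critical attribute the CA does not understand forbids issuance outright.
    if any(r.flag & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # Wildcard requests are governed by issuewild when present, otherwise by issue.
    applicable = issuewild if (name.startswith("*.") and issuewild) else issue
    if not applicable:
        return True  # no restriction published: any CA may issue
    # The issuer domain precedes any "; key=value" parameters; ";" alone names no CA.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in applicable}
    return ca_domain.lower() in allowed


def iodef_targets(name: str, zone: dict) -> list:
    """Where a CA should report a request that violates the policy."""
    return [r.value for r in relevant_records(name, zone) if r.tag == "iodef"]


if __name__ == "__main__":
    checks = [
        ("symantec.com", "midengd.xyz"),
        ("other-ca.example", "midengd.xyz"),
        ("symantec.com", "www.dev.midengd.xyz"),  # inherits the parent's policy
        ("symantec.com", "*.midengd.xyz"),        # no issuewild, so issue applies
        ("symantec.com", "*.strict.example"),     # issuewild ";" blocks wildcards
    ]
    for ca, host in checks:
        verdict = "ALLOWED" if is_authorized(ca, host, ZONE) else "REFUSED"
        print(f"{ca:18} {host:24} {verdict}")
    print("violation reports for midengd.xyz go to:", iodef_targets("midengd.xyz", ZONE))
```

Running the script prints a verdict for each (CA, name) pair. The points worth noticing are that www.dev.midengd.xyz inherits the parent's policy because it publishes no CAA records of its own, and that an issuewild record with the value ";" blocks wildcard issuance without affecting ordinary certificates.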

Since April 2017, all CAs must perform a CAA check on the domain names for which a certificate is requested before issuing an SSL certificate. Overseas DNS service providers such as Route53, Dyn, and Cloudflare already support CAA records, but adoption in China is still low.

As public awareness of network security improves, CAA records, as one of the measures that enhance website security, will become a baseline network security requirement for industries such as financial institutions, e-government, and public services. More DNS service providers will support CAA records, and the widespread adoption of CAA is only a matter of time.