
Certificate Authority Authorization (CAA) cometh


DNS Certification Authority Authorization (CAA) Resource Records have been defined in RFC 6844 since January 2013. The goal of the CAA record is to let a CA check whether it is authorized to issue a certificate for a given domain.

Abstract from RFC 6844:

The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain. CAA Resource Records allow a public Certification Authority to implement additional controls to reduce the risk of unintended certificate mis-issue.

On March 8 the CA/Browser Forum voted in favor of a rule making CAA records mandatory for certificate authorities: effective September 2017, all certificate authorities must implement CAA record checking. Until September 2017, checking and honoring CAA records was optional.

Ballot 187 – Make CAA Checking Mandatory

This rule gives domain owners more control over who may issue for their domains. If a domain owner does not publish CAA records, any CA can issue a certificate for the domain. Not adding a CAA record is therefore a bad idea, and it means not taking responsibility for the domain's security.


Checking whether your domain has CAA records can easily be done with dnsspy. Look up google.com to see the records authorizing the Google and Symantec CAs:

0 issue "pki.goog"
0 issue "symantec.com"
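As an added example (not part of the original post), this is how a CA's CAA check can be modelled following RFC 6844: walk from the requested name towards the root until a CAA RRset is found, then decide from its issue and issuewild properties, refusing on a critical property the CA does not understand. The zone data is constructed for the example; the two google.com records above are mirrored under example.com, and the CA identifiers are plain issuer domain names.

```python
# Added example (not from the original post): evaluating CAA authorization
# the way RFC 6844 describes it, against a constructed, offline zone.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the property "issuer critical"
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. 'pki.goog' or 'ca.example; account=123'

# Constructed zone data standing in for live DNS answers.
ZONE = {
    "example.com.": [CAA(0, "issue", "pki.goog"), CAA(0, "issue", "symantec.com")],
    "nowild.example.com.": [CAA(0, "issue", "pki.goog"), CAA(0, "issuewild", ";")],
    "odd.example.com.": [CAA(128, "future-tag", "x")],
}

def lookup_caa(name):
    """Return the relevant CAA RRset: the first non-empty set found while
    walking from the queried name towards the root (RFC 6844 section 4)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []

def issuer_of(value):
    """Issuer domain name from a CAA value; parameters follow the first ';'."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(name, ca_id):
    """Decide whether the CA identified by ca_id may issue a certificate for name."""
    wildcard = name.startswith("*.")
    rrset = lookup_caa(name[2:] if wildcard else name)
    if not rrset:
        return True  # no CAA published anywhere up the tree: not restricted
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # a critical property the CA does not understand
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True  # e.g. only iodef records: issuance is not restricted
    return ca_id.lower() in {issuer_of(r.value) for r in relevant}
```

The value `;` with an empty issuer name denies every CA, which is how `issuewild ";"` blocks wildcard issuance while ordinary certificates remain allowed.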

Browser vendors can use CAA when checking a website's certificate to verify its authenticity. Google planned to require Certificate Transparency starting in October 2017 but has moved the compliance date to April 2018.

We’ve been making excellent progress towards our goal of robust Certificate Transparency deployment for all publicly trusted certificates — and we also have new opportunities to improve Certificate Transparency and Chrome to better serve the Internet ecosystem. I’m pleased to announce that we’ll be moving forward with our plan to require Certificate Transparency for all newly issued, publicly trusted certificates starting in April 2018.

Go ahead, make the Internet a safer place and add CAA records to your DNS servers.