What is the “Misconfigured DNS: Missing Certification Authority Authorization (CAA) Record” vulnerability?

Certification Authority Authorization (CAA) is a DNS record type (RFC 6844, published in 2013) that lets a domain owner state which certificate authorities (CAs) may issue TLS certificates for its domain names. For years it had little effect, because CAs were not obliged to honour it. That is no longer true: since 8 September 2017 every publicly trusted CA must check CAA before issuing. A domain that publishes no CAA record places no restriction at all, so any CA in the world may issue for it; that absence is what this finding reports.

The CA/Browser Forum, an association of the major browser vendors and certificate authorities, voted in early 2017 (Ballot 187) to make CAA checking a mandatory step of the certificate issuance process. The Forum maintains the “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates,” the industry-accepted set of rules that every publicly trusted CA must follow.

Most DNS server software and managed DNS providers now support the CAA record type, but domain owners should confirm with their DNS hosting provider that CAA records can be added, and should check what is currently published (for example with “dig example.com CAA”) before assuming a policy is in place.

A CAA record set uses three commonly used property tags: issue, issuewild, and iodef. The issue and issuewild tags name one or more CAs that may issue certificates, respectively ordinary or wildcard certificates, for the domain. A CA named in an issue record may issue any kind of certificate, wildcards included, unless the record set also contains an issuewild record, in which case issuewild alone governs wildcard requests. The value “;” authorizes no CA at all, so a record such as 0 issuewild ";" forbids wildcard issuance entirely.

The “iodef” tag is for reporting and can be quite useful. The domain owner publishes a mailto: address or an HTTP(S) URL, and a CA that refuses a request because the domain’s CAA policy does not permit it may send an incident report (in IODEF format) there. The RFC does not oblige CAs to send these reports and many do not, but where a CA does, the domain owner learns that someone attempted to obtain a certificate for the domain without authorization.

Of course, there will be no notification if an attacker obtains a certificate from a CA that the domain owner has authorized, for example by passing that CA’s domain validation after hijacking DNS or a web server. Furthermore, an attacker who compromises a CA may be able to bypass the CAA check altogether, depending on the kind of access gained. So CAA and its iodef reporting are not a panacea, but they are better than nothing, and monitoring Certificate Transparency logs remains the complementary control for spotting mis-issued certificates after the fact.

CAA policies can also be set per subdomain. When a CA receives a request for subdomain.example.com, it first looks for CAA records at subdomain.example.com; if there are none, it walks up to example.com, and so on through each parent, and the first non-empty CAA record set it finds is the one that applies. A CAA record set at subdomain.example.com therefore takes precedence over, and completely replaces, the one at example.com; the two sets are not merged.
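To make the issue/issuewild semantics and the subdomain walk above concrete, here is an added Python model of the check a CA performs before issuing; it is example code written for this page, not code from ZOFixer or from any CA. The zone, the domain names (example.com, marketing.example.com, nocaa-example.net) and the CA names are constructed for illustration, and CNAME/DNAME handling from the RFC is deliberately left out. It also covers two cases the text only implies: a name with no CAA anywhere in its tree (the misconfiguration this page is about) and a record whose critical flag is set on a tag the CA does not understand.

```python
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # flag bit: a CA that does not understand a critical tag must not issue


@dataclass(frozen=True)
class CAA:
    """One CAA record in RFC 8659 terms: <flags> <tag> "<value>"."""
    flags: int
    tag: str    # "issue", "issuewild" or "iodef"
    value: str  # CA domain (optionally "; key=value" parameters), ";" for "no CA",
                # or a mailto:/https: URL for iodef


# Constructed zone (hypothetical names, not from the original page).
# www.example.com has no records of its own and inherits example.com's policy;
# nocaa-example.net publishes no CAA at all.
ZONE = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "digicert.com"),
        CAA(0, "issuewild", ";"),                       # nobody may issue *.example.com
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "marketing.example.com": [
        CAA(0, "issue", "globalsign.com"),            # partner-run site with its own CA
    ],
    "strict.example.com": [
        CAA(ISSUER_CRITICAL, "futuretag", "x"),       # hypothetical tag this CA does not know
    ],
}


def relevant_records(name: str):
    """Relevant CAA set (RFC 8659 section 3, minus alias handling): the name itself,
    then each parent in turn; the first non-empty CAA RRset wins and the walk stops."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = ZONE.get(owner, [])
        if rrset:
            return owner, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """'ca.example; account=123' -> 'ca.example'; ';' (no CA) -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca_domain: str):
    """Decide whether ca_domain may issue for name ('*.' prefix means a wildcard).
    Returns (allowed, reason)."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    owner, rrset = relevant_records(fqdn)
    if owner is None:
        return True, "no CAA records anywhere in the tree: any CA may issue"
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & ISSUER_CRITICAL and r.tag not in known for r in rrset):
        return False, f"critical property with unknown tag at {owner}"
    # issuewild governs a wildcard request only if at least one issuewild record exists;
    # otherwise the issue records govern wildcards too (RFC 8659 section 4.3).
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    governing = [r for r in rrset if r.tag == tag]
    if not governing:
        return True, f"CAA set at {owner} has no {tag} property: issuance not restricted"
    if ca_domain.lower() in {issuer_domain(r.value) for r in governing}:
        return True, f"{ca_domain} authorized by {tag} record at {owner}"
    return False, f"{ca_domain} not authorized by {tag} records at {owner}"


def iodef_targets(name: str):
    """Where a CA may (it is not obliged to) send a report about a refused request."""
    fqdn = name[2:] if name.startswith("*.") else name
    _, rrset = relevant_records(fqdn)
    return [r.value for r in rrset if r.tag == "iodef"]


if __name__ == "__main__":
    requests = [
        ("www.example.com", "letsencrypt.org"),
        ("www.example.com", "globalsign.com"),
        ("*.example.com", "digicert.com"),
        ("marketing.example.com", "globalsign.com"),
        ("*.marketing.example.com", "globalsign.com"),
        ("strict.example.com", "letsencrypt.org"),
        ("shop.nocaa-example.net", "anyca.example"),
    ]
    for req, ca in requests:
        ok, why = may_issue(req, ca)
        print(f"{req:26} {ca:16} {'ALLOW' if ok else 'DENY '} {why}")
        if not ok:
            print(f"{'':26} report to: {iodef_targets(req) or 'nobody (no iodef)'}")
```

The last request in the list is the situation the title describes: with no CAA record anywhere between shop.nocaa-example.net and the top-level domain, the function returns ALLOW for any CA name at all. Note also that *.marketing.example.com is allowed for GlobalSign even though example.com forbids wildcards, because the marketing subdomain's own record set replaces the parent's rather than merging with it.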

This is useful for large organizations that run many websites and services under one domain name. Those sites may be managed by separate teams or even by external partners, such as marketing or public relations firms, each of which may have a preferred certificate vendor.

“Be careful when creating CAA records,” CA service provider GlobalSign warned in a blog post last month. “If you have other departments getting certificates, you must collaborate to ensure that all CAs in use are added to your CAA records. Because CAA validation is required and results in rejected orders that a CA cannot override, it is critical that the DNS administrator does not bring the organization down!”

The ZOFixer.com security scan helps you find this vulnerability in your software and servers; you can use it by registering on our website and activating the 30-day trial.
