Tuesday, April 12, 2016

DNS CAA records for certifications

SSL/TLS  certifications can be crafted for any sites by using any of the  400+ Public Certificate Authorities and thousands upon thousands private CAs.

Not all CA are trusted by a browser btw which is another topic in a centralize authority schema which is a good and bad thing that need a separate thread to understand "truststore".

Since a domain and site could be deployed anywhere, any time,  and by anyone, the chance of a successful hijack could take place if one could steer  or hijack a dnsserver or  redir a client DNS response by the modification of the DNS payload.

Take this approach,

1> a  blackhat hijacker crafts a site name  "www.ebay.com" and installs a frontend server(s) for collecting   accounts and logins,  or just  to distribute  malware.

2> He uses a valid CA and has a valid  certificate signed.

3> He inject a response to a client  browser  for a DNS query that says "go to  my fake www.ebay.com  address"

Now at this point, the browser see the certificate as valid, and the user  now is at the mercy of the fake www.ebay.com and whatever  the hijackers are trying todo ( delivery  of a malware/trojans, account /password spear fish, or other targeted theft of information ,etc....)

I call this the same  thing as  bait and switch with a decoy while hunting doves or turkey. If it looks real,  it would draw in the prey with no scrutiny  ;)"

So what keeps someone from  registering a SSL certificate against your domainnames?  This type of hijack has been feasible  & can not be 100% controlled,  but we can do some things along with DNSSEC  to reduce this risk.

Read one of my previous  post about  DNSSEC http://socpuppet.blogspot.com/2013/12/dnssec-godaddy-style.html

The  DNS RR type CAA ( type257 ) does mitigate some of this threat , but it's not 100%  Guaranteed.

How this  ResourceRecord works, is that you  will craft a  DNS  CAA record type listing your  preferred CA(s)  that  your domain trusts & uses for issuance of certificates. This record is used by some  CAs for pre-validation of a preferred CA(s) for domainname  b4 creating a certificate for that domain.


letsencrypt does  this for any certificate that it creates

Tip: To query for a  type257 ( CAA dns record type ) you can use  dig or host


So goog has set  specific instructions for other CAs for the "domain google.com".

How much protection you gain from a CAA is hit/miss since it's used only from a CA function & standpoint. Very few organizations ( CA)   uses or check for  CAA records types. If more domains  would deploy CAA RRs & more  CA conduct lookups, it would be helpful in ensuring a rogue or hijacked site is not being deployed.

Each CA has it's own strategy on CAA validations. You can see  Google stance by reading their pki policy page


NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \


  1. DreamHost is ultimately the best website hosting company with plans for any hosting requirments.

  2. I've been using AVG anti-virus for a couple of years now, I'd recommend this product to you all.