CAA makes it mandatory to verify SSL issued


(MENAFN Editorial) CAA - Certification Authority Authorization

As of September 8th, 2017, it is mandatory for Certifying Authorities to verify a domain's CAA record before issuing an SSL certificate, as required by Certification Authority Authorization. The sole purpose is to tackle the menace of fraudulent SSL certificate generation. The CAA standard is defined in RFC 6844.

What is CAA?

Certification Authority Authorization (CAA) is an industry standard that allows domain owners to specify which Certifying Authorities (CAs) are allowed to issue certificates for their domains. Its intention is to help CAs avoid mis-issuing certificates; it adds a further checking/verification step to their certificate issuing procedures.

Before issuing any certificate, the CA verifies the domain's CAA record to check whether it is itself listed there, and blocks the request if it is not.

How to use CAA?

The domain owner has to publish Certification Authority Authorization (CAA) records in the domain's DNS, specifying:

The list of CAs authorized to issue SSL certificates for that domain.
Policies for the entire domain or for specific hosts.
Whether the policy covers single-name certificates, wildcard certificates, or both.

Why use CAA?

There have been numerous instances in the past wherein Certifying Authorities were hacked and fraudulent certificates were issued. Furthermore, in our previous blog posts we had raised concerns about the lack of verification and the decentralized structure of the CAs, which allowed any CA to blatantly issue SSL certificates on behalf of any domain. It was therefore of utmost importance to give domain owners a control and verification method for sharing information with the CAs, so that the CAs themselves know whether or not they are allowed to issue the certificate.

It is now the prerogative of domain owners to publish CAA information if they use certificates, and it is the responsibility of the CAs to validate each and every request.

List of DNS Servers Implementing CAA

Since Certification Authority Authorization (CAA) is a fairly new standard, only a few DNS servers support the addition of CAA records:

DNS Server            CAA support   Notes
BIND                  Yes           Prior to version 9.9.6, use RFC 3597 syntax
Knot DNS              ≥ 2.2.0
ldns                  ≥ 1.6.17
NSD                   Yes           Prior to version 4.0.1, use RFC 3597 syntax
OpenDNSSEC            Yes           With ldns ≥ 1.6.17
PowerDNS              ≥ 4.0.0       Versions 4.0.3 and below are buggy when DNSSEC is enabled
Simple DNS Plus       ≥ 6.0
tinydns               Yes           Use generic record syntax
Windows Server 2016   Yes           Use RFC 3597 syntax

Domain owners may check with their respective domain registration service providers whether the addition of CAA records is supported in their DNS configuration panel.

In order to create a CAA record, domain owners may visit https://sslmate.com/caa/

How to Verify CAA?

Two of the most popular tools for looking up DNS records are 'dig' and 'nslookup', and both use type257 as the query parameter for CAA.

$ dig google.com type257

;; ANSWER SECTION:
google.com.  86399  IN  TYPE257  \# 19 0005697373756573796D616E7465632E636F6D
google.com.  86399  IN  TYPE257  \# 15 00056973737565706B692E676F6F67

c:\> nslookup
> set q=type257
> google.com
Server:   8.8.8.8
Address:  8.8.8.8#53

Non-authoritative answer:
google.com  rdata_257 = \# 19 0005697373756573796D616E7465632E636F6D
google.com  rdata_257 = \# 15 00056973737565706B692E676F6F67

However, these tools have yet to implement decoding of the CAA record type, so with them you can only establish that a CAA record exists; the record's contents are shown only as undecoded hex.

One may visit our domain tools section to look up CAA records.

E.g. google.com:

;; ANSWER SECTION:
google.com.  86399  IN  CAA  0 issue "pki.goog"

A more complex CAA record set, from hboeck.de:

;; ANSWER SECTION:
hboeck.de.  3599  IN  CAA  0 issue "letsencrypt.org"
hboeck.de.  3599  IN  CAA  0 issuewild ";"
hboeck.de.  3599  IN  CAA  0 iodef "https://int21.de/caa/"
hboeck.de.  3599  IN  CAA  0 iodef "mailto:<address hidden by the page's anti-spam script>"
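To make the two outputs above concrete, here is an added example (not from the original article or from eScan) that decodes the RFC 3597 generic form that older dig/nslookup print for TYPE257 into flags, tag and value, and then applies the issuance check a CA must perform under RFC 6844, including the issuewild ";" case from the hboeck.de record set. The CA names passed to the check and the "account=123" parameter are assumed sample inputs.

```python
import binascii
from dataclasses import dataclass

CRITICAL = 0x80  # RFC 6844 flags field: the issuer-critical bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_generic_caa(rdata: str) -> CAARecord:
    """Decode the RFC 3597 generic text form '\\# <len> <hex>' that older
    dig/nslookup print for TYPE257 into its flags, tag and value fields."""
    parts = rdata.split()
    if len(parts) < 3 or parts[0] != r"\#":
        raise ValueError("not RFC 3597 generic syntax")
    raw = binascii.unhexlify("".join(parts[2:]))
    if len(raw) != int(parts[1]) or len(raw) < 2:
        raise ValueError("length field does not match RDATA")
    tag_len = raw[1]
    tag = raw[2:2 + tag_len].decode("ascii").lower()
    value = raw[2 + tag_len:].decode("utf-8")
    return CAARecord(raw[0], tag, value)

def issuance_allowed(records, ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 6844 issuer check: 'issuewild' governs wildcard requests when
    present (falling back to 'issue'); a bare ';' authorises nobody; an
    unknown tag with the critical bit set blocks issuance; no relevant
    records means no restriction."""
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    props = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not props:
        props = [r for r in records if r.tag == "issue"]
    if not props:
        return True
    for r in props:
        # Value is "<domain>[; param=value ...]"; only the domain is compared.
        domain = r.value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False

if __name__ == "__main__":
    # Constructed from the google.com TYPE257 lines in the dig output above.
    recs = [parse_generic_caa(r"\# 19 0005697373756573796D616E7465632E636F6D"),
            parse_generic_caa(r"\# 15 00056973737565706B692E676F6F67")]
    print([(r.tag, r.value) for r in recs], issuance_allowed(recs, "pki.goog"))
```

Decoding the first google.com line yields tag "issue" and value "symantec.com", which is what a CAA-aware resolver would print in place of the hex.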

Threat Attack Scenarios

With the implementation of CAA, the attack surface shrinks and shifts towards the CAA records themselves, which the domain owners control:

Non-compliance: domain owners not adding CAA records to their DNS at all.
Compromise of the domain owner's DNS management panel, which would allow the CAA records to be altered or removed.

About eScan:

eScan is an ISO (27001) certified pure-play enterprise security solution company with over 2 decades of expertise in developing IT security solutions. eScan today has a presence in 12 countries through its offices and subsidiaries. It also boasts of a robust channel partner network of more than 50, 000 partners spread across 190 countries worldwide. It is trusted by more than 6,500 enterprise and corporate users spread across various industry segments such as Government, BFSI, Education, Defense, Telecom, IT & ITeS, Infrastructure, Hospitality, and Healthcare worldwide.

It is powered by some of the latest and innovative technologies, such as Proactive Behavioral Analysis Engine (PBAE) Technology, MicroWorld Winsock Layer (MWL) Technology, Domain & IP Reputation Check (DIRC) Technology, Non-Intrusive Learning Pattern (NILP) Technology, and sophisticated Anti-Virus Heuristic Algorithms that not only provide protection from current threats, but also provides proactive protection against the ever-evolving cyber threats. eScan provides 24x7 free remote support facility to help its esteemed users to provide real-time solutions for security-related issues.

For more information, visit https://www.escanav.com/en/index.asp
