Articles in Root

Certification Authority Authorisation (CAA)

Problem

What are CAA records?

Solution

Certification Authority Authorisation (CAA) records allow a DNS domain name holder to specify one or more Certification Authorities (CAs) authorised to issue certificates for that domain (see RFC 6844)

  • CAA records are intended to prevent CAs from improperly issuing certificates.

  • CAA records can set policy for the entire domain, or for specific hostnames.

  • CAA records are inherited by subdomains.  For example, a CAA record set on example.com will also apply to test.example.com (and any other subdomain, unless specifically overridden).

  • CAA records can control the issuance of single-name/SAN certificates, wildcard certificates, or both.

  • CAA records may be set to authorise multiple CAs if the 0 flag is set.

According to section 3.2.2.8 of the CA/Browser Forum Baseline Requirements for TLS/SSL certificates, CAs must implement CAA checking before September 8, 2017.

Do I have to Implement CAA Records

There is no requirement for domain owners to implement CAA records in order to receive SSL/TLS certificates from CAs. If no CAA record is set for your domain or subdomain, then any CA can issue you an SSL/TLS certificate – as long as there are no DNS or CAA errors (more on this below).

If you wish to restrict which CAs are allowed to issue certificates to your domain or subdomain as added security, then you may want to take advantage of CAA records; providing that your DNS provider can support them.

CAA Record Location

You can set CAA records on your primary domain or any subdomain within the primary domain. In a QuoVadis example, we could set a CAA record for quovadisglobal.com or for the subdomain (or zone) caa.quovadisglobal.com.  When Certificate Authorities check for the CAA records, they will check the top most subdomain first and work their way down recursively until a CAA record is found or no CAA record exists.  Setting a CAA record at the top most domain name (in our example, quovadisglobal.com) will cover all subdomains within this domain – as long as a CAA record is not set higher up on the subdomain chain that could supersede this.

Configuration for QuoVadis

To set CAA records for QuoVadis in your Standard BIND Zone File:

example.com. CAA 0 issue "quovadisglobal.com"
example.com. CAA 0 issuewild "quovadisglobal.com"
example.com. CAA 0 iodef "mailto:cert-admin@example.com"

Note: Legacy BIND and other generic DNS may require a different syntax.

Background

When you are configuring CAA records you will need to present the record values in the following format:

<flags> <tag> <value>
example.com. CAA 0 issue “quovadisglobal.com”

Flag

There is currently only one flag defined: “issuer critical” with a value of 1. If a CA does not understand the flag value for an issuer critical record, then the CA will reject the certificate issuance.  The issuer critical value of 0 means “not critical”.

Type (Tag)

Type allows you to choose how you want certificates to be issued by the CA. Each CAA record can contain only one tag-value pair.

  • issue: Explicitly authorises a single CA to issue a certificate (any type) for the domain name.
  • issuewild: Authorises to issue certificates that specify a wildcard domain. Important: issuewild properties take precedence over issue properties when specified.
  • iodef: Incident Description Exchange Format specifies a means of reporting certificate issue requests or cases of certificate issue for the corresponding domain that violate the security policy of the issuer or the domain name holder.

Time to Live (TTL)

Time to Live is measured in seconds and is the amount of time the record will cache in resolving name servers and web browsers.  TTL also determines the duration of time a CA is allowed to cache a CAA check.

CAA Errors

CAA records are checked before certificate issuance so if an error appears during the check, we will not be able to tell definitively if a CAA exists or not. There are cases where the CAA error may be due to configuration of your DNS server, DNS provider, or security policies. When this happens, we will not be able to issue certificates until these issues are resolved. Below are some of the errors that you may encounter.

While some DNS providers do not support CAA, they still need to provide a NOERROR response for unknown query types, including CAA. If any other opcodes are returned, then CAA checking may return a SERVFAIL. If this is the case, you should contact your DNS provider.

CNAME Loops and Issues

A CNAME (or Canonical Name) is a type of DNS record that can be set on a domain or subdomain. This type of record is used to specify that a domain name is an alias for another domain name. There are times when due to the configuration of multiple CNAME records, domains and subdomains could loop back to each other which would cause CAA checking failure. Here is a simple example:

  • cname.quovadisglobal.com has a CNAME of cname.chromessl.com
  • cname.chromessl.com has a CNAME of cname.quovadisglobal.com
  • The CAA record is set at quovadisglobal.com

As trying to resolve cname.quovadisglobal.com would point to cname.chromessl.com and vice-versa, the CAA record at quovadisglobal.com would never be reached and therefore would cause an error. This is known as a CNAME loop. The above is a simple example of this. CNAME loops can happen between several domains.

There are other times when CNAME records can point to other domains where a CAA record is set, but this record does not allow QuoVadis to issue certificates. When this happens, you will need to contact the owner of the endpoint domain to add QuoVadis as an allowed CA to their CAA record. If this is not possible, then we will not be able to issue the certificate, even if you own the subdomain.

SERVFAIL

A common error that is encountered is the SERVFAIL error. A SERVFAIL can be received for many reasons. The most common reason is due to the failure of DNSSEC validation. If this appears to be the case, then you will need to debug your DNSSEC and figure out why a SERVFAIL is being presented. If you use a DNS provider, then you will need to contact them for assistance.

If DNSSEC is not enabled, then you should check to see if your authoritative namesever is returning a NOERROR response. Any other response is a violation of RFC 1035. An example of an incorrect response would be to receive a NOTIMP response.

SERVFAILs could also be caused by authoritative nameserver outages. You will need to check each of the NS records of your domain to ensure that the service is available.

Timeouts

Timeouts are another issue that can cause CAA errors and these usually happen when an authoritative nameserver does not respond with an answer at all. This can be caused by a networking issue such as a firewall blocking the DNS request or dropping unknown qtypes of a DNS query. You will need to check your infrastructure if the authoritative nameserver is hosted internally or contact your DNS provider if you host your DNS externally.