A missing SSL CAA record is a potential security weakness: without one, any certificate authority (CA) can issue SSL/TLS certificates for the domain. This is the case whenever the domain’s DNS zone does not contain a Certification Authority Authorization (CAA) record.
The threat in this situation is that a fraudulently issued certificate could be used by malicious actors against your systems. Adding CAA records to the domain’s DNS reduces this risk. A missing CAA record also leaves room for unintended certificate mis-issuance by a CA.
Let’s get an overview of a CAA record, its purpose, and how to handle missing SSL CAA records.
Missing SSL CAA Record Security Assessment
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
What Is a CAA Record?
CAA record stands for Certificate Authority Authorization record. It can also be referred to as DNS CAA record, CAA DNS record, CAA certificate, and DNS CAA, among others.
The CAA record is a specific record that sets the Certification Authority (or Certification Authorities, if multiple) that can issue Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates for an entire domain or a subdomain. It’s one of the numerous aspects that make SSL a secure encryption protocol widely used across the internet today.
Once a CAA record is defined, no CA other than those it lists can issue certificates for the name. It is thus among the effective methods of domain control.
A CAA record would usually have the following data fields:
- tag — issue or issuewild
When a CAA record is set, CAs must look up and evaluate CAA records before issuing a certificate, and they must refuse issuance if the record authorizes only other CAs. If there is no record at all, any CA can issue a certificate.
What Do CAA Records Mean?
CAA records limit the Certification Authorities (certification bodies) that can provide certificates for a domain. They can help you quickly spot a security policy violation related to your SSL CA rules.
This is a security measure with which you, as domain owner, can control the possibilities for rogue certificates to be put in action on your domain. You can also use it to require additional record checking from the CA to minimize the chance of certificate mis-issuances and revocation issues, as directed by your company policies, for example. By setting a CAA record, you can define a preference for CAs deemed more trustworthy or secure.
Defining a CAA record is also a way to specify whether a given CA you work with may issue wildcard or non-wildcard certificates for your domain.
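The CA-side check described above (climb from the requested name towards the root, use the first CAA set found, treat an absent set as unrestricted, and let issuewild govern wildcard requests) as an added example; this is not code from the original article. It runs against a constructed in-memory zone rather than live DNS, and the record set for example.org mirrors the record shown later on this page.

```python
import re

# Constructed sample zone (not real DNS data): owner name -> CAA records in the
# presentation format 'flags tag "value"'. example.net has no CAA record at all.
SAMPLE_ZONE = {
    "example.org.": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
    "api.example.com.": ['128 unknowntag "x"'],  # critical flag on an unknown tag
}

_CAA_RE = re.compile(r'^(\d+)\s+([a-z0-9]+)\s+"([^"]*)"$', re.I)

def parse_caa(text):
    """Parse 'flags tag "value"' into (flags, tag, value)."""
    m = _CAA_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_caa_set(name, zone):
    """Climb from name towards the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []  # no CAA anywhere up the tree

def _issuer(value):
    """Issuer domain is the part of the value before any ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(name, ca, zone, wildcard=False):
    """Return True if CA `ca` is authorized to issue for `name` under the zone's CAA policy."""
    if name.startswith("*."):            # wildcard request: evaluate the parent name
        name, wildcard = name[2:], True
    records = relevant_caa_set(name, zone)
    if not records:
        return True                      # missing CAA: every CA is allowed
    known = {"issue", "issuewild", "iodef"}
    if any(f & 128 and t not in known for f, t, _ in records):
        return False                     # unrecognised critical property: must refuse
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r[1] == tag]
    if wildcard and not relevant:        # no issuewild present: issue tags govern wildcards
        relevant = [r for r in records if r[1] == "issue"]
    if not relevant:
        return True                      # only iodef or similar: issuance not restricted
    return any(_issuer(v) == ca.lower() for _, _, v in relevant)
```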
SSL CAA Record Examples
CAA records have different formats because they can be added to different DNS files. For example, IETF RFC 6844 sets the format for standard BIND files, while IETF RFC 3597 sets the resource records (RRs) format for legacy BIND files.
Below you can find some examples of SSL CAA records. In most cases, you don’t need advanced knowledge to set a CAA record, as the platforms usually provide an easy-to-use dashboard or control panel to add such records.
You can also use a DNS lookup tool, or a dedicated CAA lookup tool, to see how CAA records look in practice.
Cloudflare CAA Record
You can use Cloudflare’s easy tutorial to check and set your CAA record.
Adding a CAA record is seamless. First, you have to use the dashboard to go to the DNS menu and add a record, specifying the type, name, tag, and CA domain name.
Let's Encrypt CAA Record
This Let's Encrypt tutorial guides you through setting CAA records for your parent domain or any subdomain level.
How to Enable a Missing SSL CAA Record
To enable a missing CAA record, specify the appropriate record on your DNS server. This lets you quickly catch a violation of your CA issuance policy or a breach of trust for your domain.
Different tools can help you generate the correct CAA record and overcome any certificate management challenge, such as the free CAA Record Generator tool.
If you don’t have direct access to your DNS server, you need to ask your DNS provider to set this entry. Creating the record can usually be done in their configuration interface. For example, the following record allows only Let's Encrypt to issue certificates for example.org:
example.org. CAA 0 issue "letsencrypt.org"
With dnsimple, you can add the CAA record in the web interface. Then, use the Record editor and add your CA as the provider for your certificate. Here’s a tutorial on Managing CAA records from the dnsimple website.
To get a complete picture of your digital assets’ security, Crashtest Security has developed a Vulnerability Testing Software. Our powerful tool will help you stay on top of cybersecurity vulnerabilities across the board.
What is a CAA record in SSL?
When using SSL/TLS, you need a trustworthy Certificate Authority (CA) to issue your certificates. The CAA, or Certificate Authority Authorization, record allows you to control which CAs can do that for your domain. The CAA is a type of DNS record and adds a layer of security to your SSL/TLS deployment.
How do CAA records work?
CAA records define which Certificate Authorities (CAs) can issue certificates for a specific domain. Thus, they protect against rogue or unauthorized certificates by defining which CAs can be used.
How do I add a CAA record?
How you can add a CAA record in your DNS server varies, depending on the systems and tools you are using. In most cases, it entails manually adding the appropriate record. However, if you don’t have access to your DNS settings, you may need to request the change from your DNS provider.