To improve website security, you can add a Certification Authority Authorization (CAA) record for the domain name of your website. This topic describes the background of the CAA standards and how to use Alibaba Cloud Domain Name System (DNS) to configure and check CAA records.
Background information
According to authoritative statistics, hundreds of certificate authorities (CAs) around the world are authorized to issue HTTPS certificates that authenticate website identities. However, for various reasons, CAs are sometimes blacklisted by browsers, which announce that they will no longer trust the HTTPS certificates issued by these CAs. If you then visit a website that presents one of these certificates, browsers such as Google Chrome and Firefox display a message indicating that the website does not have a trusted HTTPS certificate, and the HTTPS URL in the browser's address bar is also struck through with a red line. As a result, the website is inaccessible.
CAA, approved by the Internet Engineering Task Force (IETF) in January 2013, is a security measure that ensures HTTPS certificates are issued only by authorized CAs. It is specified in IETF Request for Comments (RFC) 6844. In March 2017, the CA/Browser Forum voted to pass Ballot 187, which requires CAs to check CAA records before they issue certificates, effective September 8, 2017.
CAA standards allow website owners to authorize specified CAs to issue HTTPS certificates for the domain names of their websites. Alibaba Cloud DNS takes the lead in supporting CAA records.
CAA record format
A CAA record is in the format [flag] [tag] [value]. A CAA record consists of a flag ([flag]) and a tag-value pair ([tag] [value]) that is referred to as a property. You can create multiple CAA records for a domain name.
Field | Description |
--- | --- |
flag | An unsigned integer that identifies a CA. Valid values: 0 to 255. We recommend that you set the value to 0. The value 0 indicates that the flag is ignored if the CA cannot recognize the flag. |
tag | Valid values: issue, issuewild, and iodef. issue: A CA is authorized to issue all types of domain name certificates. issuewild: A CA is authorized to issue wildcard certificates for hostnames. iodef: A CA can send the URL of an invalid certificate request to an email address. |
value | The domain name of the CA or the email address that is used to receive notifications of invalid certificate requests. |
Add CAA records
If you want to allow only symantec.com to issue certificates for the domain name midengd.xyz and send notifications of invalid certificate requests to the email address admin@midengd.xyz, you can perform the following steps to configure the CAA records:
Log on to the Alibaba Cloud DNS console.
On the Domain Name Resolution page, click DNS Settings in the Actions column of the domain name for which you want to add the CAA records.
Add two DNS records of the CAA type. The following table lists the configurations of the DNS records.
Hostname | Record Value |
--- | --- |
@ | 0 issue "symantec.com" |
@ | 0 iodef "mailto:admin@midengd.xyz" |

Check CAA records
You can run the dig <domain name> <record type> command to check whether the CAA records have taken effect. The following section shows the test command and the returned results.
sh-3.2# dig midengd.xyz caa
; <<>> DiG 9.10.5rc1 <<>> midengd.xyz caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26714
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;midengd.xyz. IN CAA
;; ANSWER SECTION:
midengd.xyz. 600 IN CAA 0 iodef "mailto:admin@midengd.xyz"
midengd.xyz. 600 IN CAA 0 issue "symantec.com"
;; Query time: 577 msec
;; SERVER: 30.26.8.5#53(30.26.8.5)
;; WHEN: Tue Dec 05 18:55:48 CST 2017
;; MSG SIZE rcvd: 114
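The dig output above shows that the records are published, but it does not show how a CA interprets them. The following script is an added example, not part of Alibaba Cloud's documentation or tooling: it parses dig-style CAA answer lines such as the two in the ANSWER SECTION above into flag, tag and value (the record format described earlier), then applies the RFC 6844 processing rules: it walks from the requested name up to the first owner name that has a CAA RRset, treats an unrecognised tag with the critical flag (bit 7 of the flag byte) as forbidding issuance, lets issuewild take precedence over issue for wildcard requests, and reads the value ";" as "no CA may issue". The third line in the sample, a CAA record on shop.midengd.xyz, and the CA name other-ca.example are constructed for the example and do not appear on the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the two ANSWER SECTION lines returned by the dig
# query on this page, plus a hypothetical subdomain with its own issuewild
# property so the parent-walk lookup has something to find.
SAMPLE_ZONE = """\
midengd.xyz. 600 IN CAA 0 iodef "mailto:admin@midengd.xyz"
midengd.xyz. 600 IN CAA 0 issue "symantec.com"
shop.midengd.xyz. 600 IN CAA 0 issuewild ";"
"""

KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    name: str
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        """Bit 7 (decimal 128) of the flag byte is the issuer-critical flag (RFC 6844)."""
        return bool(self.flags & 0x80)


# owner  TTL  IN  CAA  flags  tag  "value"   (dig presentation format, tabs or spaces)
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+\d+\s+IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"$'
)


def parse_caa_records(text: str) -> dict[str, list[CAARecord]]:
    """Group dig-style CAA lines into one RRset per owner name (lowercased, trailing dot)."""
    zone: dict[str, list[CAARecord]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank lines and dig comment lines
            continue
        m = CAA_LINE.match(line)
        if m is None:
            raise ValueError(f"not a CAA record line: {line!r}")
        flags = int(m["flags"])
        if not 0 <= flags <= 255:
            raise ValueError(f"flag must be 0-255, got {flags}")
        name = m["name"].lower()
        if not name.endswith("."):
            name += "."
        zone.setdefault(name, []).append(CAARecord(name, flags, m["tag"].lower(), m["value"]))
    return zone


def relevant_rrset(zone: dict[str, list[CAARecord]], fqdn: str) -> list[CAARecord]:
    """Return the CAA RRset of the requested name or of its closest ancestor that has one."""
    labels = fqdn.lower().rstrip(".").split(".")
    while labels:
        candidate = ".".join(labels) + "."
        if candidate in zone:
            return zone[candidate]
        labels.pop(0)  # climb one label toward the root
    return []


def issuer_domain(value: str) -> str:
    """The issuer domain precedes any ';'-separated parameters; a bare ';' yields '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(zone: dict[str, list[CAARecord]], fqdn: str,
                       ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether ca_domain may issue a certificate for fqdn (or *.fqdn if wildcard)."""
    rrset = relevant_rrset(zone, fqdn)
    # A property the CA does not understand, marked critical, forbids issuance outright.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild, when present, governs wildcard requests; otherwise issue governs both.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no issue/issuewild property in the relevant RRset: any CA may issue
    ca = ca_domain.lower()
    return any(issuer_domain(r.value) == ca for r in relevant)


def iodef_contacts(zone: dict[str, list[CAARecord]], fqdn: str) -> list[str]:
    """Where a CA should report an invalid certificate request for fqdn."""
    return [r.value for r in relevant_rrset(zone, fqdn) if r.tag == "iodef"]


if __name__ == "__main__":
    zone = parse_caa_records(SAMPLE_ZONE)
    checks = [("midengd.xyz", "symantec.com", False), ("midengd.xyz", "other-ca.example", False),
              ("www.midengd.xyz", "symantec.com", True), ("shop.midengd.xyz", "symantec.com", True)]
    for name, ca, wild in checks:
        print(f"{'*.' if wild else ''}{name} by {ca}: {issuance_permitted(zone, name, ca, wild)}")
    print("iodef:", iodef_contacts(zone, "www.midengd.xyz"))
```

Two results are worth noticing when you run it. A request for www.midengd.xyz finds no CAA RRset on that name and climbs to midengd.xyz, so the parent's issue "symantec.com" applies to every subdomain that has no CAA records of its own. shop.midengd.xyz, by contrast, has its own RRset, so the walk stops there: its issuewild ";" blocks wildcard issuance, but because the RRset contains no issue property, a non-wildcard request for that hostname is permitted to any CA, and the parent's restriction is not consulted. Publishing CAA records only at the apex therefore covers subdomains only as long as nobody adds a CAA record lower in the tree.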
Starting from April 2017, all CAs must check the CAA records of a website's domain name before they issue Secure Sockets Layer (SSL) certificates. Major DNS services outside the Chinese mainland, such as Amazon Route 53, Dyn Managed DNS, and Cloudflare DNS, all support CAA records. However, in the Chinese mainland, only a few DNS service providers support CAA records.
As society becomes more concerned about network security, CAA records will become a basic requirement for enhancing network security in industries including the financial industry, e-governance, and public services. More and more DNS service providers will support CAA records in the future.