Prevent unauthorised website certificates for your domains

The big push, over the last few years, to move websites to Transport Layer Security (TLS) certificates has been incredibly successful, in no small part thanks to Let’s Encrypt. As always, the arms race between attackers and defenders continues, and with the increased adoption of TLS comes a number of attackers looking for less diligent Certificate Authorities who will issue a certificate for sites the attackers don’t actually own. Luckily there is a way to prevent this, and it is the subject of the rest of this post: the Certificate Authority Authorization (CAA) DNS record.

Few domain names need certificates issued by more than one Certificate Authority, so we can reduce the avenues of attack by telling all Authorities which ones we use and allowing them to reject requests from any not on our allowed list. To implement this for your own domain you add a CAA record in DNS for that domain. When a Certificate Authority is asked to issue a certificate it is required to query DNS for the domain’s CAA record and, if it is not in the allowed list, deny the request. I only use Let’s Encrypt, so this seemed like a nice addition to my domain security and I decided to implement it on a few domains.

Adding the CAA records was much easier than I expected. I’d assumed I’d need to read through the DNS Certification Authority Authorization (CAA) Resource Record RFC and write the records by hand, but SSLMate provides the excellent CAA Record Helper, which let me easily create the records I needed. The records look like these:

```
## Only Let's Encrypt may issue certs for puppetcookbook.com
puppetcookbook.com. 10800 IN CAA 0 issue "letsencrypt.org"

## If any other CA is asked to issue a cert, deny the
## request and send a notification to the given email address
puppetcookbook.com. 10800 IN CAA 0 iodef "mailto:caa-violation@unixdaemon.net"
```

Looking at the rightmost fields, issue names which authorities may issue certs for this domain and iodef tells them where to send violation notifications. After logging into Gandi to update one of my domains I discovered their own tooling makes it even easier to add, so if you’re considering adding CAA records you should consult SSLMate’s Support List and your provider’s web interface.
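To make the meaning of those two properties concrete, here is an added example (not from the original post, and not SSLMate's or any CA's code) that evaluates a CA's issuance request against a small constructed zone the way RFC 8659 tells CAs to: climb from the requested name to the closest ancestor that has CAA records, honour issue (and issuewild for wildcard requests, which goes beyond the post's own records), and treat the `issue ";"` form as denying every CA. Everything in the zone apart from the two puppetcookbook.com records above is made up for the example.

```python
import re

# Constructed sample zone in presentation format; only the puppetcookbook.com
# records come from the post, the other names are invented for this example.
ZONE = {
    "puppetcookbook.com.": [
        '0 issue "letsencrypt.org"',
        '0 iodef "mailto:caa-violation@unixdaemon.net"',
    ],
    "nocerts.example.": ['0 issue ";"'],  # empty issuer domain: no CA may issue
    "wild.example.": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],  # wildcard certs denied
}

CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')

def parse_caa(rdata):
    """Split '0 issue "letsencrypt.org"' into (flags, tag, value)."""
    flags, tag, value = CAA_RE.match(rdata).groups()
    return int(flags), tag.lower(), value

def relevant_rrset(fqdn, zone):
    """RFC 8659 tree climbing: the CAA RRset of the name itself, else of its closest ancestor."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return owner, [parse_caa(r) for r in zone[owner]]
    return None, []

def check_issuance(fqdn, ca_domain, zone, wildcard=False):
    """Decide whether ca_domain may issue for fqdn; returns (allowed, iodef_contacts)."""
    _, rrset = relevant_rrset(fqdn, zone)
    contacts = [v for _, t, v in rrset if t == "iodef"]
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # when issuewild records exist they alone govern wildcard requests
    # a value may carry parameters after ";" (e.g. account binding); only the domain part is compared
    issuers = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == tag]
    if not issuers:
        return True, contacts  # no records for this property anywhere up the tree: unrestricted
    # the ";" form yields an empty issuer domain, which matches no CA and so denies everyone
    return ca_domain.lower() in issuers, contacts
```

A real CA does the same walk against live DNS (ideally DNSSEC-validated), and the iodef contact it returns is where a denied request should be reported.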

A webform to add a CAA record to a domain

As a nearly exclusive user of Let’s Encrypt certs on my domains, adding the records to shut down another avenue of attack was well worth the effort. The tooling has progressed since I last investigated and providers’ native interfaces are much better than I expected.