There is a New DNS Sheriff in Town

One of the things we see from time to time is SSL/TLS certificates issued for domains that the certificate requester does not own, by certificate authorities that are less than reputable or simply do not care.

The Internet Engineering Task Force, the body that oversees the technical operation of the Internet, has released a new capability. By this fall, all certificate authorities (the organizations that issue SSL certificates) will be REQUIRED TO recognize a new DNS record type.

This is in the early stages, so there are still kinks to be worked out, but businesses should start using these new features as soon as they can.

The new feature is called DNS Certification Authority Authorization (CAA) and support for it by SSL certificate issuers becomes mandatory in September 2017.

There are two parts to it – one part that you need to take care of and one the certificate authority has to deal with.

The DNS CAA record specifies WHO is allowed to issue an SSL/TLS certificate on your behalf. If you say that, for example, only DigiCert can issue a certificate for a domain that you own, then, according to the rules, if anyone, including you, asks a different certificate authority to issue a certificate, that authority is supposed to deny the request. There is also an option in the CAA record to have you notified if a certificate is issued for that domain, along with a number of flag bytes and other parameters.
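The check described above, as a CA would perform it, written here as an added example (not code from the original post or from any certificate authority). It assumes a hypothetical zone for the reserved name example.com, constructed inline; the records mirror the post's scenario where only DigiCert may issue, and it also covers the edge cases a CA has to handle: a domain with no CAA record anywhere in its parent chain, an `issue ";"` record that forbids everyone, a wildcard request governed by `issuewild`, and an unknown property marked critical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the property as issuer-critical
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. "digicert.com" or "mailto:hostmaster@example.com"

# Constructed sample zone data for the hypothetical domain example.com:
# only DigiCert may issue, and the owner asks to be notified via iodef.
ZONE = {
    "example.com": [
        CAA(0, "issue", "digicert.com"),
        CAA(0, "iodef", "mailto:hostmaster@example.com"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],   # nobody may issue here
    "shop.example.com": [CAA(0, "issue", "digicert.com"),
                         CAA(0, "issuewild", ";")],  # no wildcard certs
    "strict.example.com": [CAA(128, "futuretag", "x")],  # critical, unknown
}

def relevant_caa_set(name, zone):
    """Walk from `name` up towards the root and return the first CAA set found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []

def ca_may_issue(ca_domain, name, zone, wildcard=False):
    """Decide whether the CA identified by `ca_domain` may issue for `name`."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True   # no CAA anywhere in the chain: issuance is unrestricted
    # A CA that does not understand a property flagged critical must refuse.
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"
    # The domain is the text before any ";"-separated parameters; ";" alone
    # yields an empty string, which no real CA name can match.
    allowed = [r.value.split(";")[0].strip().lower() for r in rrset if r.tag == tag]
    if not allowed:
        return True   # only iodef or similar present: not a restriction
    return ca_domain.lower() in allowed
```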

In order for this to work, YOU have to add a CAA record to your DNS entry. This is the part that is more dicey. For example, tonight, I reached out to one of my ISPs and asked them how I create a CAA record and they told me that I could not. I *suspect* that by September, when this becomes mandatory, most ISPs will support it, but you will have to check.

Businesses that operate their own DNS server software will likely have to upgrade to a version that supports this new capability. BIND, the granddaddy of all DNS servers, supports CAA records starting with version 9.9.6.

For those of us who don’t run our own DNS servers, we will need to bug our ISPs until they support the capability.

Even if you don’t use SSL/TLS today, you should still add a CAA record because you don’t want anyone to get an SSL certificate in your name and masquerade as you.

While there is no such thing as a silver bullet when it comes to security, this is a useful addition.

Information for this post came from Wikipedia.
