
TIL: The Existence of the DNS Certification Authority Authorization Field

·3 mins
Author: Ixonae
Tags: Today I learned, Networking, System Administration

While migrating my blog to use S3 and CloudFormation, I needed to generate a new certificate using the AWS Certificate Manager. However, even after creating the correct DNS records and waiting for them to propagate, AWS was not accepting my generation request without providing any reason.

After spending a lot of time trying to understand what was happening, I discovered that the validation was failing because I had not allowed Amazon’s Certificate Authority to issue an SSL certificate for my domain name, which should have been done by adding a CAA (Certification Authority Authorisation) DNS record.

What is the CAA Field Used For?

CAA DNS entries let a domain owner specify which Certificate Authorities are allowed to issue certificates for that domain. The goal is to help prevent certificate mis-issuance.

CAA Configuration

Let’s look at a basic example. The following is an extract of the output of the command dig CAA ixonae.com:

ixonae.com.             16      IN      CAA     0 issuewild "letsencrypt.org"
ixonae.com.             16      IN      CAA     0 iodef "mailto:[redacted to prevent crawling]@ixonae.com"
ixonae.com.             16      IN      CAA     0 issue "amazon.com"
ixonae.com.             16      IN      CAA     0 issue "letsencrypt.org"

The response says that both Amazon and Let’s Encrypt may issue certificates for the domain ixonae.com. and its subdomains, but only Let’s Encrypt may issue wildcard certificates. If a Certificate Authority receives a certificate request that it cannot honour under this policy, it should report it to the specified email address (the iodef entry). The leading 0 is the flags value (issue, issuewild and iodef are the tags); a value of 0 tells CAs that they may ignore an entry they don’t understand and simply move on to the next one.

Flags

There are two possible flag values:

  • 0 (non-critical) is the default. If a CA doesn’t understand an entry, it can simply ignore it
  • 1 (critical) tells the CA that it must not issue the certificate if it doesn’t understand the property, and that it must notify the domain owner of the failure (using the addresses given in the iodef entries)

CAA Scope

In our example, all entries have been defined for ixonae.com, but we can also define entries for specific domains such as www.ixonae.com or test.www.ixonae.com.

Rules are matched from the most specific name to the least specific one. For example, to issue a certificate for test.subdomain.domain.com, a CA first looks for CAA records on test.subdomain.domain.com. If there are none, it checks subdomain.domain.com, and finally domain.com.

Another thing to note: if a name has only issue entries, the listed CAs are also allowed to issue wildcard certificates. As soon as there are issuewild entries, only the CAs listed in those entries may issue wildcard certificates.

A final interesting property: if the only entry is issue ";" (an empty CA name), no CA at all is allowed to issue a certificate for that domain, whereas if there are no CAA entries at all, every CA is.
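The rules described in the three sections above (flags, the climb from the most specific name to the least specific one, issue versus issuewild, and the ";" deny-all entry) are what a CA implements when it checks CAA before issuing. The following Python is an added example written for this post, not the author's code or any CA's implementation; it follows the RFC 8659 evaluation rules. It parses dig-style answer lines into a small in-memory zone and then decides whether a given CA may issue for a given name. The records for ixonae.com are the ones shown above; the locked.ixonae.com and strict.ixonae.com names, the futuretag property and the CA names other than Amazon and Let's Encrypt are constructed for the demo. Note that RFC 8659 places the issuer-critical flag in the high bit of the flags octet, which dig prints as 128.

```python
"""Evaluate CAA policy the way a CA does under RFC 8659.

Added example, not the post author's code. Parses dig-style CAA lines into an
in-memory zone, climbs from the requested name towards the root to find the
relevant RRset, then applies the issue / issuewild / critical-flag rules.
Records other than the ixonae.com ones quoted in the post are constructed.
"""
import re

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# RFC 8659 puts the Issuer Critical flag in the high bit of the flags octet,
# which dig prints as 128 (e.g. '128 tbs "..."').
ISSUER_CRITICAL = 0x80

DIG_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"(.*)"\s*$')

# Constructed sample: the records from the post plus two extra names
# (locked.* denies every CA; strict.* carries a critical, unknown property).
SAMPLE_DIG_OUTPUT = """\
ixonae.com.             16      IN      CAA     0 issuewild "letsencrypt.org"
ixonae.com.             16      IN      CAA     0 iodef "mailto:[redacted]@ixonae.com"
ixonae.com.             16      IN      CAA     0 issue "amazon.com"
ixonae.com.             16      IN      CAA     0 issue "letsencrypt.org"
locked.ixonae.com.      16      IN      CAA     0 issue ";"
strict.ixonae.com.      16      IN      CAA     128 futuretag "unknown-to-this-ca"
strict.ixonae.com.      16      IN      CAA     0 issue "amazon.com"
"""


def parse_dig_caa(text):
    """Turn dig answer lines into {owner_name: [(flags, tag, value), ...]}."""
    zone = {}
    for line in text.splitlines():
        m = DIG_LINE.match(line.strip())
        if not m:
            continue  # blank lines, comments, non-CAA records
        name, flags, tag, value = m.groups()
        zone.setdefault(name.rstrip(".").lower(), []).append(
            (int(flags), tag.lower(), value))
    return zone


def relevant_rrset(zone, fqdn):
    """Climb from fqdn towards (but not including) the root; the first name
    that has CAA records is the relevant RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in zone:
            return name, zone[name]
    return None, []


def issuer_domain(value):
    """'amazon.com; policy=ev' -> 'amazon.com'; ';' -> '' (denies every CA)."""
    return value.split(";", 1)[0].strip().lower()


def is_authorized(zone, requested_name, ca_domain):
    """Return (allowed, reason) for CA `ca_domain` issuing for `requested_name`."""
    wildcard = requested_name.startswith("*.")
    lookup_name = requested_name[2:] if wildcard else requested_name
    owner, rrset = relevant_rrset(zone, lookup_name)
    if not rrset:
        return True, "no CAA records on the path to the root; any CA may issue"

    # A critical record whose tag this CA does not understand blocks issuance.
    for flags, tag, _ in rrset:
        if flags & ISSUER_CRITICAL and tag not in KNOWN_TAGS:
            return False, f"critical property '{tag}' at {owner} is not understood"

    tags = {tag for _, tag, _ in rrset}
    if wildcard and "issuewild" in tags:
        applicable = "issuewild"  # issuewild overrides issue for wildcard names
    else:
        applicable = "issue"      # issue also covers wildcards when no issuewild exists
    issuers = [issuer_domain(v) for _, tag, v in rrset if tag == applicable]
    if not issuers:
        return True, f"no {applicable} property at {owner}; issuance not restricted"
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} is listed in {applicable} at {owner}"
    return False, f"{ca_domain} is not listed in {applicable} at {owner} (listed: {issuers})"


def report_addresses(zone, fqdn):
    """iodef targets (mailto:/https:) a CA should notify about a refused request."""
    _, rrset = relevant_rrset(zone, fqdn)
    return [v for _, tag, v in rrset if tag == "iodef"]


if __name__ == "__main__":
    zone = parse_dig_caa(SAMPLE_DIG_OUTPUT)
    for name, ca in [("ixonae.com", "amazon.com"), ("*.ixonae.com", "amazon.com"),
                     ("*.ixonae.com", "letsencrypt.org"), ("www.ixonae.com", "letsencrypt.org"),
                     ("locked.ixonae.com", "letsencrypt.org"), ("strict.ixonae.com", "amazon.com"),
                     ("unrelated.example", "amazon.com")]:
        ok, why = is_authorized(zone, name, ca)
        print(f"{'ALLOW' if ok else 'DENY ':5} {ca:16} {name:22} {why}")
```

Running the script prints one line per (CA, name) pair: Amazon is allowed for ixonae.com but not for *.ixonae.com, www.ixonae.com inherits the ixonae.com records, locked.ixonae.com refuses everyone, and strict.ixonae.com refuses a CA that does not understand its critical property.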


Credits

  • Cover Photo by Scott Rodgerson Unsplash