2022-10-23
Why I feel DNS CAA records are a real TLS security improvement in practice
I've known about DNS Certification Authority Authorization (CAA) records for a while, but I've generally considered them mostly an interesting curiosity instead of something that people should generally care about. If you knew that you only got TLS certificates from Let's Encrypt (for example), you could set a CAA record on your domain saying so and get what I thought of as 'a bit of extra security'. But yesterday, when writing about how Certificate Transparency is about improving the TLS ecology, I had a sudden realization of why you should care about CAA records and consider using them.
The fundamental Certificate Authority problem is that any CA in the world can issue valid TLS certificates for your domain, regardless of how good or bad their practices are. These days all CAs at least claim to be careful and there is some assurance that they are, but their actual operational practices vary and a specific CA may be vulnerable to issues like BGP-based attacks.
What a CAA record does is let you confine TLS certificate issuance to CAs whose processes you actually trust. You don't have to trust that some random CA reseller with an intermediate TLS certificate will properly do multi-network domain validation and not be fooled by anything short of epic BGP route hijacking, for one non-hypothetical example. You can restrict the set of CAs that can ruin your life to the ones that you use and the ones that you believe have good, thorough processes (for example, Let's Encrypt, which apparently takes significant care to avoid being fooled by issues like this).
(My feeling is that this is especially useful for smaller organizations that don't necessarily have the pull to get prompt action from the TLS ecology. Of course, smaller organizations are probably less likely to be targeted this way in the first place.)
In the old days of TLS, CAA records would probably have been less useful in practice than they are now. This is because Certificate Transparency has forced CAs to clean up their acts. Today, anyone can monitor CT logs and cross-verify the CA issuing a TLS certificate against the domain's CAA record. That anyone can do this means that a CA not getting CAA handling right is potentially much more visible, so CAs are pushed to get it right. In the old days, you could have mandated that CAs respect CAA records, but the practical odds were that they'd have process problems, and you probably wouldn't have caught them before an incident.
(What CT logs do is give you visibility into cases where one part of an organization sets a CAA record and another part goes out to get a TLS certificate from someone not in the CAA record. That request should fail, but if CA processes are imperfect, it would succeed and probably not get noticed without CT logs.)
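As an added illustration (not code from this post), here is the cross-check a CT log monitor can run against a logged certificate, in Python: it does the RFC 8659 walk from the certificate's name towards the root to find the relevant CAA record set, then asks whether the issuing CA was authorized, including the issuewild handling for wildcard names. The zone contents, the CA identifiers (letsencrypt.org, digicert.com) and the CT entries are constructed for the example, and lookups hit an in-memory dict instead of real DNS.

```python
# Added example: constructed zone data and CT entries; no DNS or CT log is queried.
# Constructed zone: owner name -> list of (flags, tag, value) CAA records.
# Only example.com. has records, so www.example.com. inherits them through the
# RFC 8659 parent walk; lab.example.com. has its own set, which overrides the apex.
ZONE_CAA = {
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "issuewild", ";")],   # bare ";" forbids all wildcard issuance
    "lab.example.com.": [(0, "issue", "digicert.com; validationmethods=dns-01")],
}

def relevant_caa(name):
    """RFC 8659 section 3: walk from name towards the root and return the first
    non-empty CAA record set found, or None if no ancestor has one."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE_CAA.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return None

def issuance_permitted(name, issuer_domain):
    """True if the CA identified by issuer_domain may issue a certificate for
    name; a leading '*.' makes it a wildcard request governed by issuewild."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    rrset = relevant_caa(name)
    if rrset is None:
        return True   # no CAA records anywhere up the tree: any CA may issue
    tag = "issuewild" if wildcard else "issue"
    allowed = [v for _, t, v in rrset if t == tag]
    if wildcard and not allowed:    # no issuewild records: the issue records apply
        allowed = [v for _, t, v in rrset if t == "issue"]
    # A value may carry parameters after ';' ("digicert.com; validationmethods=...");
    # only the issuer domain before it identifies the CA. An empty domain matches nobody.
    domains = {v.split(";", 1)[0].strip().lower() for v in allowed}
    return issuer_domain.lower() in domains

# Constructed CT log entries: the name on the certificate and the CA's CAA identifier.
CT_ENTRIES = [
    {"name": "www.example.com.", "issuer": "letsencrypt.org"},
    {"name": "www.example.com.", "issuer": "some-reseller.example"},   # should not exist
    {"name": "*.example.com.", "issuer": "letsencrypt.org"},           # wildcard forbidden
    {"name": "*.lab.example.com.", "issuer": "digicert.com"},          # falls back to issue
]

def audit_ct_entries(entries):
    """Return the logged certificates whose issuer the CAA policy did not permit."""
    return [e for e in entries if not issuance_permitted(e["name"], e["issuer"])]
```

Running audit_ct_entries(CT_ENTRIES) flags the reseller-issued certificate and the wildcard, which is exactly the mismatch between one part of an organization's CAA record and another part's certificate request that CT visibility surfaces.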