As of September 2017, you have an additional way to protect the security of your website. You can create a Certificate Authority Authorization (CAA) Domain Name System (DNS) record to identify which certificate authorities may issue SSL/TLS certificates for a domain. Once the record is in place, a certificate authority asked to issue a certificate for the site can check that it is the provider named in the CAA record before issuing. The CAA record type seeks to constrain the ability of an attacker to obtain an unauthorized certificate for a domain.
Before you add a CAA record, you should already have a certificate from a Certificate Authority (part of the process used to create an HTTPS connection) installed for your domain. Not sure if you have this configured? If you do, you’ll see a lock next to the URL of your site when you visit it. For example, in Chrome the lock turns green when an HTTPS connection occurs. (For more details, see “5 best practices for switching your site to HTTPS for improved security.”) To add a certificate, check with your hosting provider. Many will let you add a free certificate from Let’s Encrypt.
Next, you’ll need to be able to create a CAA DNS record. Most DNS software, such as BIND and Windows Server 2016, already supports CAA records, and some DNS hosting providers, such as Digital Ocean, Gandi, and Linode, support the record type as well.
Google Domains lets you add a CAA record. Here’s how.
1. Identify your certificate provider
First, obtain the official domain name used by your certificate authority. For example, since I use Let’s Encrypt, the domain is letsencrypt.org. (See more about CAA at Let’s Encrypt: https://letsencrypt.org//docs/caa/.)
2. Choose the domain to check
The most common and simplest setup is a CAA record that covers your main domain, e.g., example.com. But you can also create a CAA record for a subdomain, such as securesite.example.com.
SSLMate provides a tool, CAA Record Helper (see https://sslmate.com/caa/), which helps you create a CAA entry. It can help you identify and modify an existing CAA record, or auto-generate the values needed to create a new CAA record. For example, if I want to protect TechRepublic.com, I can enter that in the domain name field, then select “Auto-Generate Policy.” The tool detects my certificate provider and generates sample policy values.
3. Add the record
Next, log in to your domain name manager to add the CAA record. If you use Google Domains, log in to your account at https://domains.google.com, choose your domain, then select the edit DNS record option. Take the information from the policy created previously, and enter it in the corresponding fields. In my case, I entered wolberworks.com. in the domain field, chose CAA for the record type from the drop-down menu, entered 0 issue "letsencrypt.org" as the value, and selected “Add” to save the record. Then, I waited for the record to update across the domain name system.
4. Check your work
To verify that the new CAA record is valid, you can run a test with another tool: https://ssllabs.com/ssltest/. Enter the domain name for which you created the CAA record in the “Hostname” field. Optionally, check the “Do not show the results on the board” option to keep your test results private. Then submit the domain to run a series of tests.
The results display a variety of information about your domain. Look for the phrase “DNS Certification Authority Authorization (CAA) Policy found for this domain.” Further down in the results, you should see your certificate provider listed in the DNS CAA details.
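The record you entered in step 3 and the policy the test in step 4 reports are the input to a check that the certificate authority performs at issuance time. The following example is added here and is not code from the original article or from any CA or DNS provider: it evaluates a CAA policy the way RFC 6844 describes, over a small constructed zone instead of live DNS, so it runs offline. The zone data, owner names and CA identifiers are constructed for illustration.

```python
import re

# Constructed sample zone data (not real DNS answers): owner name -> CAA records
# in presentation format "<flags> <tag> \"<value>\"", as entered in a DNS console.
SAMPLE_ZONE = {
    "example.com.": [
        '0 issue "letsencrypt.org"',              # only Let's Encrypt may issue
        '0 issuewild ";"',                        # nobody may issue wildcard certs
        '0 iodef "mailto:security@example.com"',  # where a CA reports violations
    ],
    "wolberworks.com.": ['0 issue "letsencrypt.org"'],
}

CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')

def parse_caa(record):
    """Split one CAA record into (flags, tag, value)."""
    m = CAA_RE.match(record.strip())
    if not m:
        raise ValueError(f"not a CAA record: {record!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)

def relevant_caa_set(name, zone):
    """RFC 6844 tree climbing: the first non-empty CAA set found walking from
    name toward the root is the one that applies (subdomains inherit it)."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".", [])
        if rrset:
            return [parse_caa(r) for r in rrset]
        labels = labels[1:]
    return []

def ca_may_issue(name, ca_domain, zone, wildcard=False):
    """Return True if the CA identified by ca_domain may issue for name."""
    rrset = relevant_caa_set(name, zone)
    # A record with the critical flag (128) and a tag the CA does not understand
    # must make the CA refuse issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    # issuewild governs wildcard requests when present; otherwise issue applies.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True  # no CAA set, or nothing in it restricts this kind of issuance
    # The CA identifier is the part before ';' (parameters may follow), so the
    # value ";" authorizes no CA at all.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed
```

A domain with no CAA record anywhere up its tree is unrestricted, which is why a missing record is not an error in the SSL Labs report, only a missing protection.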
As with most security measures, problems may still arise. A security failure at either your certificate provider or your domain name registrar could undermine the protection, and a sophisticated attacker might still be able to serve false DNS data designed to deceive the check (signing your zone with DNSSEC makes that harder).
Think of a CAA record as a way to apply an additional layer of protection to your organization’s online presence. If you’ve taken the time to obtain a certificate for your site, take the time to create a CAA record, too.
Have you created a CAA record for your site? How did your configuration go? If not, why? Let me know in the comments, or on Twitter (@awolber).