Every security technology needs a certain deployment base in order to be effective. With many other security measures already at our disposal, restricting the set of Certificate Authorities (CAs) that may issue an X.509 certificate for a given domain is just one more step. The standard for doing so is RFC 6844, which specifies the DNS Certificate Authority Authorization (CAA) Resource Record. By publishing this special DNS RR, the owner of a domain (more precisely: whoever controls its DNS) lets any complying CA check whether it is wanted to issue certificates for that domain.
Since the CAA DNS RR is quite new, the question arose whether there are any deployments yet.
Because, unlike for IPv4, there is no easily searchable address space for domain names, the matter is a bit more complicated than one might think at first. As I had no more comprehensive list at hand than the Alexa Top 1M websites, that had to do as a rough approximation for answering the question.
Another approach tried was the oldie-but-goodie NSEC3Walker, with the quite obvious downside that enumerating a zone to yield a list of domain names takes quite some time – which is why it has only been attempted for the .fail TLD so far.
Which brings us to the first observation: the .fail TLD, being one of the new gTLDs, does not really look like it is actively used with DNSSEC. Of the domains that do use DNSSEC (49 according to my scan), only 4 carry CAA DNS RRs, and all of them are mine. While this share of about 8.2% might look promising, it is most likely incidental given the small number of domains covered:
crypto.fail. 3600 IN TYPE257 \# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574
crypto.fail. 3600 IN TYPE257 \# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333
crypto.fail. 3600 IN TYPE257 \# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333
openpgp.fail. 3600 IN TYPE257 \# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574
openpgp.fail. 3600 IN TYPE257 \# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333
openpgp.fail. 3600 IN TYPE257 \# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333
security.fail. 3600 IN TYPE257 \# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574
security.fail. 3600 IN TYPE257 \# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333
security.fail. 3600 IN TYPE257 \# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333
x509.fail. 3600 IN TYPE257 \# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333
x509.fail. 3600 IN TYPE257 \# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574
x509.fail. 3600 IN TYPE257 \# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333
All 4 domains have DNSSEC, TLSA (DANE) and CAA records, with both TLSA and CAA designating CAcert as the CA to be used for issuing certificates (incidentally the same CA this blog uses too).
Which brings us back to the initial approach: querying domains from a set of previously known domain names. Downloading and extracting the Alexa Top 1M is straightforward, and asking for the actual records can be automated with just one line of bash:
cat top-1m.csv | cut -d, -f2 | parallel -j16 dig +nocmd +noadditional +noauthority +noquestion TYPE257 | grep --line-buffered -v \; | grep --line-buffered TYPE257 | tee top-1m.caa.txt
Looking at the results as they arrive, we find the following output:
google.com. 85980 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
symantec.com. 1502 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
opera.com. 3600 IN TYPE257 \# 34 0005696F6465666D61696C746F3A686F73746D6173746572406F7065 72612E636F6D
opera.com. 3600 IN TYPE257 \# 19 0005697373756564696769636572742E636F6D
opera.com. 3600 IN TYPE257 \# 23 0009697373756577696C6464696769636572742E636F6D
comodo.com. 1200 IN TYPE257 \# 19 00056973737565636F6D6F646F63612E636F6D
comodo.com. 1200 IN TYPE257 \# 35 0005696F6465666D61696C746F3A73736C616275736540636F6D6F64 6F63612E636F6D
fu-berlin.de. 86400 IN TYPE257 \# 38 0005696F6465666D61696C746F3A6365727469666963617465406675 2D6265726C696E2E6465
fu-berlin.de. 86400 IN TYPE257 \# 17 00056973737565706B692E64666E2E6465
instantssl.com. 1200 IN TYPE257 \# 19 00056973737565636F6D6F646F63612E636F6D
instantssl.com. 1200 IN TYPE257 \# 35 0005696F6465666D61696C746F3A73736C616275736540636F6D6F64 6F63612E636F6D
posteo.de. 1800 IN TYPE257 \# 19 00056973737565737461727473736C2E636F6D
posteo.de. 1800 IN TYPE257 \# 18 00056973737565642D74727573742E6E6574
posteo.de. 1800 IN TYPE257 \# 19 0005697373756567656F74727573742E636F6D
posteo.de. 1800 IN TYPE257 \# 23 0009697373756577696C64737461727473736C2E636F6D
posteo.de. 1800 IN TYPE257 \# 23 0009697373756577696C6467656F74727573742E636F6D
posteo.de. 1800 IN TYPE257 \# 22 0009697373756577696C64642D74727573742E6E6574
posteo.de. 1800 IN TYPE257 \# 34 0005696F6465666D61696C746F3A686F73746D617374657240706F73 74656F2E6465
lets-fish.com. 86400 IN TYPE257 \# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D
lets-fish.com. 86400 IN TYPE257 \# 23 8009697373756577696C64737461727473736C2E636F6D
lets-fish.com. 86400 IN TYPE257 \# 19 80056973737565737461727473736C2E636F6D
defcon.org. 86400 IN TYPE257 \# 19 0005697373756564696769636572742E636F6D
entrust.net. 7200 IN TYPE257 \# 21 0005697373756563612E656E74727573742E6E6574
lets-hunt.com. 86400 IN TYPE257 \# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D
lets-hunt.com. 86400 IN TYPE257 \# 19 80056973737565737461727473736C2E636F6D
lets-hunt.com. 86400 IN TYPE257 \# 23 8009697373756577696C64737461727473736C2E636F6D
devever.net. 300 IN TYPE257 \# 22 000569737375656C657473656E63727970742E6F7267
tensquaregames.com. 86400 IN TYPE257 \# 19 80056973737565737461727473736C2E636F6D
tensquaregames.com. 86400 IN TYPE257 \# 23 8009697373756577696C64737461727473736C2E636F6D
tensquaregames.com. 86400 IN TYPE257 \# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D
melenky.ru. 900 IN TYPE257 \# 19 00056973737565737461727473736C2E636F6D
bgbm.org. 86400 IN TYPE257 \# 38 0005696F6465666D61696C746F3A6365727469666963617465406675 2D6265726C696E2E6465
bgbm.org. 86400 IN TYPE257 \# 17 00056973737565706B692E64666E2E6465
mushroom-hunt.com. 86400 IN TYPE257 \# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D
mushroom-hunt.com. 86400 IN TYPE257 \# 19 80056973737565737461727473736C2E636F6D
mushroom-hunt.com. 86400 IN TYPE257 \# 23 8009697373756577696C64737461727473736C2E636F6D
seas.sk. 28800 IN TYPE257 \# 12 0009697373756577696C643B
seas.sk. 28800 IN TYPE257 \# 32 0005696F6465666D61696C746F3A686F73746D617374657240736561 732E736B
seas.sk. 28800 IN TYPE257 \# 19 0005697373756567656F74727573742E636F6D
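Older dig versions print CAA in the generic RFC 3597 form shown above (`TYPE257 \# <length> <hex>`), which is unreadable without decoding. The following script is an added example, not code from the original post: it parses such lines and splits the RDATA according to the CAA wire format of RFC 6844 section 5.1 (one flags byte, one tag-length byte, the tag, and the value as the remainder). The sample lines are copied verbatim from the dig output quoted in the post; the parser, its names and its length consistency check are mine.

```python
"""Decode CAA records printed by dig in RFC 3597 generic form (TYPE257 \\# len hex).

Added example, not code from the original post.  The SAMPLE lines are copied
from the post's dig output; the decoder follows RFC 6844 section 5.1:

    flags (1 byte) | tag length (1 byte) | tag | value (rest of the RDATA)
"""
import re
from typing import NamedTuple

# Bit 7 of the flags byte is "issuer critical" (RFC 6844 section 5.1.1).
FLAG_ISSUER_CRITICAL = 0x80


class CAARecord(NamedTuple):
    name: str
    ttl: int
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & FLAG_ISSUER_CRITICAL)


# dig prints unknown RR types as "\# <length> <hex...>" and breaks the hex into
# chunks separated by spaces, so the hex part may consist of several groups.
_LINE_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+TYPE257\s+\\#\s+(\d+)\s+([0-9A-Fa-f ]+)$"
)


def decode_caa_rdata(rdata: bytes) -> tuple[int, str, str]:
    """Split raw CAA RDATA into (flags, tag, value) per RFC 6844 section 5.1."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than flags + tag length")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA tag length inconsistent with RDATA length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    # Tags are matched case-insensitively, so normalise them once here.
    return flags, tag.lower(), value


def parse_dig_line(line: str) -> CAARecord:
    """Parse one generic-format TYPE257 line as printed by dig."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a generic-format TYPE257 line: {line!r}")
    name, ttl, length, hexdata = m.groups()
    rdata = bytes.fromhex(hexdata.replace(" ", ""))
    # The declared RDATA length must match the hex actually printed.
    if len(rdata) != int(length):
        raise ValueError(f"{name}: declared length {length} != {len(rdata)} bytes")
    flags, tag, value = decode_caa_rdata(rdata)
    return CAARecord(name, int(ttl), flags, tag, value)


def parse_dig_output(text: str) -> list[CAARecord]:
    """Decode every TYPE257 line in a block of dig output, skipping other lines."""
    return [parse_dig_line(l) for l in text.splitlines() if "TYPE257" in l]


# Lines copied from the dig output quoted in the post (Alexa run and .fail scan).
SAMPLE = """\
google.com. 85980 IN TYPE257 \\# 19 0005697373756573796D616E7465632E636F6D
lets-fish.com. 86400 IN TYPE257 \\# 23 8009697373756577696C64737461727473736C2E636F6D
seas.sk. 28800 IN TYPE257 \\# 12 0009697373756577696C643B
crypto.fail. 3600 IN TYPE257 \\# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333
opera.com. 3600 IN TYPE257 \\# 34 0005696F6465666D61696C746F3A686F73746D6173746572406F7065 72612E636F6D
"""

if __name__ == "__main__":
    for rec in parse_dig_output(SAMPLE):
        crit = " (critical)" if rec.critical else ""
        print(f'{rec.name:16} {rec.tag:9}{crit} "{rec.value}"')
```

Running it over the post's own data makes two things visible that the hex hides: the four game-related domains set the issuer-critical flag (`80` as first byte) on their `issue`/`issuewild` records, and the `seas.sk` `issuewild` record carries the value `;`, which is the RFC 6844 way of forbidding wildcard issuance by any CA. The same decoder can be piped over `top-1m.caa.txt` from the one-liner above.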
Which boils down to the following groups of domains:
- Certificate Authorities (CAs):
  - google.com
  - symantec.com
  - comodo.com
  - instantssl.com
  - entrust.net
- Browsers:
  - opera.com
- Universities:
  - fu-berlin.de
  - bgbm.org
- Mail Providers:
  - posteo.de
- Games:
  - tensquaregames.com
  - lets-fish.com
  - lets-hunt.com
  - mushroom-hunt.com
- Technology:
  - defcon.org
  - devever.net
- Geography:
  - melenky.ru
In case you wonder: I classify Google as a CA here, because they are one (apart from the several other pet projects they maintain). In the context of this research, the most reasonable reason for them to deploy CAA is probably that they manage their PKI themselves.
Which brings us to an interesting point: while Google has its own PKI, they allow Symantec Inc. to issue certificates for them. Having a closer look at the data above, we find the following properties used:
- issue: Present for all 17 domains, posteo.de using 3 different ones. Specified CAs include:
  - Symantec: google.com, symantec.com
  - DigiCert: opera.com, defcon.org
  - Comodo: comodo.com, instantssl.com
  - DFN Verein CA (German Research Network PKI): fu-berlin.de, bgbm.org
  - StartCom: posteo.de, lets-fish.com, lets-hunt.com, tensquaregames.com, mushroom-hunt.com, melenky.ru
  - D-Trust: posteo.de
  - GeoTrust: posteo.de, seas.sk
  - Entrust: entrust.net
  - others: devever.net
- issuewild: Only present for 7 domains:
  - DigiCert: opera.com
  - StartCom: posteo.de, lets-fish.com, lets-hunt.com, tensquaregames.com, mushroom-hunt.com
  - D-Trust: posteo.de
  - GeoTrust: posteo.de
  - Denial of issuewild: seas.sk
- iodef: Present for 11 domains and pointing either to a mailbox on that domain (opera.com, posteo.de and seas.sk), to a shared collection address (tensquaregames.com and its related lets-fish.com, lets-hunt.com and mushroom-hunt.com), or to an abuse/information mailbox at the CA (Comodo for comodo.com & instantssl.com, and the DFN Verein CA for fu-berlin.de & bgbm.org).
No other or custom properties for CAA DNS RR are present for the Alexa set of domains.
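How a complying CA is supposed to act on these properties is spelled out in RFC 6844 sections 4 and 5: walk from the requested name towards the root until a non-empty CAA RRset is found, let `issuewild` govern wildcard requests when present (falling back to `issue` otherwise), refuse when an unknown property carries the critical flag, and permit only when the CA's own domain appears as an issuer domain. The following script is an added example, not code from the original post or from any CA; it models that decision against an in-memory zone snapshot (a constructed stand-in for DNS, filled with the property values decoded above for seas.sk, posteo.de and lets-fish.com). The CNAME/alias step of the RFC's lookup is deliberately left out of this model.

```python
"""Decide whether a CA may issue for a name, following RFC 6844 sections 4 and 5.

Added example, not the post's code nor any CA's implementation.  ZONE is a
constructed in-memory stand-in for DNS; its property values are the ones the
post's dig output decodes to.
"""

CAA = tuple[int, str, str]       # (flags, tag, value) as carried in the RDATA
FLAG_ISSUER_CRITICAL = 0x80      # RFC 6844 section 5.1.1
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone snapshot keyed by owner name (values taken from the post's data).
ZONE: dict[str, list[CAA]] = {
    "seas.sk": [(0, "issuewild", ";"), (0, "issue", "geotrust.com"),
                (0, "iodef", "mailto:hostmaster@seas.sk")],
    "posteo.de": [(0, "issue", "startssl.com"), (0, "issue", "d-trust.net"),
                  (0, "issue", "geotrust.com"), (0, "issuewild", "startssl.com"),
                  (0, "issuewild", "geotrust.com"), (0, "issuewild", "d-trust.net")],
    "lets-fish.com": [(0x80, "issuewild", "startssl.com"),
                      (0x80, "issue", "startssl.com")],
}


def relevant_caa_set(name: str, zone: dict[str, list[CAA]]) -> list[CAA]:
    """RFC 6844 section 4: starting at the name (or, for "*.x", at x), walk towards
    the root and return the first non-empty CAA RRset; empty if none exists."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """Issuer-domain part of an issue/issuewild value: the text before the first ';'.
    A bare ';' therefore yields '', which matches no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name: str, ca_domain: str, zone: dict[str, list[CAA]]) -> bool:
    """True if a CA identified by ca_domain may issue a certificate for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa_set(name, zone)
    # An unknown property flagged critical means the CA MUST NOT issue.
    if any(flags & FLAG_ISSUER_CRITICAL and tag not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # Section 5.3: issuewild governs wildcard requests when present; otherwise
    # wildcards fall back to issue.  issuewild is ignored for non-wildcard names.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True          # no restriction published: any CA may issue
    return ca_domain.lower() in {issuer_domain(v) for v in applicable}


if __name__ == "__main__":
    checks = [("seas.sk", "geotrust.com"), ("*.seas.sk", "geotrust.com"),
              ("www.seas.sk", "geotrust.com"), ("posteo.de", "letsencrypt.org"),
              ("*.posteo.de", "d-trust.net"), ("*.lets-fish.com", "startssl.com"),
              ("example.org", "any-ca.example")]
    for name, ca in checks:
        print(f"{ca:16} -> {name:18} {'permitted' if caa_permits(name, ca, ZONE) else 'DENIED'}")
```

The model shows why the seas.sk records above amount to a "denial of issuewild": the lone `issuewild ";"` takes precedence for `*.seas.sk` and its empty issuer domain matches nobody, while `www.seas.sk` inherits the `issue geotrust.com` permission from the parent name. Names without any CAA record in the tree remain open to every CA, which is exactly the weakness the RFC accepts in exchange for incremental deployability.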
Cross-checking these results with deployment of DNSSEC yields that only 8 of the 17 domains discovered to use CAA DNS RR also use DNSSEC (i.e. have a DNSKEY present):
- defcon.org
- devever.net
- lets-fish.com
- lets-hunt.com
- melenky.ru
- mushroom-hunt.com
- posteo.de
- tensquaregames.com
This rather low rate of DNSSEC among CAA-protected domains (47%) is somewhat unexpected, given that DNSSEC is usually the more powerful protection, while CAA is – by its very definition – only an optional band-aid for in-depth protection at the time a certificate is issued.
Yet given the very dim overall deployment of the CAA DNS RR, not much is lost through this lack of other domain protections. It is nonetheless quite interesting to see all the major features of the RFC already being used in real-world deployments.