BenBE's humble thoughts Thoughts the world doesn't need yet …

19.02.2016

Trust Delegation with CAA DNS RR

Filed under: Server — Tags: — BenBE @ 10:42:51

Every security technology needs a certain deployment base in order to be effective. With many other security measures already at our disposal, restricting the set of Certificate Authorities that may issue an X.509 certificate for a given domain is just another step. The standard for doing so is RFC 6844, which specifies the DNS Certificate Authority Authorization (CAA) Resource Record. By means of a special DNS RR it allows any complying CA to check whether the owner of the domain (actually: the one in control of the DNS) wishes any given CA to issue certificates for this domain.

Given that the CAA DNS RR is quite new, the question arose whether there are any deployments yet.

Given that, unlike for IPv4, there is no easily searchable address space for domain names, the matter was a bit more complicated than one might think at first. Also, not having a more comprehensive list than the Alexa Top 1M websites at hand, that had to do as a rough approximation for answering the question.

Another approach tried was using the oldie-but-goodie NSEC3Walker, with the quite obvious downside that enumerating the zones to yield a list of domain names takes quite some time – and thus it has only been attempted for the .fail domain so far.

Which brings us to the first observation: the .fail domain, being one of the new gTLDs, doesn't really look like it is actively used with DNSSEC; thus for the domains that use DNSSEC (49 according to my scan) we get only 4 using the CAA DNS RR, all of which are mine. While this percentage of about 8.2% might look promising, it is most likely incidental due to the small number of domains covered:

crypto.fail.		3600	IN	TYPE257	\# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574
crypto.fail.		3600	IN	TYPE257	\# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333
crypto.fail.		3600	IN	TYPE257	\# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333
openpgp.fail.		3600	IN	TYPE257	\# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574
openpgp.fail.		3600	IN	TYPE257	\# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333
openpgp.fail.		3600	IN	TYPE257	\# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333
security.fail.		3600	IN	TYPE257	\# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574
security.fail.		3600	IN	TYPE257	\# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333
security.fail.		3600	IN	TYPE257	\# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333
x509.fail.		3600	IN	TYPE257	\# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333
x509.fail.		3600	IN	TYPE257	\# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574
x509.fail.		3600	IN	TYPE257	\# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333

All 4 domains have DNSSEC, TLSA (DANE) and CAA records, with both TLSA and CAA designating CAcert as the CA to be used for issuing certificates (incidentally the same CA this blog uses too).

Which brings us back to the initial attempt of querying domains from a set of previously known domain names. Downloading and extracting the Alexa Top 1M is straightforward, and asking for the actual records can be automated with just one line of bash:

cat top-1m.csv | cut -d, -f2 | parallel -j16 dig +nocmd +noadditional +noauthority +noquestion TYPE257 | grep --line-buffered -v \; | grep --line-buffered TYPE257 | tee top-1m.caa.txt

Looking at the results as they arrive, we find the following output:

google.com.		85980	IN	TYPE257	\# 19 0005697373756573796D616E7465632E636F6D
symantec.com.		1502	IN	TYPE257	\# 19 0005697373756573796D616E7465632E636F6D
opera.com.		3600	IN	TYPE257	\# 34 0005696F6465666D61696C746F3A686F73746D6173746572406F7065 72612E636F6D
opera.com.		3600	IN	TYPE257	\# 19 0005697373756564696769636572742E636F6D
opera.com.		3600	IN	TYPE257	\# 23 0009697373756577696C6464696769636572742E636F6D
comodo.com.		1200	IN	TYPE257	\# 19 00056973737565636F6D6F646F63612E636F6D
comodo.com.		1200	IN	TYPE257	\# 35 0005696F6465666D61696C746F3A73736C616275736540636F6D6F64 6F63612E636F6D
fu-berlin.de.		86400	IN	TYPE257	\# 38 0005696F6465666D61696C746F3A6365727469666963617465406675 2D6265726C696E2E6465
fu-berlin.de.		86400	IN	TYPE257	\# 17 00056973737565706B692E64666E2E6465
instantssl.com.		1200	IN	TYPE257	\# 19 00056973737565636F6D6F646F63612E636F6D
instantssl.com.		1200	IN	TYPE257	\# 35 0005696F6465666D61696C746F3A73736C616275736540636F6D6F64 6F63612E636F6D
posteo.de.		1800	IN	TYPE257	\# 19 00056973737565737461727473736C2E636F6D
posteo.de.		1800	IN	TYPE257	\# 18 00056973737565642D74727573742E6E6574
posteo.de.		1800	IN	TYPE257	\# 19 0005697373756567656F74727573742E636F6D
posteo.de.		1800	IN	TYPE257	\# 23 0009697373756577696C64737461727473736C2E636F6D
posteo.de.		1800	IN	TYPE257	\# 23 0009697373756577696C6467656F74727573742E636F6D
posteo.de.		1800	IN	TYPE257	\# 22 0009697373756577696C64642D74727573742E6E6574
posteo.de.		1800	IN	TYPE257	\# 34 0005696F6465666D61696C746F3A686F73746D617374657240706F73 74656F2E6465
lets-fish.com.		86400	IN	TYPE257	\# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D
lets-fish.com.		86400	IN	TYPE257	\# 23 8009697373756577696C64737461727473736C2E636F6D
lets-fish.com.		86400	IN	TYPE257	\# 19 80056973737565737461727473736C2E636F6D
defcon.org.		86400	IN	TYPE257	\# 19 0005697373756564696769636572742E636F6D
entrust.net.		7200	IN	TYPE257	\# 21 0005697373756563612E656E74727573742E6E6574
lets-hunt.com.		86400	IN	TYPE257	\# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D
lets-hunt.com.		86400	IN	TYPE257	\# 19 80056973737565737461727473736C2E636F6D
lets-hunt.com.		86400	IN	TYPE257	\# 23 8009697373756577696C64737461727473736C2E636F6D
devever.net.		300	IN	TYPE257	\# 22 000569737375656C657473656E63727970742E6F7267
tensquaregames.com.	86400	IN	TYPE257	\# 19 80056973737565737461727473736C2E636F6D
tensquaregames.com.	86400	IN	TYPE257	\# 23 8009697373756577696C64737461727473736C2E636F6D
tensquaregames.com.	86400	IN	TYPE257	\# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D
melenky.ru.		900	IN	TYPE257	\# 19 00056973737565737461727473736C2E636F6D
bgbm.org.		86400	IN	TYPE257	\# 38 0005696F6465666D61696C746F3A6365727469666963617465406675 2D6265726C696E2E6465
bgbm.org.		86400	IN	TYPE257	\# 17 00056973737565706B692E64666E2E6465
mushroom-hunt.com.	86400	IN	TYPE257	\# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D
mushroom-hunt.com.	86400	IN	TYPE257	\# 19 80056973737565737461727473736C2E636F6D
mushroom-hunt.com.	86400	IN	TYPE257	\# 23 8009697373756577696C64737461727473736C2E636F6D
seas.sk.		28800	IN	TYPE257	\# 12 0009697373756577696C643B
seas.sk.		28800	IN	TYPE257	\# 32 0005696F6465666D61696C746F3A686F73746D617374657240736561 732E736B
seas.sk.		28800	IN	TYPE257	\# 19 0005697373756567656F74727573742E636F6D
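The TYPE257 lines above are dig's RFC 3597 generic presentation of CAA records: after the declared length comes the RDATA as hex, i.e. one flags octet, one tag-length octet, the tag and the value. As an added example that is not part of the original post, the following Python decodes such lines and then applies the RFC 6844 issue/issuewild rule to one name's record set; the sample lines are copied from the output above (tabs collapsed to spaces), and the function names are my own.

```python
# Added example (not from the post): decode dig's generic-format TYPE257 lines into CAA
# properties and apply the RFC 6844 issuance rule to a single name's record set.
# SAMPLE is constructed from lines quoted in the post; tabs are collapsed to spaces.
SAMPLE = r"""
google.com.     85980  IN  TYPE257  \# 19 0005697373756573796D616E7465632E636F6D
lets-fish.com.  86400  IN  TYPE257  \# 23 8009697373756577696C64737461727473736C2E636F6D
seas.sk.        28800  IN  TYPE257  \# 12 0009697373756577696C643B
opera.com.      3600   IN  TYPE257  \# 34 0005696F6465666D61696C746F3A686F73746D6173746572406F7065 72612E636F6D
"""

ISSUER_CRITICAL = 0x80  # RFC 6844 flag bit 0 (the MSB): unknown critical tags must stop issuance
KNOWN_TAGS = ("issue", "issuewild", "iodef")


def decode_caa_rdata(rdata: bytes) -> dict:
    """CAA RDATA layout: flags (1 octet) | tag length (1 octet) | tag | value."""
    if len(rdata) < 2 or len(rdata) < 2 + rdata[1]:
        raise ValueError("malformed CAA RDATA")
    flags, tag_len = rdata[0], rdata[1]
    tag = rdata[2:2 + tag_len].decode("ascii").lower()  # tags are case-insensitive
    value = rdata[2 + tag_len:].decode("utf-8", errors="replace")
    return {"flags": flags, "critical": bool(flags & ISSUER_CRITICAL), "tag": tag, "value": value}


def parse_dig_line(line: str) -> dict:
    r"""Parse 'name ttl IN TYPE257 \# len hex...' (dig may split the hex over several fields)."""
    f = line.split()
    if len(f) < 7 or f[3] != "TYPE257" or f[4] != r"\#":
        raise ValueError(f"not a generic-format CAA line: {line!r}")
    rdata = bytes.fromhex("".join(f[6:]))
    if len(rdata) != int(f[5]):
        raise ValueError(f"declared {f[5]} RDATA bytes, got {len(rdata)}")
    return {"name": f[0].rstrip("."), "ttl": int(f[1]), **decode_caa_rdata(rdata)}


def parse_dig_output(text: str) -> list:
    return [parse_dig_line(l) for l in text.splitlines() if l.strip()]


def ca_may_issue(records: list, ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 6844 section 4 for one name's record set (the parent-domain walk is not done here)."""
    if any(r["critical"] and r["tag"] not in KNOWN_TAGS for r in records):
        return False  # a critical property the CA does not understand forbids issuance
    use_wild = wildcard and any(r["tag"] == "issuewild" for r in records)
    relevant = [r for r in records if r["tag"] == ("issuewild" if use_wild else "issue")]
    if not relevant:
        return True  # CAA only restricts when a matching property is present
    allowed = {r["value"].split(";", 1)[0].strip().lower() for r in relevant}
    return ca_domain.lower() in allowed  # 'issuewild ";"' yields {""}, i.e. nobody may issue
```

Running it over the sample shows the two cases worth noticing in the scan data: lets-fish.com sets the issuer-critical flag (0x80) on its StartCom records, and seas.sk's `issuewild ";"` forbids wildcard issuance by every CA while leaving non-wildcard issuance unrestricted.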

Which boils down to the following groups of domains:

  • Certificate Authorities (CAs):
    • google.com
    • symantec.com
    • comodo.com
    • instantssl.com
    • entrust.net
  • Browsers:
    • opera.com
  • Universities:
    • fu-berlin.de
    • bgbm.org
  • Mail Providers:
    • posteo.de
  • Games:
    • tensquaregames.com
    • lets-fish.com
    • lets-hunt.com
    • mushroom-hunt.com
  • Technology:
    • defcon.org
    • devever.net
  • Geography:
    • melenky.ru

In case you wonder: I classify Google as a CA here, because they are one (apart from several other pet projects they maintain). But in the context of this research, the most reasonable cause for them to deploy CAA probably is managing their PKI themselves.

Which brings us to an interesting point: while Google has its own PKI, they allow Symantec Inc. to issue certificates for them. Having a closer look at the data above, we find the following properties used:

  • issue: present for all 17 domains, posteo.de using 3 different ones. Specified CAs include:
    • Symantec: google.com, symantec.com
    • DigiCert: opera.com, defcon.org
    • Comodo: comodo.com, instantssl.com
    • DFN Verein CA (German Research Network PKI): fu-berlin.de, bgbm.org
    • StartCom: posteo.de, lets-fish.com, lets-hunt.com, tensquaregames.com, mushroom-hunt.com, melenky.ru
    • D-Trust: posteo.de
    • GeoTrust: posteo.de, seas.sk
    • Entrust: entrust.net
    • others: devever.net
  • issuewild: only present for 7 domains:
    • DigiCert: opera.com
    • StartCom: posteo.de, lets-fish.com, lets-hunt.com, tensquaregames.com, mushroom-hunt.com
    • D-Trust: posteo.de
    • GeoTrust: posteo.de
    • Denial of IssueWild: seas.sk
  • iodef: present for 11 domains and pointing either to some mailbox on that domain (with opera.com, posteo.de and seas.sk), some inherited collection address (with tensquaregames.com and its related lets-fish.com, lets-hunt.com and mushroom-hunt.com), or an abuse/information mailbox at the CA (Comodo for comodo.com & instantssl.com, and the DFN Verein CA for fu-berlin.de & bgbm.org).

No other or custom properties for the CAA DNS RR are present for the Alexa set of domains.

Cross-checking these results with the deployment of DNSSEC yields that only 8 of the 17 domains discovered to use the CAA DNS RR also use DNSSEC (i.e. have a DNSKEY present):

  • defcon.org
  • devever.net
  • lets-fish.com
  • lets-hunt.com
  • melenky.ru
  • mushroom-hunt.com
  • posteo.de
  • tensquaregames.com

This quite low rate of DNSSEC among CAA DNS RR protected domains (47%) is somewhat unexpected, given that DNSSEC is usually the more powerful protection, while CAA is – by its very definition – only an optional band-aid for in-depth protection at issuance of a certificate.

Yet given the very dim overall deployment of the CAA DNS RR, there's not much lost due to this lack of other domain protections. It is quite interesting nonetheless to see all major features of the RFC being used in real-world deployments so far.
