{"id":1607,"date":"2016-02-19T10:42:51","date_gmt":"2016-02-19T09:42:51","guid":{"rendered":"http:\/\/blog.benny-baumann.de\/?p=1607"},"modified":"2016-02-19T09:21:10","modified_gmt":"2016-02-19T08:21:10","slug":"trust-delegation-with-caa-dns-rr","status":"publish","type":"post","link":"https:\/\/blog.benny-baumann.de\/?p=1607","title":{"rendered":"Trust Delegation with CAA DNS RR"},"content":{"rendered":"

Every security technology needs a certain deployment base in order to be effective. With many other security measures already at our disposal restricting the set of Certificate Authorities that may issue a X.509 certificate for a given domain is just another step. The standard for doing so, is RFC 6844 specifying the DNS Certificate Authority Authorization (CAA) Resource Record<\/a>. Specifying a special DNS RR it allows any complying CA to check, if the owner of the domain (actually: The one in control of the DNS) wishes any given CA to issue certificates for this domain.<\/p>\n

Given the CAA DNS RR is quite new, the question arose, if there are any deployments<\/a> yet.
\n<\/p>\n

Given that, unlike for IPv4, there is no easily searchable address space for domain names, the matter was a bit more complicated, than one might think at first. Also not having a comprehensive list of more than the Alexa Top 1M websites<\/a> at hand, that ought to do as a rough approximation of the question.<\/p>\n

Another approach tried was using the oldy-but-goody NSEC3Walker<\/a>, with the quite ovious downside, that enumerating the zones to yield a list of domain names takes quite some time – and thus it only has been attempted for the .fail domain so far.<\/p>\n

Which brings us to the first observation: The .fail domain, being one of the newGTLD, doesn’t really look like it was actively used for DNSSEC, thus for the domains that use DNSSEC (49 according to my scan) we get only 4 using CAA DNS RR: all of which are mine. While this percentage of about 8.2% might look promising, it is most likely incidental due to the small number of domains covered:<\/p>\n

\r\ncrypto.fail.\t\t3600\tIN\tTYPE257\t\\# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574\r\ncrypto.fail.\t\t3600\tIN\tTYPE257\t\\# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333\r\ncrypto.fail.\t\t3600\tIN\tTYPE257\t\\# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333\r\nopenpgp.fail.\t\t3600\tIN\tTYPE257\t\\# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574\r\nopenpgp.fail.\t\t3600\tIN\tTYPE257\t\\# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333\r\nopenpgp.fail.\t\t3600\tIN\tTYPE257\t\\# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333\r\nsecurity.fail.\t\t3600\tIN\tTYPE257\t\\# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574\r\nsecurity.fail.\t\t3600\tIN\tTYPE257\t\\# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333\r\nsecurity.fail.\t\t3600\tIN\tTYPE257\t\\# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333\r\nx509.fail.\t\t3600\tIN\tTYPE257\t\\# 49 000569737375656361636572742E6F72673B206163636F756E743D31 32323334323B20726F6F743D67312D636C61737333\r\nx509.fail.\t\t3600\tIN\tTYPE257\t\\# 31 0005696F6465666D61696C746F3A62656E62653139383740676D782E 6E6574\r\nx509.fail.\t\t3600\tIN\tTYPE257\t\\# 53 0009697373756577696C646361636572742E6F72673B206163636F75 6E743D3132323334323B20726F6F743D67312D636C61737333\r\n<\/pre>\n
All 4 domains have DNSSEC, TLSA (DANE) and CAA records, with both TLSA and CAA designating CAcert<\/a> as the CA to be used to issue certificates (incidentially the same CA this blog uses too).<\/p>\n
Which brings us back to the initial attempt to query domains given a set of previously known domain names. Downloading and extracting the Alexa Top 1M is straight forward and asking for the actual records can be automated with just one line of bash:<\/p>\n
cat top-1m.csv | cut -d, -f2 | parallel -j16 dig +nocmd +noadditional +noauthority +noquestion TYPE257 | grep --line-buffered -v \\; | grep --line-buffered TYPE257 | tee top-1m.caa.txt \r\n<\/pre>\n
Looking at the results as they arrive we’ll find the following output:<\/p>\n
google.com.\t\t85980\tIN\tTYPE257\t\\# 19 0005697373756573796D616E7465632E636F6D\r\nsymantec.com.\t\t1502\tIN\tTYPE257\t\\# 19 0005697373756573796D616E7465632E636F6D\r\nopera.com.\t\t3600\tIN\tTYPE257\t\\# 34 0005696F6465666D61696C746F3A686F73746D6173746572406F7065 72612E636F6D\r\nopera.com.\t\t3600\tIN\tTYPE257\t\\# 19 0005697373756564696769636572742E636F6D\r\nopera.com.\t\t3600\tIN\tTYPE257\t\\# 23 0009697373756577696C6464696769636572742E636F6D\r\ncomodo.com.\t\t1200\tIN\tTYPE257\t\\# 19 00056973737565636F6D6F646F63612E636F6D\r\ncomodo.com.\t\t1200\tIN\tTYPE257\t\\# 35 0005696F6465666D61696C746F3A73736C616275736540636F6D6F64 6F63612E636F6D\r\nfu-berlin.de.\t\t86400\tIN\tTYPE257\t\\# 38 0005696F6465666D61696C746F3A6365727469666963617465406675 2D6265726C696E2E6465\r\nfu-berlin.de.\t\t86400\tIN\tTYPE257\t\\# 17 00056973737565706B692E64666E2E6465\r\ninstantssl.com.\t\t1200\tIN\tTYPE257\t\\# 19 00056973737565636F6D6F646F63612E636F6D\r\ninstantssl.com.\t\t1200\tIN\tTYPE257\t\\# 35 0005696F6465666D61696C746F3A73736C616275736540636F6D6F64 6F63612E636F6D\r\nposteo.de.\t\t1800\tIN\tTYPE257\t\\# 19 00056973737565737461727473736C2E636F6D\r\nposteo.de.\t\t1800\tIN\tTYPE257\t\\# 18 00056973737565642D74727573742E6E6574\r\nposteo.de.\t\t1800\tIN\tTYPE257\t\\# 19 0005697373756567656F74727573742E636F6D\r\nposteo.de.\t\t1800\tIN\tTYPE257\t\\# 23 0009697373756577696C64737461727473736C2E636F6D\r\nposteo.de.\t\t1800\tIN\tTYPE257\t\\# 23 0009697373756577696C6467656F74727573742E636F6D\r\nposteo.de.\t\t1800\tIN\tTYPE257\t\\# 22 0009697373756577696C64642D74727573742E6E6574\r\nposteo.de.\t\t1800\tIN\tTYPE257\t\\# 34 0005696F6465666D61696C746F3A686F73746D617374657240706F73 74656F2E6465\r\nlets-fish.com.\t\t86400\tIN\tTYPE257\t\\# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D\r\nlets-fish.com.\t\t86400\tIN\tTYPE257\t\\# 23 8009697373756577696C64737461727473736C2E636F6D\r\nlets-fish.com.\t\t86400\tIN\tTYPE257\t\\# 19 80056973737565737461727473736C2E636F6D\r\ndefcon.org.\t\t86400\tIN\tTYPE257\t\\# 19 0005697373756564696769636572742E636F6D\r\nentrust.net.\t\t7200\tIN\tTYPE257\t\\# 21 0005697373756563612E656E74727573742E6E6574\r\nlets-hunt.com.\t\t86400\tIN\tTYPE257\t\\# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D\r\nlets-hunt.com.\t\t86400\tIN\tTYPE257\t\\# 19 80056973737565737461727473736C2E636F6D\r\nlets-hunt.com.\t\t86400\tIN\tTYPE257\t\\# 23 8009697373756577696C64737461727473736C2E636F6D\r\ndevever.net.\t\t300\tIN\tTYPE257\t\\# 22 000569737375656C657473656E63727970742E6F7267\r\ntensquaregames.com.\t86400\tIN\tTYPE257\t\\# 19 80056973737565737461727473736C2E636F6D\r\ntensquaregames.com.\t86400\tIN\tTYPE257\t\\# 23 8009697373756577696C64737461727473736C2E636F6D\r\ntensquaregames.com.\t86400\tIN\tTYPE257\t\\# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D\r\nmelenky.ru.\t\t900\tIN\tTYPE257\t\\# 19 00056973737565737461727473736C2E636F6D\r\nbgbm.org.\t\t86400\tIN\tTYPE257\t\\# 38 0005696F6465666D61696C746F3A6365727469666963617465406675 2D6265726C696E2E6465\r\nbgbm.org.\t\t86400\tIN\tTYPE257\t\\# 17 00056973737565706B692E64666E2E6465\r\nmushroom-hunt.com.\t86400\tIN\tTYPE257\t\\# 36 0005696F6465666D61696C746F3A61646D4074656E73717561726567 616D65732E636F6D\r\nmushroom-hunt.com.\t86400\tIN\tTYPE257\t\\# 19 80056973737565737461727473736C2E636F6D\r\nmushroom-hunt.com.\t86400\tIN\tTYPE257\t\\# 23 8009697373756577696C64737461727473736C2E636F6D\r\nseas.sk.\t\t28800\tIN\tTYPE257\t\\# 12 0009697373756577696C643B\r\nseas.sk.\t\t28800\tIN\tTYPE257\t\\# 32 0005696F6465666D61696C746F3A686F73746D617374657240736561 732E736B\r\nseas.sk.\t\t28800\tIN\tTYPE257\t\\# 19 0005697373756567656F74727573742E636F6D\r\n<\/pre>\n
Which boils down to the following groups of domains:<\/p>\n