“Now Required”: Issuing SSL Certificates Based on DNS Records
This year, the public organizations responsible for issuing certificates will begin to take special DNS records into account. These records let domain owners define the "circle of persons" allowed to issue SSL/TLS certificates for their domain (we wrote about them in our previous post).
Image: Flickr / Jim Pennucci / CC

These DNS records have existed since 2013, but their use was largely advisory, because CAs (certificate authorities) were not required to obey them. Now the participants in the CA/Browser Forum, which brings together the makers of popular browsers and the certification companies, have voted to make verification of the Certification Authority Authorization (CAA) record part of the certificate issuance process.
“The CAA will not be a silver bullet, but it will be another layer of protection,” said Scott Helme, an information security consultant.
This requirement will come into force on September 8th, and CAs that cannot satisfy it run the risk of fines. Thus certification authorities will now have to make sure that requests to issue an SSL/TLS certificate come from the domain owner.
The purpose of this measure is to reduce the number of unauthorized certificate issuances when a certification authority is compromised or a domain is hijacked: in such a case an attacker can request a valid certificate for the compromised domain from any certificate company and subsequently use it to conduct MITM attacks or to redirect users to phishing resources.
To create a record, domain owners can use the CAA Record Generator tool, which automatically generates the correct command lines.

In addition to the issue tag, which names the legitimate CAs, the record supports the iodef tag, which will also be required to be verified. This tag lets the domain owner specify email addresses or URLs to which CAs will need to send notifications of suspicious certificate requests.
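To show what a CA's CAA check actually decides, here is an added example (not code from the article or from any CA) that evaluates the issue, issuewild and iodef tags over constructed zone data instead of live DNS. It goes slightly beyond the text: it also climbs to parent names when the requested name has no CAA set, and honours the critical flag, both of which the CAA specification (RFC 8659) requires. All names and records in it are constructed.

```python
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")  # flags: 128 = issuer critical
CRITICAL = 128

# Constructed zone data standing in for live DNS; owner names are fully qualified.
ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "digicert.com; account=12345"),
        CAA(0, "issuewild", ";"),                        # nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "open.example.net.": [CAA(0, "iodef", "mailto:abuse@example.net")],
    "locked.example.org.": [CAA(CRITICAL, "futuretag", "whatever")],
}

def relevant_caa_set(fqdn):
    """Return the first non-empty CAA RRset found on fqdn or any parent name."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Extract the issuer domain from an issue/issuewild value; '' means no CA."""
    return value.split(";", 1)[0].strip().lower()

def issuance_allowed(fqdn, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue a (wildcard) certificate for fqdn."""
    rrset = relevant_caa_set(fqdn)
    if not rrset:
        return True                      # no CAA anywhere in the chain: unrestricted
    # An unrecognised property flagged critical must block issuance.
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                # issuewild overrides issue for wildcard requests
    restricting = [r for r in rrset if r.tag == tag]
    if not restricting:
        return True                      # only iodef present: issuance not restricted
    return any(issuer_domain(r.value) == ca_domain.lower() for r in restricting)

def iodef_contacts(fqdn):
    """Where a CA should report a request it refused (iodef property)."""
    return [r.value for r in relevant_caa_set(fqdn) if r.tag == "iodef"]
```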
PS Here are some more materials on the topic from the blog of the IaaS provider 1cloud:
