DNS Certification Authority Authorization (CAA)

Hi All,

Do you know the Certification Authority Authorization (CAA) DNS Records?

With these Records you can control what CA can issue Certificates for your domain.

CAA checking became mandatory for all certificate authorities in September 2017.

These Records mean that no CA is allowed to issue Certificates or Wildcard Certificates for that Domain:

domain.tld.  IN  CAA  0 issue ";"
domain.tld.  IN  CAA  0 issuewild ";"

Only the specified CA can issue Certificates and Wildcard Certificates for that Domain:

domain.tld.  IN  CAA 0 issue "ca.domain.tld"
domain.tld.  IN  CAA 0 issuewild "ca.domain.tld"

To indicate that certificate authorities should report invalid certificate requests to an email address and a Real-time Inter-network Defense endpoint:

domain.tld.  IN  CAA 0 iodef "mailto:security@example.com"
domain.tld.  IN  CAA 0 iodef "http://iodef.example.com/"

How to query CAA DNS Record with PowerShell (DNS over HTTPS)

$Domain = "irgendwoiminternet.ch"
# Ask Google Public DNS over HTTPS for the CAA records of the domain (JSON response)
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=CAA"
$json              # full response (Status, Question, Answer, ...)
$json.Answer       # the answer section
$json.Answer.Data  # the CAA record data, e.g. 0 issue "letsencrypt.org"

I’ve created a CAA Record in Azure DNS for one of my Domains.

Prohibit issuing Certificates for that Domain

I’ve created a Certificate Request with Posh-ACME to the Let’s Encrypt CA. As you can see, the Certificate is not issued due to the CAA Record.

Install-Module Posh-ACME
Set-PAServer LE_PROD
New-PAAccount -Contact a.bohren@icewolf.ch -AcceptTOS -KeyLength 4096
New-PACertificate edge.serveralive.ch -AcceptTOS -Contact "a.bohren@icewolf.ch" -DnsSleep 15

Let’s change the CAA Record.

The CAA Record now looks like this.

irgendwoiminternet.ch. IN CAA 0 issue "letsencrypt.org"
irgendwoiminternet.ch. IN CAA 0 issuewild ";"
irgendwoiminternet.ch. IN CAA 0 iodef "mailto:postmaster@icewolf.ch"

The only question is: where do you get the CAA identifier for your CA?

I just googled it: https://letsencrypt.org/docs/caa/

Query CAA DNS Record with PowerShell (DNS over HTTPS)

$Domain = "irgendwoiminternet.ch"
$json = Invoke-RestMethod -URI "https://dns.google/resolve?name=$Domain&type=CAA"
$json
$json.Answer
$json.Answer.Data
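To go beyond just printing the answer, here is an added example (not from the original post) that parses the Data strings the DNS-over-HTTPS query returns and checks whether a given CA may issue a normal or a wildcard certificate, following the RFC 8659 rules: issuewild replaces issue for wildcard requests only when an issuewild record is present, and a value of ";" authorises nobody. The sample records are constructed to match the Azure DNS zone above; the function names are my own, and the Data string format is assumed to be the one shown by $json.Answer.Data.

```powershell
# Added example: parse CAA data in the form returned by dns.google
# (e.g. '0 issue "letsencrypt.org"') and evaluate it like a CA would.
function ConvertFrom-CaaData {
    param([string[]]$Data)
    foreach ($line in $Data) {
        # <flags> <tag> "<value>"
        if ($line -match '^\s*(\d+)\s+(\S+)\s+"?([^"]*)"?\s*$') {
            [pscustomobject]@{
                Flags = [int]$Matches[1]
                Tag   = $Matches[2].ToLower()
                Value = $Matches[3].Trim()
            }
        }
    }
}

function Test-CaaIssuance {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Records,  # from ConvertFrom-CaaData
        [Parameter(Mandatory)][string]$CA,   # CA identifier, e.g. letsencrypt.org
        [switch]$Wildcard                    # request is for *.domain
    )
    $issue     = @($Records | Where-Object Tag -eq 'issue')
    $issuewild = @($Records | Where-Object Tag -eq 'issuewild')
    # RFC 8659: issuewild only replaces issue for wildcards when it is present
    $relevant = if ($Wildcard -and $issuewild.Count -gt 0) { $issuewild } else { $issue }
    # no applicable records at all: CAA does not restrict issuance
    if ($relevant.Count -eq 0) { return $true }
    foreach ($r in $relevant) {
        # drop optional parameters, e.g. "letsencrypt.org; validationmethods=dns-01"
        $domain = ($r.Value -split ';')[0].Trim()
        # an empty domain (the ";" record) authorises nobody; -eq is case-insensitive
        if ($domain -and $domain -eq $CA) { return $true }
    }
    return $false
}

# Constructed sample in the shape of $json.Answer.Data (matches the zone above)
$sample = @(
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:postmaster@icewolf.ch"'
)
$records = ConvertFrom-CaaData -Data $sample
Test-CaaIssuance -Records $records -CA 'letsencrypt.org'             # normal cert
Test-CaaIssuance -Records $records -CA 'letsencrypt.org' -Wildcard   # wildcard cert
Test-CaaIssuance -Records $records -CA 'digicert.com'                # other CA
```

To check a live zone, feed `$json.Answer.Data` from the query above into ConvertFrom-CaaData instead of $sample.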

Now I am able to issue the Certificate from Let’s Encrypt.

New-PACertificate edge.serveralive.ch -AcceptTOS -Contact "a.bohren@icewolf.ch" -DnsSleep 15

The Certificate can be found here: C:\Users\Administrator.CORP\AppData\Local\Posh-ACME\LE_PROD\901745977\demo.irgendwoiminternet.ch

Regards
Andres Bohren