CAA Improvement Suggestions


#1

There are a few ways Cloudflare could improve its CAA support for better security and convenience:

  • Allow the user to enable the automatic CAA records (for Cloudflare Universal SSL providers) without specifying a manual record. This would allow CAA protection for users who aren’t using a third-party TLS certificate provider.
  • When configuring a manual CAA record, provide UI for entering extension tags. For instance, an ACME spec draft defines extensions validationmethods and accounturi, which are currently available in Let’s Encrypt’s staging environment. This helps guard against, for instance, an attacker getting a cert issued after gaining control of the .well-known directory on an origin server, or obtaining control over an origin IP from the perspective of the CA.
  • In the automatic CAA records, specify Cloudflare’s own user ID and the verification method you use. Most CAs don’t provide this feature yet, but Cloudflare’s likely in a position to request it, and once available it would help guard against an attacker issuing a cert via one of the partners.

#2

In reply to your first point, I think Cloudflare behaves as you describe already - i.e. if you are just using Cloudflare’s Universal SSL then they add the CAA records for their three providers automatically, providing you haven’t added any CAA records yourself. It’s only if you add any yourself that you need to then also include the three Cloudflare ones (or disable Universal SSL).
#3

The documentation is a bit unclear on that point, but that’s not consistent with what I’ve seen. In my testing, if you don’t set a CAA record, CF doesn’t set one at all. If you set an explicit one, CF will add issue and issuewild CAA records for the Universal SSL partners in addition to your own, presumably unless Universal SSL is disabled.
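
To make the CAA mechanics discussed in #1 and #3 concrete, here is an added example (not Cloudflare's code, nor from this thread) of how a CA evaluates a CAA record set before issuing, per RFC 8659 plus the draft `accounturi` / `validationmethods` parameters. The record set is constructed; `universal-ssl-partner.example` stands in for one of the Universal SSL partner CAs and the account URI is a made-up placeholder.

```python
"""Evaluate a CAA record set the way an issuing CA does (RFC 8659), honouring
the ACME draft 'accounturi' and 'validationmethods' parameters. Added example;
all records and names below are constructed, not real Cloudflare data."""
from dataclasses import dataclass, field

@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str
    params: dict = field(default_factory=dict)

def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation-format rdata, e.g. 0 issue "ca.example; accounturi=...".
    The value before the first ';' is the CA domain; later 'k=v' pairs are parameters."""
    flags, tag, value = rdata.split(" ", 2)
    head, *rest = [p.strip() for p in value.strip().strip('"').split(";")]
    params = {}
    for p in rest:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return CAARecord(int(flags), tag.lower(), head, params)

def may_issue(records, ca_domain, wildcard=False, account_uri=None, method=None):
    """True if ca_domain may issue. 'issuewild' governs wildcard requests only when
    present; an empty CAA set means no policy and issuance is allowed."""
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    rules = [r for r in records if r.tag == tag]
    if not rules:
        return True
    for r in rules:
        if r.value == "" or r.value.lower() != ca_domain.lower():
            continue  # ';' (empty CA) or a different CA: this rule does not authorise us
        acct = r.params.get("accounturi")
        if acct and acct != account_uri:
            continue  # bound to a specific ACME account; someone else's account is refused
        methods = r.params.get("validationmethods")
        if methods and method not in [m.strip() for m in methods.split(",")]:
            continue  # e.g. dns-01 only: an http-01 challenge via .well-known is refused
        return True
    return False

# Constructed zone: a manual LE record pinned to one account and dns-01, plus the
# partner CA that a manual record must keep listing, and no wildcard issuance at all.
ACCT = "https://acme-staging-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER"
RECORDS = [parse_caa(r) for r in (
    f'0 issue "letsencrypt.org; accounturi={ACCT}; validationmethods=dns-01"',
    '0 issue "universal-ssl-partner.example"',
    '0 issuewild ";"',
)]
```

Dropping the partner line from `RECORDS` is exactly the misconfiguration #2 warns about: Universal SSL issuance would then fail the check.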