There are a few ways Cloudflare could improve its CAA support for better security and convenience:
- Allow the user to enable the automatic CAA records (for Cloudflare Universal SSL providers) without specifying a manual record. This would allow CAA protection for users who aren’t using a third-party TLS certificate provider.
- When configuring a manual CAA record, provide UI for entering extension tags. For instance, an ACME spec draft defines the extensions `validationmethods` and `accounturi`, which are currently available in Let’s Encrypt’s staging environment. This helps guard against, for instance, an attacker getting a cert issued after gaining control of the .well-known directory on an origin server, or obtaining control over an origin IP from the perspective of the CA.
- In the automatic CAA records, specify Cloudflare’s own user ID and the verification method you use. Most CAs don’t provide this feature yet, but Cloudflare’s likely in a position to request it, and once available it would help guard against an attacker issuing a cert via one of the partners.
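To make the two extensions concrete, here is an added example (not code from the post, Cloudflare, or Let’s Encrypt) of a small CAA evaluator in Python: it parses presentation-format CAA records, applies the issue/issuewild selection rules of RFC 8659, and then enforces the `accounturi` and `validationmethods` parameters as specified in RFC 8657 (the published form of the ACME draft mentioned above). The record set is constructed for a hypothetical zone, the ACME account id is a placeholder, and the evaluator assumes `accounturi` is compared by exact string match. Running it shows why the parameters matter: a request from the right account via dns-01 passes, while the same CA asked via http-01 (the .well-known takeover scenario) or from a different ACME account is refused.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample record set for a hypothetical zone (not real Cloudflare or
# Let's Encrypt data). The account URI path is a placeholder, not a real id.
SAMPLE_CAA_RECORDS = [
    '0 issue "digicert.com"',
    '0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER-ID; validationmethods=dns-01"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

CRITICAL = 128                       # RFC 8659 "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CaaRecord:
    raw: str
    flags: int
    tag: str
    value: str
    issuer: Optional[str]            # issue/issuewild only; None = "nobody may issue"
    params: Dict[str, str]           # e.g. {"accounturi": ..., "validationmethods": ...}


def parse_caa(line: str) -> CaaRecord:
    """Parse one presentation-format CAA record: '<flags> <tag> "<value>"'."""
    m = re.fullmatch(r'\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', line)
    if not m:
        raise ValueError(f"unparseable CAA record: {line!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    issuer: Optional[str] = None
    params: Dict[str, str] = {}
    if tag in ("issue", "issuewild"):
        # value = issuer-domain-name [; name=value]* ; an empty issuer (the
        # common ';' form) means this record permits no CA at all.
        parts = [p.strip() for p in value.split(";")]
        issuer = parts[0].lower() or None
        for p in parts[1:]:
            if not p:
                continue
            if "=" not in p:
                raise ValueError(f"malformed CAA parameter {p!r} in {line!r}")
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return CaaRecord(line, flags, tag, value, issuer, params)


def issuance_permitted(records: List[CaaRecord], ca_domain: str, account_uri: str,
                       validation_method: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether the CA identified by ca_domain may issue for this name.

    RFC 8659 record selection plus the RFC 8657 accounturi / validationmethods
    parameters. Returns (allowed, reason)."""
    # An unrecognised tag marked critical means the CA must refuse to issue.
    for r in records:
        if r.flags & CRITICAL and r.tag not in KNOWN_TAGS:
            return False, f"critical unknown tag {r.tag!r}: must not issue"
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # Wildcard requests use issuewild records when any exist, else issue
    # records; non-wildcard requests ignore issuewild entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no applicable issue/issuewild records: issuance unrestricted"
    for r in relevant:
        if r.issuer is None or r.issuer != ca_domain.lower():
            continue
        # accounturi: the requesting ACME account must match (exact string compare here).
        want_acct = r.params.get("accounturi")
        if want_acct is not None and want_acct != account_uri:
            continue
        # validationmethods: comma-separated list of permitted challenge types.
        methods = r.params.get("validationmethods")
        if methods is not None and validation_method not in {m.strip() for m in methods.split(",")}:
            continue
        return True, f"permitted by: {r.raw}"
    return False, "no record permits this CA/account/validation-method combination"


def check_sample(ca_domain: str, account_uri: str, method: str,
                 wildcard: bool = False) -> Tuple[bool, str]:
    """Evaluate a request against the constructed sample record set."""
    records = [parse_caa(line) for line in SAMPLE_CAA_RECORDS]
    return issuance_permitted(records, ca_domain, account_uri, method, wildcard)


if __name__ == "__main__":
    legit = "https://acme-v02.api.letsencrypt.org/acme/acct/PLACEHOLDER-ID"
    other = "https://acme-v02.api.letsencrypt.org/acme/acct/OTHER-ID"
    for args in [("letsencrypt.org", legit, "dns-01"),
                 ("letsencrypt.org", legit, "http-01"),   # .well-known takeover scenario
                 ("letsencrypt.org", other, "dns-01"),    # attacker's own ACME account
                 ("digicert.com", "", "http-01", True)]:  # wildcard blocked by issuewild ";"
        print(args, "->", check_sample(*args))
```

The same logic is what a CA runs at issuance time; running it locally against the records you intend to publish is a cheap way to confirm that a `validationmethods` or `accounturi` constraint actually excludes the challenge types and accounts you meant to exclude before the record goes live.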