There are a few ways Cloudflare could improve its CAA support for better security and convenience:
- Allow the user to enable the automatic CAA records (for Cloudflare Universal SSL providers) without specifying a manual record. This would allow CAA protection for users who aren’t using a third-party TLS certificate provider.
- When configuring a manual CAA record, provide UI for entering the extension parameters. For instance, the ACME CAA draft (since published as RFC 8657) defines the accounturi and validationmethods parameters, which are currently available in Let’s Encrypt’s staging environment. Pinning a record to one ACME account URI and one validation method guards against, for instance, an attacker getting a certificate issued after gaining control of the .well-known directory on an origin server, or after obtaining control of an origin IP address from the CA’s point of view.
- In the automatic CAA records, specify Cloudflare’s own ACME account URI and the validation method it uses. Most CAs don’t support these parameters yet, but Cloudflare is likely in a position to request them, and once available they would guard against an attacker obtaining a certificate through one of Cloudflare’s partner CAs using a different account or validation method.
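To make the effect of these parameters concrete, here is an added example (my own code, not from the original post or from Cloudflare) that evaluates a CAA RRset the way an RFC 8659 / RFC 8657 compliant CA would: the issuer domain must match, the accounturi parameter must match the requesting ACME account exactly, and the validation method used must be listed in validationmethods. The zone contents, account URIs and CA domains below are constructed for illustration.

```python
"""Evaluate CAA issue/issuewild records with RFC 8657 ACME parameters.

Added example, not code from the original post. All record values and
account URIs are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Hypothetical ACME account URIs (constructed for this example).
SITE_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"
ATTACKER_ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/99999"

# Constructed CAA RRset for example.com: Let's Encrypt may issue only for
# our own account and only via dns-01; DigiCert is unrestricted; no CA
# may issue wildcard certificates (an empty issuer domain means "nobody").
ZONE: List[Tuple[str, str]] = [
    ("issue", f"letsencrypt.org; accounturi={SITE_ACCOUNT}; validationmethods=dns-01"),
    ("issue", "digicert.com"),
    ("issuewild", ";"),
]


def parse_caa_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split an issue/issuewild value into (issuer_domain, parameters).

    "letsencrypt.org; accounturi=U; validationmethods=dns-01,http-01"
    -> ("letsencrypt.org", {"accounturi": "U", "validationmethods": "dns-01,http-01"})
    A bare ";" or "" yields an empty issuer domain, which matches no CA.
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        key, val = p.split("=", 1)
        params[key.strip().lower()] = val.strip()
    return issuer, params


def record_authorizes(value: str, ca_domain: str, account_uri: str, method: str) -> bool:
    """True if this single record permits `ca_domain` to issue for the given
    ACME account URI and validation method (RFC 8657 semantics)."""
    issuer, params = parse_caa_value(value)
    if issuer != ca_domain.lower():
        return False
    # accounturi requires an exact match against the requesting account.
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False
    # validationmethods is a comma-separated allow-list of method identifiers.
    if "validationmethods" in params:
        allowed = {m.strip() for m in params["validationmethods"].split(",")}
        if method not in allowed:
            return False
    return True


def ca_may_issue(records: List[Tuple[str, str]], name: str,
                 ca_domain: str, account_uri: str, method: str) -> bool:
    """Decide issuance for `name` given the relevant CAA RRset (tag, value) pairs.

    A name starting with "*." is a wildcard: issuewild records govern it if
    any exist, otherwise the issue records apply (RFC 8659). An RRset with
    no applicable records does not restrict issuance.
    """
    wildcard = name.startswith("*.")
    issue = [v for t, v in records if t.lower() == "issue"]
    issuewild = [v for t, v in records if t.lower() == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return any(record_authorizes(v, ca_domain, account_uri, method) for v in relevant)


if __name__ == "__main__":
    cases = [
        ("own account, dns-01", "example.com", "letsencrypt.org", SITE_ACCOUNT, "dns-01"),
        ("attacker's account", "example.com", "letsencrypt.org", ATTACKER_ACCOUNT, "dns-01"),
        ("own account, http-01 via hijacked origin", "example.com", "letsencrypt.org", SITE_ACCOUNT, "http-01"),
        ("unrestricted partner CA", "example.com", "digicert.com", ATTACKER_ACCOUNT, "http-01"),
        ("wildcard, any CA", "*.example.com", "digicert.com", SITE_ACCOUNT, "dns-01"),
    ]
    for label, *args in cases:
        print(f"{label:45s} -> {'ISSUE' if ca_may_issue(ZONE, *args) else 'REFUSE'}")
```

Note that a real CA first walks up the DNS tree to find the closest CAA RRset and checks it over DNSSEC where available; this example takes the RRset as input and only shows the decision logic. The third case is the scenario from the list above: an attacker who controls the origin's .well-known directory can complete http-01, but the record only allows dns-01 for our account, so issuance is refused.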