During the second half of 2017, an international group of researchers led by the Technical University of Munich (TUM) carried out a test on the recently introduced Certification Authority Authorization (CAA) DNS record. Through such records, a DNS domain name holder is able to control which Certification Authority (CA) is allowed to issue digital certificates for that domain.

Why was this test carried out?

CAA records are a recently added security mechanism to the internet’s trust system. As with any additional measure, it will only gain user trust if implemented properly and thoroughly.
The test aimed to assess the overall implementation status, and to improve it by proactively sharing the findings with the community and all the affected parties.

What did the test involve?

Quirin Scheitle, research associate within the Chair of Network Architectures and Services at TUM’s Informatics Department, and his team specifically aimed to test whether CAs respect CAA records in six different combinations and configurations. In order to do so, they set up test domains, each with a specific DNS configuration, covering six test cases. For these domains, digital certificates were requested from various CAs and their reactions to the CAA configurations were recorded.
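To make concrete what "respecting CAA records" means for a CA, here is an added example (written for this page, not code from the TUM study) of the check a CA performs before issuance: climb the DNS tree from the requested name to the nearest name that has CAA records, then evaluate the `issue`/`issuewild` properties and the critical flag. The zone data is constructed inline; `SAMPLE_ZONE`, `relevant_caa_set` and `caa_permits` are names chosen for this example.

```python
"""Added example: a CA-side CAA check over constructed zone data (not the study's code)."""
from typing import Dict, List, Tuple

# A CAA record as (flags, tag, value), e.g. (0, "issue", "digicert.com").
CAARecord = Tuple[int, str, str]

# Constructed sample zone data: fully qualified name -> CAA records.
# "www.example.org" has no records, so a lookup for it climbs to "example.org".
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.org": [(0, "issue", "digicert.com"), (0, "issuewild", ";")],
    "strict.example.org": [(0, "issue", ";")],          # ";" alone forbids every CA
    "critical.example.org": [(128, "unknown-tag", "x"), (0, "issue", "letsencrypt.org")],
}

def relevant_caa_set(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """Tree-climbing lookup: the first name (from the request upward) that has CAA records wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return []  # no CAA anywhere up the tree: issuance is not restricted

def caa_permits(name: str, ca_id: str, zone: Dict[str, List[CAARecord]],
                wildcard: bool = False) -> bool:
    """Return True if CA `ca_id` may issue for `name` under the relevant CAA set."""
    records = relevant_caa_set(name, zone)
    if not records:
        return True
    # A record with the critical flag (bit value 128) and a tag the CA does not
    # understand must block issuance.
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in records):
        return False
    # Wildcard requests use issuewild when any exist, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    # The CA identifier is the part before any ";param=value" extensions.
    allowed = [value.split(";")[0].strip() for _, t, value in records if t == tag]
    if not allowed:
        return True  # no property of this type present: not restricted for this request
    return ca_id in allowed  # an empty identifier (from ";") matches no CA
```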

Did any CAs do particularly well?

The correct and expected behaviour in all cases was registered for five of the thirteen Certification Authorities tested: DigiCert, Let’s Encrypt, GoDaddy, AlphaSSL and Symantec.

The complete study and a regularly updated dashboard can be found at https://caastudy.github.io

For more information on CAA for DNS visit: https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
https://support.dnsimple.com/articles/caa-record/

To find out more about GÉANT’s Trusted Certificate Service, click here.