A First Look at Certification Authority Authorization (CAA)

Quirin Scheitle, Taejoong Chung, Jens Hiller, Oliver Gasser, Johannes Naab, Roland Martijn van Rijswijk - Deij, Oliver Hohlfeld, Ralph Holz, David Choffnes, Alan Mislove, Georg Carle

    Research output: Contribution to journalArticleAcademicpeer-review

    20 Citations (Scopus)


    Shaken by severe compromises, the Web’s Public Key Infrastructure has seen the addition of several security mechanisms over recent years. One such mechanism is the Certification Authority Authorization (CAA) DNS record, that gives domain name holders control over which Certification Authorities (CAs) may issue certificates for their domain. First defined in RFC 6844, adoption by the CA/B forum mandates that CAs validate CAA records as of September 8, 2017.
    The success of CAA hinges on the behavior of three actors: CAs, domain name holders, and DNS operators. We empirically study their behavior, and observe that CAs exhibit patchy adherence in issuance experiments, domain name holders configure CAA records in encouraging but error-prone ways, and only six of the 31 largest DNS operators enable cus- tomers to add CAA records. Furthermore, using historic CAA data, we uncover anomalies for already-issued certificates.
    We disseminated our results in the community. This has already led to specific improvements at several CAs and revocation of mis-issued certificates. Furthermore, in this work, we suggest ways to improve the security impact of CAA. To foster further improvements and to practice reproducible research, we share raw data and analysis tools.
    Original languageEnglish
    Pages (from-to)11-23
    Number of pages14
    JournalComputer communication review
    Issue number2
    Publication statusPublished - 1 Apr 2018


    • CAA
    • Web PKI
    • HTTPS Security


    Dive into the research topics of 'A First Look at Certification Authority Authorization (CAA)'. Together they form a unique fingerprint.

    Cite this