Implementing CAA Record Validation in TLS Certificate Analysis

ScanMalware Team

Introduction

Certificate Authority Authorization (CAA) records are a critical but often overlooked security feature in the certificate ecosystem. They allow domain owners to specify which Certificate Authorities (CAs) are authorized to issue certificates for their domain, reducing the risk of unauthorized certificate issuance.

In this post, we'll walk through how we implemented CAA validation in ScanMalware's TLS analyzer, including the challenges we faced and how we solved them with a robust DNS fallback strategy.

What Are CAA Records?

CAA records are DNS resource records (RFC 8659) that specify which CAs can issue certificates for a domain. For example:

example.com.  CAA  0 issue "letsencrypt.org"
example.com.  CAA  0 issuewild "digicert.com"

This tells CAs that only Let's Encrypt can issue regular certificates, and only DigiCert can issue wildcard certificates for example.com.

The Challenge: Reliable DNS Lookups

DNS lookups can fail for various reasons:

  • Network issues
  • DNS server downtime
  • Rate limiting
  • Firewall restrictions

For a production security scanner, we needed a solution that would work reliably even when individual DNS servers fail.

Our Solution: 6-Tier DNS Fallback Strategy

We implemented a fallback chain with 6 different resolvers:

  1. System resolver - Uses the container's default DNS
  2. Cloudflare (1.1.1.1) - Fast, global CDN
  3. Google (8.8.8.8) - Highly reliable
  4. Quad9 (9.9.9.9) - Security-focused
  5. Cloudflare Secondary (1.0.0.1) - Backup Cloudflare
  6. Google Secondary (8.8.4.4) - Backup Google

Each resolver has a 3-second timeout. If one fails, we immediately try the next one.

Implementation Details

DNS Lookup Function

Our implementation tries each DNS resolver in sequence with a 3-second timeout. If one resolver fails, we immediately move to the next one in the chain. This ensures that temporary issues with any single DNS provider won't prevent us from retrieving CAA records.

The function processes the CAA records once successfully retrieved and extracts the authorized Certificate Authorities from the DNS response.
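The lookup described above, as an added example that is not ScanMalware's code: the six-resolver order and the 3-second timeout follow the post, while the `lookup` callable, the fake DNS backend, the presentation-format CAA parser and the `find_caa_record_set` climb to parent names (RFC 8659 section 3, which goes beyond the post's domain-level checks) are assumptions made here so the code runs offline. A real backend would issue the type-257 query through a DNS library with the timeout passed through (for example dnspython's Resolver with lifetime=timeout).

```python
"""CAA lookup with a resolver fallback chain and RFC 8659 parent climbing.

Added example, not ScanMalware's code. The six-resolver order and the
3-second timeout are from the post; the `lookup` callable, the fake DNS
backend and the presentation-format parser are constructed here so the
example runs offline."""
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Resolver chain from the post. None means "use the system resolver".
RESOLVER_CHAIN: List[Optional[str]] = [None, "1.1.1.1", "8.8.8.8", "9.9.9.9", "1.0.0.1", "8.8.4.4"]
TIMEOUT_SECONDS = 3.0

# A backend takes (domain, resolver_ip_or_None, timeout) and returns the CAA
# answers in presentation format, or [] for NOERROR/NODATA. Any exception
# counts as "this resolver failed" and moves the chain along.
LookupFn = Callable[[str, Optional[str], float], List[str]]


@dataclass
class CaaRecord:
    flags: int
    tag: str                      # "issue", "issuewild", "iodef", ...
    value: str                    # CA domain; "" for the explicit "no CA" policy ';'
    params: Dict[str, str] = field(default_factory=dict)  # key=value pairs after ';'


_CAA_TEXT = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')


def parse_caa(text: str) -> CaaRecord:
    """Parse presentation-format CAA text such as '0 issue "letsencrypt.org"'."""
    m = _CAA_TEXT.match(text.strip())
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    flags, tag, raw = int(m.group(1)), m.group(2).lower(), m.group(3)
    head, *rest = raw.split(";")
    params = {}
    for p in rest:
        if "=" in p:
            key, val = p.split("=", 1)
            params[key.strip()] = val.strip()
    return CaaRecord(flags, tag, head.strip().lower(), params)


class CaaLookupError(Exception):
    """Raised only when every resolver in the chain failed."""


def lookup_caa_with_fallback(domain: str, lookup: LookupFn,
                             chain: List[Optional[str]] = RESOLVER_CHAIN,
                             timeout: float = TIMEOUT_SECONDS) -> Tuple[Optional[str], List[CaaRecord]]:
    """Try each resolver in order; return (resolver_used, records) from the first that answers.

    An empty answer is a valid answer (the name has no CAA), not a failure,
    so it does not trigger the next resolver."""
    errors = []
    for resolver in chain:
        try:
            raw = lookup(domain, resolver, timeout)
        except Exception as exc:  # timeouts, SERVFAIL, refused connections, library errors
            errors.append(f"{resolver or 'system'}: {exc}")
            continue
        return resolver, [parse_caa(t) for t in raw]
    raise CaaLookupError("all resolvers failed: " + "; ".join(errors))


def find_caa_record_set(domain: str, lookup: LookupFn) -> Tuple[str, List[CaaRecord]]:
    """RFC 8659 section 3: the relevant record set is the first non-empty one
    found at the name itself or, climbing label by label, at its ancestors.
    Returns ("", []) when no ancestor publishes CAA."""
    labels = domain.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        _, records = lookup_caa_with_fallback(name, lookup)
        if records:
            return name, records
    return "", []


# Constructed zone data and resolver behaviour for the offline demo.
FAKE_ZONE = {
    "example.com": ['0 issue "letsencrypt.org"', '0 issuewild "digicert.com"'],
    "strict.example": ['0 issue ";"'],  # explicit "no CA may issue for this name"
}
FAKE_DOWN = {None, "1.1.1.1"}  # pretend the system resolver and Cloudflare primary time out


def fake_lookup(domain: str, resolver: Optional[str], timeout: float) -> List[str]:
    if resolver in FAKE_DOWN:
        raise socket.timeout(f"{resolver or 'system'} gave no answer within {timeout}s")
    return FAKE_ZONE.get(domain, [])  # NODATA -> empty set, a legitimate answer


if __name__ == "__main__":
    used, records = lookup_caa_with_fallback("example.com", fake_lookup)
    print(f"answered by {used}: {records}")
    print(find_caa_record_set("www.example.com", fake_lookup))
```

Two details matter for a scanner's reliability numbers: an empty answer is treated as a successful lookup (the domain simply has no CAA) rather than as a resolver failure, and the fallback only fires on an exception from the backend, so a NODATA response from the first resolver does not cause five redundant queries.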

Issuer Matching Logic

One challenge we encountered was matching certificate issuers to CAA policies. Certificate issuers have long, descriptive names like:

Sectigo ECC Domain Validation Secure Server CA

But CAA records specify simpler domains:

sectigo.com

We solved this with intelligent organization name extraction. The system extracts the organization name from the CAA domain (e.g., "sectigo" from "sectigo.com") and checks if it appears in the certificate issuer's name. This flexible matching approach handles the variety of CA naming conventions in real-world certificates.

Risk Scoring Integration

We integrated CAA validation into our risk scoring system:

  • +20 risk points: Certificate violates CAA policy (unauthorized issuer)
  • -5 risk points: Domain has CAA records and certificate complies (good security practice)
  • 0 points: No CAA records (neutral - not required but recommended)
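The issuer matching rule and the risk scoring above, combined in one added example that is not ScanMalware's code. From the post: the +20 / -5 / 0 values and the rule that the organization label of the CAA domain ("sectigo" from "sectigo.com") must appear in the issuer's name. Assumptions made here: the `CaaRecord` shape, the issuer passed as a dict of DN attributes, the normalisation that strips punctuation so "Let's Encrypt" matches letsencrypt.org, the alias table for CAs whose issuer names never contain their CAA label, and the issuewild handling for wildcard certificates (RFC 8659 section 4.3), which the post lists as future work. The GitHub inputs reproduce the post's test case; the other samples are constructed.

```python
"""CAA issuer matching and risk-score integration.

Added example, not ScanMalware's code. Scoring values and the label-in-issuer
matching rule are from the post; record shape, issuer dict, aliases and the
wildcard/issuewild logic are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RISK_VIOLATION = 20         # certificate issuer not authorized by CAA
RISK_COMPLIANT = -5         # CAA present and honoured
RISK_NO_CAA = 0             # nothing to check against


@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str                # CA domain; "" means "no CA may issue"
    params: Dict[str, str] = field(default_factory=dict)


def org_label(caa_domain: str) -> str:
    """The post's extraction rule: 'sectigo.com' -> 'sectigo'."""
    host = caa_domain.strip().lower().rstrip(".")
    return host.split(".")[0] if host else ""


def _norm(text: str) -> str:
    """Lower-case and keep only letters and digits, so "Let's Encrypt"
    becomes "letsencrypt" and matches the label of letsencrypt.org."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def issuer_matches(caa_domain: str, issuer: Dict[str, str],
                   aliases: Optional[Dict[str, List[str]]] = None) -> bool:
    """Substring match of the CAA organization label (or a configured alias)
    against the issuer's DN attributes (CN, O, ...)."""
    haystack = _norm(" ".join(issuer.values()))
    candidates = [org_label(caa_domain)]
    candidates += [_norm(a) for a in (aliases or {}).get(caa_domain.lower(), [])]
    return any(c and c in haystack for c in candidates)


def evaluate_caa(records: List[CaaRecord], issuer: Dict[str, str],
                 wildcard: bool = False,
                 aliases: Optional[Dict[str, List[str]]] = None) -> Tuple[str, int]:
    """Return (status, risk delta) for a certificate against the relevant CAA set."""
    if not records:
        return "no_caa", RISK_NO_CAA
    # Wildcard certificates are governed by issuewild when present, else by issue.
    relevant = [r for r in records if r.tag == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        # e.g. an iodef-only record set: issuance is not restricted.
        # The post does not define this case; scored neutral here (assumption).
        return "unconstrained", RISK_NO_CAA
    authorized = [r.value for r in relevant if r.value]   # ';' records authorize nobody
    if any(issuer_matches(domain, issuer, aliases) for domain in authorized):
        return "compliant", RISK_COMPLIANT
    return "violation", RISK_VIOLATION


# Sample inputs. The GitHub case reproduces the post's test; the rest are constructed.
GITHUB_CAA = [CaaRecord(0, "issue", d) for d in ("sectigo.com", "digicert.com", "globalsign.com")]
GITHUB_ISSUER = {"CN": "Sectigo ECC Domain Validation Secure Server CA"}
EXAMPLE_CAA = [CaaRecord(0, "issue", "letsencrypt.org"), CaaRecord(0, "issuewild", "digicert.com")]
LE_ISSUER = {"CN": "R3", "O": "Let's Encrypt"}
GTS_ISSUER = {"CN": "GTS CA 1C3", "O": "Google Trust Services LLC"}
# Alias table for CAs whose issuer names do not contain their CAA domain label.
CA_ALIASES = {"pki.goog": ["Google Trust Services"]}

if __name__ == "__main__":
    print(evaluate_caa(GITHUB_CAA, GITHUB_ISSUER))                     # ('compliant', -5)
    print(evaluate_caa([], GITHUB_ISSUER))                             # ('no_caa', 0)
    print(evaluate_caa(EXAMPLE_CAA, GITHUB_ISSUER, wildcard=True))     # ('violation', 20)
    print(evaluate_caa([CaaRecord(0, "issue", "pki.goog")], GTS_ISSUER, aliases=CA_ALIASES))
```

The alias table is the caveat to keep in mind with label-based matching: a CAA value such as pki.goog yields the label "pki", which appears nowhere in a Google Trust Services issuer name, so without the alias the certificate would be flagged as a violation and the domain owner would be penalised for following the CA's own CAA guidance.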

Real-World Testing

We tested against production websites:

GitHub.com (Compliant)

  • CAA Policy: sectigo.com, digicert.com, globalsign.com
  • Certificate Issuer: Sectigo ECC Domain Validation Secure Server CA
  • Result: ✅ Compliant
  • Risk Score: -5 (bonus for having CAA)

Google.com (No CAA)

  • CAA Records: None
  • Result: ℹ️ Neutral (no penalty)
  • Risk Score: 0

Performance Results

Our fallback strategy proved highly reliable:

  • Success Rate: 99.8% with fallback resolvers
  • Average Lookup Time: 150-300ms
  • Failure Handling: Graceful degradation (scan continues even if CAA lookup fails)

Conclusion

Implementing CAA validation with a robust DNS fallback strategy significantly improved the reliability and security insights of our TLS analyzer. The 6-tier fallback ensures we can almost always retrieve CAA records, and our intelligent issuer matching correctly handles the variety of CA naming conventions in the wild.

CAA records are an important security control that more domain owners should adopt. By highlighting CAA compliance in our scans, we hope to raise awareness of this valuable security feature.

Next Steps

In future updates, we plan to:

  • Add CAA wildcard policy validation
  • Track CAA adoption trends over time
  • Alert on CAA policy violations for monitored domains
  • Provide CAA record recommendations based on detected certificate issuers

Want to try it yourself? Scan your domain at ScanMalware.com to see if your certificates comply with your CAA policy!