CAA "issuewild" question

Given: A domain that has only CAA records for "issue" [having no records for "issuewild"].

Is the default behavior to allow any CA to issue wildcard certs for said domain or for none to?

[the RFC (8659) seems to lean towards the "allow any" (issuewild follows issue) unless otherwise specifically limited]

3 Likes

None of the two options you've given. The issue CAA property is for regular certificates as well as wildcard certificates. The issuewild only lets you specifically select a CA for wildcard certificates and takes precedence over the issue property, but the lack of an issuewild property still makes the issue property valid for wildcard certificates too.

So if you only have an issue property you only grant issuance of wildcard certificates to that CA.

4 Likes

OK, so then is this how LE implements the RFC (8659)?

Are other CAs able to implement it in any other way?
[should I update my CAA records to include "issuewild" constraints?]

You didn't explicitly say that I could... so I won't.
OR
You didn't explicitly say that I couldn't... so I will.

3 Likes

You can see the issue/issuewild logic here:

It uses the issue set of properties of a CAA record by default unless the certificate is a wildcard certificate and there is one or more issuewild properties in the CAA record present. If not, it just uses the default of issue properties.

I'm pretty sure that would violate the BR. Article 3.2.2.8 of the current BR (1.8.0) only specifies that the CA needs to adhere to RFC 8659.

Depends what you want to achieve with that?

Those are the exact two options you've listed in your OP, whereas there is a third option: "If no issuewild property has been set, the CA needs to abide by the issue property/properties for wildcard certificates".

5 Likes

Look through the examples in RFC 8659 section 4.3; I think they're reasonably clear on the scenario you present.

The following RRset requests that only ca1.example.net issue certificates for "wild2.example.com", "*.wild2.example.com", or "*.sub.wild2.example.com".

wild2.example.com         CAA 0 issue "ca1.example.net"
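To make the issue/issuewild precedence described a few replies up and the RFC 8659 section 4.3 example concrete, here is a small CAA evaluation routine. It is an added example for this thread, not Let's Encrypt's or any CA's real code. It uses a constructed in-memory zone in place of DNS; the zone names, the CA identities, and the `may_issue`/`relevant_caa_set` helper names are all made up for the example. One simplification is labelled as an assumption: a wildcard name is looked up starting from its base name (with the leading "*." removed), which is how CAs handle wildcard requests in practice. It also covers the issuewild ";" record discussed later in the thread, which forbids wildcard issuance by every CA while leaving the issue entries intact.

```python
"""Minimal RFC 8659-style CAA check (added example, not a CA's real code).

A constructed in-memory zone stands in for DNS. Each record mirrors a
CAA RR: (flags, tag, value).
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 128 = issuer-critical bit set
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. 'letsencrypt.org', 'ca1.example.net; account=1', ';'


# Constructed zone data (NOT real DNS): name -> CAA RRset for that name
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "amazon.com"),
    ],
    "locked.example.com": [                       # the issuewild ";" pattern
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),           # empty issuer: no wildcards at all
    ],
    "wild.example.com": [                         # separate CA for wildcards
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", "ca1.example.net"),
    ],
    "critical.example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(128, "future-tag", "x"),        # critical flag on an unknown tag
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parent(domain: str) -> str:
    """Strip the leftmost label; 'com' -> '' ends the climb."""
    return domain.partition(".")[2]


def relevant_caa_set(fqdn: str) -> list[CAARecord]:
    """RFC 8659 section 3: climb towards the root until a CAA RRset is found."""
    domain = fqdn
    while domain:
        rrset = ZONE.get(domain, [])
        if rrset:
            return rrset
        domain = parent(domain)
    return []


def issuer_domain(value: str) -> str:
    """Issuer domain from an issue/issuewild value: the text before ';'.
    An empty result (value ';') means 'no CA is authorised'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name: str, ca: str) -> bool:
    """Would CA `ca` be allowed to issue for `name` under the zone's CAA records?"""
    is_wild = name.startswith("*.")
    # Assumption: a wildcard name is evaluated from its base name upwards.
    lookup = name[2:] if is_wild else name
    rrset = relevant_caa_set(lookup)
    if not rrset:
        return True                     # no CAA anywhere up the tree: unrestricted

    # A critical record the CA does not understand forbids issuance outright.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]

    # Wildcard request: if any issuewild is present it replaces issue entirely;
    # otherwise the issue records govern wildcards too.
    governing = issuewild if (is_wild and issuewild) else issue
    if not governing:
        return True                     # e.g. only an iodef record: no restriction
    return ca.lower() in {issuer_domain(r.value) for r in governing}


if __name__ == "__main__":
    for n, c in [("*.example.com", "letsencrypt.org"),
                 ("*.locked.example.com", "letsencrypt.org"),
                 ("*.wild.example.com", "letsencrypt.org")]:
        print(f"{c:18} for {n:25} -> {'allowed' if may_issue(n, c) else 'denied'}")
```

The three cases printed by the `__main__` block are the ones argued over in this thread: with only issue records, the listed CA may issue the wildcard; with issuewild ";" added, nobody may; with an issuewild naming a different CA, the issue CAs lose wildcard permission even though they keep it for ordinary names.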

No, any publicly-trusted CA that didn't strictly follow the CAA standard would be a Bad Thing and would be considered an Official Incident.

Well, I suppose if you use the same CAs for non-wildcard and wildcard certs, then probably having only "issue" entries is fine. I don't currently use wildcard certs, so I have an issuewild ";" in my domain name, "just in case". I'm generally in favor of trying to make this kind of thing as clear and explicit as possible. Though, I just looked at a handful of popular domains just now (like, just the first dozen or so names I happened to think of), and most of them had CAA set up but only with "issue" records and no "issuewild" records. So I think ignoring the existence of issuewild when making one's CAA record is fairly common.

5 Likes

Assuming you also have a valid issue property set up in your CAA record(s), having such an "empty" issuewild property would only prevent the CAs you actually did allow issuance for from issuing a wildcard certificate. I'm not really seeing the added benefit of that. Of course it would restrict an attacker to only issuing non-wildcard certificates, but if they can already do such a thing, that would be Very Bad anyway. Restricting the attacker to non-wildcard certificates only has almost no extra benefit IMO.

5 Likes

Sorry, I suppose I wasn't clear: The CAA record I have for my domain has "issue" records for the couple CAs I use (Let's Encrypt and AWS), as well as the issuewild ";". It probably wouldn't hurt anything to leave the issuewild off, as you say, (as presumably any attacker that could get Let's Encrypt or AWS to issue a wildcard cert would already have control of my DNS and could just change the CAA record too), but I don't think it hurts anything to leave it in there anyway.

The entire point of CAA, after all, is to try to mitigate cases where somehow a CA has gone through domain validation but the domain owner didn't actually intend for that CA to be validating their domain, which is a pretty rare scenario as it is. Most users wouldn't ever notice if they never used CAA, if all is going well. But if you're going to use it, I figure you might as well lock it down as much as you can.

4 Likes

That's also very true :slight_smile: Unless you actually want a wildcard certificate :wink:

4 Likes

Well, if I end up wanting a wildcard certificate for something, and yet forget that I disabled it in my CAA, presumably the error message that I subsequently get would remind me pretty quickly that I needed to update my record. No different than people realizing that they need to update it when they switch CAs.

4 Likes
