CAA and Certificate Tool

by J. Edward Durrett

Recently an article I authored was published on isc.sans.edu concerning
Certificate Authority Authorization (CAA) records in DNS. Briefly, a CAA record lets a domain administrator
state which Certificate Authority (CA) is permitted to issue certificates for a domain; a CA is expected to
look the record up before issuing. The article goes into more detail.

To make checking a CAA record and the certificate actually presented by a service easy, I put together a small Python script. It works against any service that speaks TLS from the start of the connection and supports SNI; a STARTTLS-style upgrade on an otherwise plaintext port is not negotiated. Here is the example usage:

./pcaa.py www example.org 443 

Checking DNS for CAA records . . .

The following records were found:

example.org in CAA 128 letsencrypt.org

Now checking certificate . . .

Using server name: www.example.org on port 443 for SNI ...
Connected to ('000.000.000.000', 443)

Certificate Information:
Country: US
Organization: Let's Encrypt
Common Name: Let's Encrypt Authority X3


The nice thing is that the script works with hosts using SNI and can check any service on any port, which
makes it useful for mail servers, VoIP servers and the like, and for servers running on non-standard ports.
The certificate details printed are those of the issuer (here a Let's Encrypt intermediate), so the check is
whether that issuer corresponds to the CA named in the CAA record. Two caveats apply: the CAA record is
consulted by the CA at issuance time, so a certificate issued before the record was published is not by
itself a violation, and when no CAA record exists on the name the lookup continues at the parent domain
(RFC 6844), so the record shown may have been found above the host name you asked about.
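The script above prints the CAA record and the certificate issuer side by side and leaves the comparison to the reader. The block below is an added example, not pcaa.py and not from the original post: it implements the CAA evaluation rules a CA is supposed to apply (RFC 6844, and the clarified rules of its successor RFC 8659), including the climb toward the parent domain when a name has no CAA set, the ";" empty issuer that forbids everyone, the issuewild tag for wildcard names, and the critical flag on an unknown tag. The zone data, the record text format (the presentation form dnspython prints) and the issuer-domain strings are all constructed for the example; a real check would feed it the records dnspython returns and the issuer-domain the CA publishes for itself.

```python
"""CAA evaluation per RFC 6844 / RFC 8659 (added example, not the post's pcaa.py).

Given the CAA records found for a name, decide whether a CA identified by its
CAA issuer-domain (e.g. "letsencrypt.org") is permitted to issue for that name.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical bit in the CAA flags byte
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)


def parse_caa(text: str) -> CAARecord:
    """Parse the presentation format dnspython prints: '128 issue "letsencrypt.org"'."""
    flags, tag, value = shlex.split(text, posix=True)
    return CAARecord(int(flags), tag.lower(), value)


# Constructed zone data (assumption for the example), keyed by owner name.
ZONE = {
    "example.org.": ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.org"'],
    "locked.example.org.": ['0 issue ";"'],                       # nobody may issue
    "wild.example.org.": ['0 issue "letsencrypt.org"', '0 issuewild "digicert.com"'],
    "strict.example.org.": ['128 futuretag "x"', '0 issue "letsencrypt.org"'],
}


def relevant_rrset(name: str, zone: dict = ZONE) -> list[CAARecord]:
    """Climb from the name toward the root and return the first non-empty CAA set."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrs = zone.get(owner)
        if rrs:
            return [parse_caa(r) for r in rrs]
    return []


def issuer_domain_of(value: str) -> str:
    # The issuer-domain is the value up to the first ';'; anything after is parameters.
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name: str, issuer_domain: str, zone: dict = ZONE) -> bool:
    wildcard = name.startswith("*.")
    records = relevant_rrset(name[2:] if wildcard else name, zone)
    if not records:
        return True  # no CAA anywhere in the chain: no restriction
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only iodef records: issuance is unrestricted
    allowed = {issuer_domain_of(r.value) for r in applicable}
    # An empty issuer-domain (";") permits nobody, so it never matches.
    return issuer_domain.lower() in (allowed - {""})


if __name__ == "__main__":
    for host, ca in [("www.example.org", "letsencrypt.org"),
                     ("www.example.org", "digicert.com"),
                     ("locked.example.org", "letsencrypt.org"),
                     ("*.wild.example.org", "digicert.com"),
                     ("strict.example.org", "letsencrypt.org")]:
        print(f"{host:22} {ca:18} permitted={issuance_permitted(host, ca)}")
```

Note that "relevant record set" means the closest non-empty CAA set, not the union of all sets up the tree: a CAA record on www.example.org completely replaces the one on example.org for that host, which is why the script's lookup on the bare domain and a lookup on the host name can disagree.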

References:

http://www.dnspython.org/examples.html
https://github.com/pyca/pyopenssl/blob/master/examples/sni/client.py

The references for my original article on CAA Records and Certificate Issuance are here:

https://www.ssllabs.com/ssltest/index.html
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
https://tools.ietf.org/html/rfc6844
https://cabforum.org/pipermail/public/2017-March/009988.html
https://support.dnsimple.com/articles/caa-record/
https://github.com/weppos/dnscaa
https://cloud.google.com/dns/overview#supported_dns_record_types
https://letsencrypt.org/stats/

Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.