An Empirical Survey on the Early Adoption of DNS Certification Authority Authorization
Jukka Ruohonen

TL;DR
This paper empirically examines the early adoption of DNS Certification Authority Authorization (CAA) among top domains, revealing modest adoption rates and limited use for wildcard certificates, contributing to understanding encryption technology deployment.
Contribution
It provides the first large-scale empirical analysis of early CAA adoption, highlighting adoption levels and market patterns before mandatory enforcement.
Findings
CAA adoption is below 2% among top domains
Wildcard CAA authorizations are rare
Market adoption partially reflects global certificate industry
Abstract
A new certification authority authorization (CAA) resource record for the domain name system (DNS) was standardized in 2013. Motivated by the later 2017 decision to enforce mandatory CAA checking for most certificate authorities, this paper surveys the early adoption of CAA by using an empirical sample collected from Alexa's top-million domains. According to the results, (i) the adoption of CAA is still at a modest level; only a little below two percent of the popular domains sampled have adopted CAA. Among the domains that have adopted CAA, (ii) authorizations dealing with wildcard certificates are rare compared to conventional certificates. Interestingly, (iii) the results only partially reflect the market structure of the global certificate business. With these timely results, the paper contributes to the ongoing large-scale empirical research on the use of encryption…
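The three quantities the abstract reports (adoption share, wildcard share among adopters, and issuer distribution) can be tallied from CAA records as in the following added example, which is not code from the paper. The record lines, the sample size of 200 and all function names are constructed assumptions; the `issue`, `issuewild` and `iodef` tags are the CAA property tags defined in RFC 6844.

```python
import re
from collections import Counter

# Constructed sample in zone-file presentation format (not data from the paper).
SAMPLE_RECORDS = """
example.com.   IN CAA 0 issue "letsencrypt.org"
example.com.   IN CAA 0 iodef "mailto:security@example.com"
example.net.   IN CAA 0 issue "digicert.com; policy=ev"
example.net.   IN CAA 0 issuewild ";"
example.org.   IN CAA 128 issue "letsencrypt.org"
"""
SAMPLED_DOMAINS = 200  # constructed: number of domains queried, with or without CAA

# owner [ttl] [IN] CAA <flags> <tag> "<value>"
CAA_RE = re.compile(
    r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')

def parse_caa(text):
    """Yield (domain, flags, tag, value) per CAA line; malformed lines are skipped."""
    for line in text.splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            continue
        domain, flags, tag, value = m.groups()
        tag = tag.lower()
        if tag in ("issue", "issuewild"):
            # The issuer name precedes any ';'-separated parameters;
            # a bare ";" leaves it empty, meaning no CA may issue.
            value = value.split(";", 1)[0].strip().lower()
        yield domain.rstrip(".").lower(), int(flags), tag, value

def survey(text, sampled):
    """Compute adoption share, issuewild share among adopters, and issuer counts."""
    records = list(parse_caa(text))
    adopters = {d for d, _, _, _ in records}
    wildcard = {d for d, _, t, _ in records if t == "issuewild"}
    # Count each (domain, issuer) pair once so duplicate records do not inflate a CA.
    pairs = {(d, v) for d, _, t, v in records if t == "issue" and v}
    return {
        "adoption_pct": 100.0 * len(adopters) / sampled,
        "wildcard_pct_of_adopters":
            100.0 * len(wildcard) / len(adopters) if adopters else 0.0,
        "issuers": dict(Counter(v for _, v in pairs)),
    }

if __name__ == "__main__":
    print(survey(SAMPLE_RECORDS, SAMPLED_DOMAINS))
```
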
