Enhancing DNS Security: Introducing CATALOG for Transparency and Auditability

In the ever-evolving landscape of DNS and Public Key Infrastructure (PKI), ensuring the transparency, security, and integrity of TLS certificate issuance remains paramount. My latest Internet-Draft, titled "CATALOG Authorization Transparency And Log Overlay for Graph-based DNS", aims to address exactly these aspects by extending DNS Certification Authority Authorization (CAA) records.

What Problem Does CATALOG Solve?

When Certificate Authorities (CAs) issue X.509 TLS certificates, logging those certificates to Certificate Transparency (CT) logs is what makes issuance publicly auditable. Managing which CT log endpoints a CA should use, and doing so securely and transparently, has so far posed challenges. The proposed CATALOG extension to DNS CAA resource records introduces a structured, discoverable way to bind CT log information directly within DNS, so that domain administrators can state, and CAs can look up, the preferred or mandatory CT log endpoints for a domain.

Technical Overview

CATALOG introduces a new CAA property tag, issuect, complemented by parameters that precisely define the characteristics of each CT log endpoint:

  • desc: Descriptive label for human readability.
  • critical: Indicates whether use of this CT log entry is mandatory or optional.
  • validfrom / validtill: The validity window during which the CT log entry applies.
  • cturi: The endpoint URL of the CT log.
  • logid: Unique identifier for the CT log.
  • pubkey: Public key information used to verify the log's signatures.

By embedding these parameters in DNS records, a domain can instruct CAs explicitly which CT logs to use during certificate issuance, which removes ambiguity from CA operations and gives auditors a single authoritative place to check the domain's CT expectations.
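As an added illustration (not code from the draft or from the author's repository), the sketch below shows how a CA-side validator might evaluate issuect records at issuance time: entries outside their validfrom/validtill window are ignored, and the remaining entries are split into mandatory (critical) and optional logs. The semicolon-separated key=value parameter syntax, the ISO 8601 timestamps, the encoding of the critical flag, and all sample values are assumptions made for this example, not the draft's normative grammar.

```python
# Added example: parse and evaluate hypothetical CAA "issuect" records.
# Parameter syntax (semicolon-separated key=value pairs, ISO 8601 times) is assumed.
from datetime import datetime
from typing import Dict, List, Optional, Tuple

def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def parse_issuect(value: str) -> Dict[str, object]:
    params = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed parameter: {part!r}")
        params[key.strip().lower()] = val.strip()
    for required in ("cturi", "logid"):
        if required not in params:
            raise ValueError(f"issuect record missing {required}")
    if not params["cturi"].startswith("https://"):
        raise ValueError("cturi must be an https:// URL")  # submissions go over TLS
    return {
        "desc": params.get("desc", ""),
        "critical": params.get("critical", "0").lower() in ("1", "true"),
        "validfrom": _parse_ts(params.get("validfrom")),
        "validtill": _parse_ts(params.get("validtill")),
        "cturi": params["cturi"],
        "logid": params["logid"],
    }

def select_logs(records: List[str], now: datetime) -> Tuple[List[str], List[str]]:
    """Return (mandatory, optional) CT log URIs that apply at `now`."""
    mandatory, optional = [], []
    for pol in map(parse_issuect, records):
        if (pol["validfrom"] and now < pol["validfrom"]) or (pol["validtill"] and now > pol["validtill"]):
            continue  # outside its validity window the entry is ignored, not violated
        (mandatory if pol["critical"] else optional).append(pol["cturi"])
    return mandatory, optional

# Constructed sample records (placeholder values, not taken from the draft).
SAMPLE_RECORDS = [
    "desc=primary; critical=1; validfrom=2025-01-01T00:00:00Z; validtill=2026-12-31T23:59:59Z; cturi=https://ct.example.net/2025; logid=LOGID-PLACEHOLDER-1",
    "desc=retired; critical=1; validtill=2024-12-31T23:59:59Z; cturi=https://ct.example.net/2024; logid=LOGID-PLACEHOLDER-2",
    "desc=mirror; critical=0; cturi=https://ct-mirror.example.org/; logid=LOGID-PLACEHOLDER-3",
]

def evaluate_sample(now_iso: str = "2025-06-01T00:00:00Z") -> Tuple[List[str], List[str]]:
    return select_logs(SAMPLE_RECORDS, _parse_ts(now_iso))
```

A CA that cannot submit to every URI in the mandatory list should treat issuance as blocked, in the same way an unmatched CAA issue tag blocks it.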

CAA-CT-STS: Strengthening the Framework

The draft further introduces a mechanism modelled on MTA-STS (Mail Transfer Agent Strict Transport Security), known as CAA-CT-STS. It adds a layer of hardening by making compliance with the declared CT log policy mandatory and verifiable, which strengthens the PKI ecosystem's resilience against misissuance and oversight.

Why Graph-based DNS?

The reference to "Graph-based DNS" underscores the potential of representing DNS and CT log relations, visually and logically, as graph structures. Such a representation simplifies auditability, makes the trust relationships easier to understand, and supports proactive security management.

Contributing to the Draft

The Internet-Draft is under active development and available in my Git repository:

🔗 https://git.coresecret.dev/msw/draft-weidner-catalog-rr-ext

The author gratefully accepts pull requests. Contributions, reviews, and feedback from the community are highly valuable for refining and advancing this proposal.

With CATALOG, we aim to foster a more transparent, secure, and accountable digital trust environment.
