Email or username:

Password:

Forgot your password?
Top-level
Jan Schaumann

2) Most people don't set 'iodef'.

Those domains that do use CAA records tend to use the 'issue' and 'issuewild' records, but only minuscule fraction (0.9% of all TLDs' domains; 3.2% of the Top 1M Domains) set 'iodef'.

8 comments
Jan Schaumann replied to Jan

3) Extensions are not widely used.

The dominance of the 'cansignhttpexchanges' parameter here surprised me, but could be explained by being pushed without industry agreement by Google as part of their "Accelerated Mobile Pages" (AMP) framework?

Jan Schaumann replied to Jan

And finally, and most importantly:

4) A small number of CAs dominate.

Only 7 Certificate Authorities account for over 99% of all CAA 'issue'/'issuewild' records (10 CAs for 99% of the Top 1M Domains).

3 alone account for over 75%: Comodo, DigiCert, and Let's Encrypt.

Jan Schaumann replied to Jan

Even though this only covers the small percentage of domains that do set CAA records, I would not be surprised if the overall use of CAs across all domains followed a similar -- and similarly centralized -- distribution.

(In some markets, regional players will play a bigger role; once again the inability to get access to all ccTLD zones makes this difficult to assess.)

Jan Schaumann replied to Jan

So no, you probably could replace your giant trust bundle with fewer than... 20 or so root CA certs and not notice a difference, I'd guess.

But whether that's a good thing, whether it's wise for the entire internet to place all -- well, >99% -- of its certificates/eggs into fewer than 10 CAs/baskets seems more than questionable.

Jan Schaumann replied to Jan

And that's it for today - thanks for playing "Whose Cert Is It Anyway?" โœŒ๏ธ

This thread is available as a blog post here:

netmeister.org/blog/caa-divers

Jan Schaumann replied to Jan

P.S.: This was the third blog post in a series on the centralization of the internet.

Part 1, covering NS records, can be found here:
netmeister.org/blog/nsauth-div

Or, as a Twitter thread:
twitter.com/jschauma/status/15

Go Up