Do CAA, CT, and DANE Interlink in Certificate Deployments? A Web PKI Measurement Study

Pouyan Fotouhi Tehrani, Raphael Hiesgen, Teresa Lübeck, Thomas C. Schmidt, Matthias Wählisch

TL;DR

This study jointly evaluates the Web PKI ecosystem’s three major defense mechanisms—CAA, DANE/TLSA, and Certificate Transparency—across 4 million domains to determine how widely they are deployed, how correctly they are configured, and how coherently they reflect the actual X.509 certificates in use. Using a large-scale measurement pipeline that spans DNS lookups, TLS handshakes, CT log data, and browser-based traffic, the authors find that CAA is the most commonly deployed protection (often without DNSSEC), TLSA records are rare and frequently out-of-date or mismatched, and CT logs provide valuable visibility but are not universally leveraged. Most certificates are valid and issued by a small set of major CAs, and when CAA constraints exist, they align with the issuing certificates in the vast majority of cases; nonetheless, misconfigurations and cross-technology inconsistencies persist, especially in older certificates or when DNSSEC is absent. The paper argues for better tooling, authoritative mappings for CAA strings, and deeper integration of DNSSEC and TLSA with CAA and CT-based auditing to strengthen the Web PKI, including a publicly accessible validation resource to help domain owners correct misconfigurations. Overall, the work highlights both progress and gaps in deploying interlocking safeguards and offers practical recommendations for improving robustness and auditability of certificate deployments.

Abstract

Integrity and trust on the web build on X.509 certificates. Misuse or misissuance of these certificates threatens the Web PKI security model, which has led to the development of several guarding techniques. In this paper, we study the DNS/DNSSEC records CAA and TLSA as well as CT logs from the perspective of the certificates in use. Our measurements comprise 4 million popular domains, for which we explore the existence and consistency of the different extensions. Our findings indicate that CAA is almost exclusively deployed in the absence of DNSSEC, while DNSSEC-protected service names tend not to use the DNS for guarding certificates. Even though mainly deployed in a formally correct way, CAA CA-strings tend not to selectively separate CAs, and numerous domains hold certificates beyond the CAA semantic. TLSA records are repeatedly poorly maintained and occasionally occur without DNSSEC.
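The "CAA matching" the abstract refers to is a per-certificate comparison of the issuing CA against the CAA policy found for the subject name. The following Python is an added illustration, not code from the paper or its measurement pipeline: it applies the RFC 8659 lookup and matching rules (tree climbing, issue vs. issuewild, the empty ";" identifier, unknown critical properties) and classifies each certificate as no-caa, match or mismatch. The zone contents, domain names and CA identifier strings are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int  # bit 7 (value 128) marks an issuer-critical property
    tag: str    # "issue", "issuewild", "iodef", ...
    value: str  # "<ca-id>; params" or ";" meaning "no CA may issue"

def find_caa_rrset(zone, name):
    # RFC 8659 Section 3: climb towards the root; the first non-empty RRset governs.
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def caa_state(zone, subject_name, issuer_id):
    # Classify a certificate's issuing CA against the CAA policy of its
    # subject name. Returns 'no-caa', 'match' or 'mismatch'.
    wildcard = subject_name.startswith("*.")
    rrset = find_caa_rrset(zone, subject_name[2:] if wildcard else subject_name)
    if not rrset:
        return "no-caa"    # no CAA anywhere in the tree: any CA may issue
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return "mismatch"  # unknown issuer-critical property: issuance forbidden
    # issuewild takes precedence for wildcard names; otherwise issue applies
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        props = [r for r in rrset if r.tag.lower() == tag]
        if props:
            # the CA identifier is the text before the first ';' (empty = nobody)
            allowed = {r.value.split(";", 1)[0].strip().lower() for r in props} - {""}
            return "match" if issuer_id.lower() in allowed else "mismatch"
    return "match"         # only non-restricting properties (e.g. iodef) present

ZONE = {  # constructed zone data for the demo, not real DNS records
    "example.com": [CAARecord(0, "issue", "letsencrypt.org"),
                    CAARecord(0, "issuewild", ";")],
    "strict.example.com": [CAARecord(128, "future-tag", "x")],
}

def demo():
    return {
        "www": caa_state(ZONE, "www.example.com", "letsencrypt.org"),
        "other-ca": caa_state(ZONE, "www.example.com", "digicert.com"),
        "wildcard": caa_state(ZONE, "*.example.com", "letsencrypt.org"),
        "critical": caa_state(ZONE, "strict.example.com", "letsencrypt.org"),
        "no-caa": caa_state(ZONE, "example.net", "digicert.com"),
    }
```

Real deployments compare against the identifier string each CA publishes for itself, which is why the paper calls for an authoritative mapping of CAA strings to CAs.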

Paper Structure (59 sections, 10 figures, 5 tables)

This paper contains 59 sections, 10 figures, 5 tables.

Figures (10)

  • Figure 1: Overview of Web PKI entities and their relation to DNS(SEC).
  • Figure 2: Simplified illustration of our toolchain for building a target list, collecting a dataset, and preparing data for analysis.
  • Figure 3: CAA matching states by age of certificates with matching subject name at the time of measurement. 75% of certificates are younger than 3 months. CAA mismatches appear relatively more often in certificates older than 3 months.
  • Figure 4: The UpSet plot contrasts the use of DNSSEC, CAA, and TLSA among domains that deploy at least one of them. CAA is most deployed (≈52%), followed by DNSSEC (≈41%), but they only co-occur in <7% of domains. DANE (TLSA) is rarely deployed (≈1%).
  • Figure 5: Total number of hosts delivering valid certificates with valid TLSA and CAA records divided by DNSSEC support, and TLSA and (selected) CAA matching status.
  • ...and 5 more figures