
First, I can update this with the affected domain, if it's critical, but for obvious reasons I'd like not to be the target of more problems.

Someone registered some CAA records for my domain.

I have full control of all related accounts: Registrar, CDN, and an AWS account with Route 53 records. MX records are with a popular email suite provider.

I assume DNSSEC record configuration between registr and CDN, and then CAA records at the CDN (it already had them) is the most important thing to do first. Or is this a misassumption/misdirection and something else is the most important thing to do here?

I'm asking this question from the POV of "most important" since otherwise I know it could turn into an opinion-based question and get closed. That said, thanks for all answers.


fwiw: regarding unauthorized access, I've had 2FA enabled on all related accounts, for many years.

Comments:

  • Do you know how those records were issued? Typically, this situation would indicate someone had access to your DNS account, and that would be the thing to address.
    – bk2204
    Commented Jul 6, 2022 at 22:36
  • Any primary answers are helpful. I know chatty comments aren't the SE norm, but fwiw, no, no one should have had access to these accounts. I'm assuming someone registered the CAA records in some other country (?) where the DNS registration was not well scrutinized. But obviously I'm asking here to learn.
    – (question author)
    Commented Jul 6, 2022 at 23:32

1 Answer

CAA records are only consulted by CAs at the moment they validate a certificate request, right before issuing the certificate. Once the certificate is issued, the presence or absence of CAA records has no bearing on how the certificate is used. You can see on Certificate Transparency logs if any certificates for your names were issued, especially from the CAs that were listed in the CAA record.

Based on that your first action would be to go ask those CAs to revoke those certificates. That might be very difficult.

A second, separate action would be to understand how a third party can arbitrarily add CAA records in your zone, which is not expected at all. Because why would it stop at CAA records? Observing that could mean your whole zone is under the control of a third party, so the problem becomes far bigger than potential unwanted certificates being issued.

But you are saying your zone is maintained by Route 53, so it is pretty unlikely that it was hacked to insert CAA records in your zone (considering your AWS account is not compromised, of course).

Maybe more interesting would be to know how did you find out about those CAA records? What did you do to suddenly see them where you didn't expect them?

Especially since you say in a comment:

    I'm assuming someone registered the CAA records in some other country (?) where the DNS registration was not well scrutinized.

Which honestly does not really make sense. You might be mixing up authoritative and recursive nameserver features. Any hacked or misconfigured (voluntarily or not) recursive nameserver can start replying with wrong DNS records... except if the zone is secured by DNSSEC, in which case any tampering with results can be detected by consumers of those results. Which is why using CAA records recommends having the zone DNSSEC enabled, for obvious reasons.

What does "registering CAA records in some other country" mean for you? CAA records, like any others, are inserted in the zone file served by the authoritative nameservers. So they are not "registered" anywhere else.

Even on DNSSEC you say:

    I assume DNSSEC record configuration between registr and CDN

Which is far from clear (even besides the word "registr", which is ambiguous at the very least... if you mean "registrar", the registrar as domain name seller does not take part at all in resolution on a day-to-day basis, except of course if they are the DNS provider at the same time, but those are two separate jobs), as things do not work that way. DNSSEC is a feature to enable on the authoritative nameservers of your domain (hence ask your DNS provider about it), and then any recursive nameserver or end DNS client can double-check that the answer they get did in fact originate from your authoritative nameservers, without change along the path.

So it is not "DNSSEC between X and Y", it is "DNSSEC enabled in the zone" (or not).
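To make the answer's point concrete (CAA only restricts issuance, and only the closest ancestor with CAA records counts), here is an added Python example that is not part of the question or answer: it evaluates whether a CA identifier would be permitted to issue for a name under a small constructed zone snapshot, following the relevant-RRset and issue/issuewild rules of RFC 8659, and lists any CAA entries naming a CA outside an expected set, which is the audit a domain owner would run when unexpected CAA records appear. The zone contents, domain names and CA identifiers below are placeholders, and the check is a simplified reading of the RFC rather than any particular CA's implementation.

```python
"""Simplified CAA authorisation check after RFC 8659 (added example, constructed data)."""
from typing import Dict, List, Optional, Tuple

# Constructed zone snapshot: presentation-format CAA rdata keyed by owner name.
# In a real audit you would pull these from your authoritative nameservers.
ZONE: Dict[str, List[str]] = {
    "example.test.": [
        '0 issue "ca-one.example"',
        '0 issuewild ";"',                       # ";" = nobody may issue wildcards
        '0 iodef "mailto:security@example.test"',
    ],
    "shop.example.test.": [
        '0 issue "ca-two.example; account=placeholder"',
    ],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 128  # issuer-critical bit: unknown critical tag => refuse issuance


def parse_caa(rdata: str) -> Tuple[int, str, str]:
    """Parse '<flags> <tag> "<value>"' into (flags, tag, value) with quotes stripped."""
    flags, tag, value = rdata.split(" ", 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def relevant_rrset(name: str, zone: Dict[str, List[str]]) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """Climb from the name towards the root and return the first owner that has CAA records."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return owner, [parse_caa(r) for r in zone[owner]]
    return None, []


def issuer_domain(value: str) -> str:
    """A CAA value may carry parameters after ';'; only the part before it names the CA."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name: str, ca: str, wildcard: bool = False,
                     zone: Dict[str, List[str]] = ZONE) -> bool:
    """Return True if `ca` may issue a (wildcard) certificate for `name` under this zone."""
    _, records = relevant_rrset(name, zone)
    if not records:
        return True  # no CAA anywhere in the ancestry: issuance is unrestricted
    # An unknown tag with the critical flag set means the CA must not issue.
    if any(flags & CRITICAL_FLAG and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies to both.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # relevant RRset has no applicable property: not restricted
    permitted = {issuer_domain(v) for v in applicable}
    permitted.discard("")  # a bare ";" names no CA at all
    return ca.lower() in permitted


def unexpected_issuers(zone: Dict[str, List[str]], expected: set) -> List[Tuple[str, str, str]]:
    """List (owner, tag, ca) for every issue/issuewild entry naming a CA outside `expected`."""
    findings = []
    for owner, rdatas in sorted(zone.items()):
        for _, tag, value in (parse_caa(r) for r in rdatas):
            if tag in ("issue", "issuewild"):
                ca = issuer_domain(value)
                if ca and ca not in {e.lower() for e in expected}:
                    findings.append((owner, tag, ca))
    return findings


if __name__ == "__main__":
    print("www.example.test / ca-one:", issuance_allowed("www.example.test.", "ca-one.example"))
    print("shop.example.test / ca-one:", issuance_allowed("shop.example.test.", "ca-one.example"))
    print("*.example.test / ca-one:", issuance_allowed("example.test.", "ca-one.example", wildcard=True))
    print("unexpected:", unexpected_issuers(ZONE, {"ca-one.example"}))
```

Note that `shop.example.test.` has its own CAA RRset, so the parent's `issuewild ";"` does not reach it: the closest ancestor with any CAA record is the only one consulted, which is why a stray CAA record added at a subdomain silently replaces the apex policy for that subtree.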
