[cabf_validation] CAA - Require Queries to Authoritative NS

Wayne Thayer wthayer at mozilla.com
Tue Jan 9 10:31:40 MST 2018


I just became aware of this CloudFlare blog on CAA implementation issues:
https://blog.cloudflare.com/caa-of-the-wild/

Much of what they describe are issues that we've discussed in the past, but
I don't recall this one:

*There’s an additional security gap in that neither the RFC nor the BR
indicate where the issuing CA should query for CAA records. It is
acceptable within the current standards to query any DNS recursor for these
records as well as the authoritative DNS provider for a domain. For
example, an issuing CA could query Google’s Public DNS or a DNS recursor
provided by their ISP for these responses. This enables compromised DNS
recursors or one run by a rogue operator to alter these responses, either
denying issuance or allowing issuance by a CA not approved by the domain
owner. The RFC and BR should be amended so that an issuing CA must always
query these records at the authoritative provider to close this gap.*

Some CAs are already doing this, so I propose we make it a requirement, at
least in the case where the CA is going to treat a lookup failure as
permission to issue.

Thanks,

Wayne
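To make the gap concrete, here is an added example (not code from the thread, CloudFlare, or any CA): the RFC 8659 CAA tree-climb and issue-tag evaluation with the DNS lookup supplied as a callable, so the same policy can be run against constructed authoritative data and against a constructed recursor that strips CAA records, and so a lookup failure is reported as its own state rather than silently becoming permission. The record tuples, zone data and the `lookup` callable shape are assumptions for the example; a real implementation would point the callable at the zone's authoritative name servers.

```python
# Added example: CAA relevant-RRset walk (RFC 8659 s3) and issue-tag check
# (RFC 8659 s4.2) with a pluggable lookup. All zone data below is constructed.
from typing import Callable, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]                      # (flags, tag, value)
Lookup = Callable[[str], Optional[List[CaaRecord]]]   # None = lookup failed

def relevant_caa_rrset(fqdn: str, lookup: Lookup):
    """Walk from fqdn toward the root; the first non-empty CAA RRset is the
    relevant one. Returns (name, rrset), or (None, []) if no CAA exists.
    Raises LookupError if any query in the chain fails (no answer at all)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup(name)
        if rrset is None:
            raise LookupError(f"CAA lookup failed for {name}")
        if rrset:
            return name, rrset
    return None, []

def issuance_permitted(rrset: List[CaaRecord], ca_domain: str) -> bool:
    """If issue tags exist, one must name this CA; a bare ';' value denies
    everyone; an unknown tag with the critical flag (bit 0, value 128) denies."""
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False
    issue = [v.split(";")[0].strip().lower() for _, t, v in rrset if t == "issue"]
    return not issue or ca_domain.lower() in issue

def caa_check(fqdn: str, ca_domain: str, lookup: Lookup) -> str:
    """Returns 'permit', 'deny' or 'lookup-failed'. The caller decides whether
    'lookup-failed' may ever be treated as permission; this function never does."""
    try:
        _, rrset = relevant_caa_rrset(fqdn, lookup)
    except LookupError:
        return "lookup-failed"
    return "permit" if issuance_permitted(rrset, ca_domain) else "deny"

# Constructed zone: the domain owner authorises only ca-a.example.
AUTHORITATIVE = {"example.com": [(0, "issue", "ca-a.example")]}

def authoritative_lookup(name: str) -> List[CaaRecord]:
    return AUTHORITATIVE.get(name, [])   # [] means NoData / NXDOMAIN

def stripping_recursor_lookup(name: str) -> List[CaaRecord]:
    return []                            # constructed: CAA answers removed in transit

if __name__ == "__main__":
    print(caa_check("www.example.com", "ca-b.example", authoritative_lookup))       # deny
    print(caa_check("www.example.com", "ca-b.example", stripping_recursor_lookup))  # permit
```

The last two lines show the post's point: the same CA, asking about the same name, gets "deny" from the authoritative data and "permit" from a recursor that returned an empty answer.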