Hi Quirin,

I was going to reply to your email after investigating what happened, but since 
you've posted here, I can share it.

I think most of the CAs are struggling with the DNSSEC interpretation or how to 
solve some of the issues.
In our case, I can tell the following:

The DNSSEC checking is optional, and at the time of the request we had it 
disabled so we didn't check it. According to the logs, this cert was requested 
at 2017-09-09 11:44 GMT+8 and we enabled it a little bit later, 2017-09-09 17:41 
GMT+8. As we have had some other issues with the DNSSEC, we have disabled it 
again and are dealing with Primekey to have a better approach to this issue. 
Furthermore, according to the logs, at the time of checking for a CAA record, 
there was none. The lookup was successful and hence allowed the issuance.

Regarding your question, I think you're right and this certificate should 
not have been issued, but it's also true that, with the DNSSEC checking 
optional, this can happen.


Best regards

Iñigo Barreira
CEO
StartCom CA Limited


-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On 
Behalf Of Quirin Scheitle via dev-security-policy
Sent: Tuesday, 12 September 2017 0:24
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

Hi,

inspired by the ballot paragraph [1], I set up a domain that is fully DNSSEC 
signed [2], but does not reply to CAA queries (timeout). 

I could obtain certificates for this domain from Buypass and Startcom [3].
Other CAs (RapidSSL, GeoTrust, LetsEncrypt) have refused to issue, and GoDaddy 
and Certum have been stuck in "Pending" for days and will likely not issue.

Per my interpretation, and per the discussion in the other CAA/DNSSEC thread, 
I believe those should not have been issued. I have reported this to the 
issuing CAs. 

What do you think?

Kind regards
Quirin


[1] CAs are permitted to treat a record lookup failure as permission to issue 
if:

    the failure is outside the CA’s infrastructure;
    the lookup has been retried at least once; and
    the domain’s zone does not have a DNSSEC validation chain to the ICANN root.

[2] https://dnssec-debugger.verisignlabs.com/crossbear.org
[3] https://crt.sh/?q=crossbear.org
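The decision rule quoted in [1] (lookup failure only excuses issuance when it is outside the CA, has been retried, and the zone has no DNSSEC chain to the root), written out as an added example; this is illustration code, not any CA's or Primekey's implementation. It assumes a constructed CAAResult model and two caller-supplied callables (one CAA query, one DNSSEC-chain check), and checks only the domain it is given, leaving out the parent-domain walk of RFC 6844.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed model of one CAA query outcome (assumption for this example, not a real resolver API).
@dataclass
class CAAResult:
    status: str                                        # "ok" (answer, possibly empty) or "timeout"
    records: List[str] = field(default_factory=list)   # e.g. ['0 issue "buypass.com"']
    failure_internal: bool = False                     # True if the failure was inside the CA's own infrastructure

def issue_tag_values(records: List[str]) -> List[str]:
    """Return the values of all 'issue' property records; flags and other tags are ignored here."""
    values = []
    for rec in records:
        parts = rec.split(None, 2)                     # flags, tag, value
        if len(parts) == 3 and parts[1].lower() == "issue":
            values.append(parts[2].strip().strip('"').strip())
    return values

def caa_permits_issuance(lookup: Callable[[str], CAAResult],
                         has_dnssec_chain: Callable[[str], bool],
                         domain: str, ca_identifier: str,
                         max_attempts: int = 2) -> Tuple[bool, str]:
    """Decide whether CAA permits this CA to issue, applying the lookup-failure rule from [1]."""
    result = lookup(domain)
    attempts = 1
    while result.status == "timeout" and attempts < max_attempts:
        result = lookup(domain)                        # the rule requires at least one retry
        attempts += 1
    if result.status == "timeout":
        if result.failure_internal:
            return False, "lookup failed inside the CA's own infrastructure"
        if attempts < 2:
            return False, "lookup failure was not retried"
        if has_dnssec_chain(domain):
            # The thread's case: signed zone, CAA times out, so failure is not permission to issue.
            return False, "lookup failed but the zone has a DNSSEC validation chain to the root"
        return True, "lookup failed outside the CA, was retried, and the zone is not DNSSEC signed"
    issuers = issue_tag_values(result.records)
    if not issuers:
        return True, "no CAA issue records"             # empty answer: issuance allowed
    if ca_identifier in issuers:
        return True, "an issue record names this CA"
    return False, "issue records name other CAs only"

# Constructed demo resolver: crossbear.org (the thread's domain) is treated as DNSSEC-signed and timing out.
def demo_lookup(domain: str) -> CAAResult:
    return CAAResult("timeout") if domain == "crossbear.org" else CAAResult("ok")

def demo_has_dnssec_chain(domain: str) -> bool:
    return domain == "crossbear.org"

if __name__ == "__main__":
    print(caa_permits_issuance(demo_lookup, demo_has_dnssec_chain, "crossbear.org", "example-ca.test"))
```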
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
