Hi Buypass received the problem report at 2017-09-12 00:06 and started investigating early this morning.
After investigating what happened we identified an error in our system solution when we have a CAA RR lookup failure. In this case, the DNS CAA RR lookup timed out several times and we mis-interpreted this as permission to issue, without verifying the that the domain was DNSSEC signed. This is not permitted according to BR (see ballot paragraph [1]) and we will fix this as soon as possible. We agree that this certificate should not have been issued and we have revoked the certificate. Regards Mads -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+mads.henriksveen=buypass...@lists.mozilla.org] On Behalf Of Quirin Scheitle via dev-security-policy Sent: tirsdag 12. september 2017 00:24 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone Hi, inspired by the ballot paragraph [1], I set up a domain that is fully DNSSEC signed [2], but does not reply to CAA queries (timeout). I could obtain certificates for this domain from Buypass and Startcom [3]. Other CAs (RapidSSL, GeoTrust, LetsEncrypt) have refused to issue, and GoDaddy and Certum have been stuck in "Pending" for days and will likely not issue. Per my interpretation, and per the discussion in the other CAA/DNSSSEC thread, I believe those should not have been issued. I have reported this to the issuing CAs. What do you think? Kind regards Quirin [1] CAs are permitted to treat a record lookup failure as permission to issue if: the failure is outside the CA’s infrastructure; the lookup has been retried at least once; and the domain’s zone does not have a DNSSEC validation chain to the ICANN root. [2] https://dnssec-debugger.verisignlabs.com/crossbear.org [3] https://crt.sh/?q=crossbear.org _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy