Thanks Quirin, we're working with PrimeKey to know what happened (we'll generate a report once known) and will contact you if necessary to check that info you have.

Regarding the logs, the log message actually means that CAA either explicitly permitted the issuance, or implicitly permitted issuance (e.g. by the lack of a CAA record, which according to this email is not the case). We're also checking if the DNS resolver server was caching the timeout failure and sent a SERVFAIL or similar response the second time, rather than letting the query time out again. But, as said, we're still investigating the issue.

Best regards
Iñigo Barreira
CEO StartCom CA Limited

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On Behalf Of Quirin Scheitle via dev-security-policy
Sent: Tuesday, 12 September 2017 20:30
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone

Hi all,

Thank you for the replies. I am glad that there is agreement that these certificates should not have been issued.

I am confident that the test behaved correctly; the last edit on the zone file was on Aug 31 17:24, and it reads:

crossbear.org. 0 CAA 0 issue ";"

So even if requests had somehow gotten through the iptables rule dropping them, they would definitely not have gotten a permitting record. I also have full pcaps from both name servers serving this domain and can confirm that not a single query response was sent to any server on September 8th and 9th.

crossbear.net is a different domain with a different configuration; it is unrelated to this issue.

Inigo, I am very happy to debug this in detail offline -- I have plenty of records and data to assist debugging.

Kind regards
Quirin

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
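The thread turns on two points: a CAA check that treated a query timeout in a DNSSEC-signed zone as permission to issue, and a log message that cannot distinguish "explicitly permitted" from "implicitly permitted". The following is an added example, not code from either participant, StartCom or PrimeKey. It models a CAA decision that fails closed on lookup failure for a signed zone (the CA/Browser Forum BR 3.2.2.8 conditions for treating a failure as permission, namely a retried query, a failure outside the CA's infrastructure and no DNSSEC validation chain, are taken as boolean inputs; how a CA establishes them is outside the example) and returns a reason string so a log line can record why issuance was allowed. `ca.example` is a placeholder CA domain; the sample zone data is constructed to mirror the `issue ";"` record quoted in the thread.

```python
# Added example (not code from the thread's participants, StartCom or PrimeKey).
# Fail-closed CAA decision with explicit reasons, so a log line can say *why*
# CAA "permitted" issuance: explicit record, absence of a record, or lookup failure.
from dataclasses import dataclass
from typing import List, Tuple

ISSUANCE_TAGS = {"issue", "issuewild", "iodef"}  # property tags defined by RFC 8659


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse CAA rdata in zone-file form, e.g. '0 issue ";"' or '0 issue "ca.example"'."""
    flags, tag, value = rdata.strip().split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def _issuer_domain(value: str) -> str:
    # issue/issuewild value is 'issuer-domain-name [; key=value ...]'.
    # An empty issuer name (the value ";" quoted in the thread) means no CA may issue.
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def caa_evaluate(records: List[CAARecord], ca_domain: str, wildcard: bool = False) -> Tuple[bool, str]:
    """Apply RFC 8659 section 4 to a retrieved CAA RRset for the CA identified by ca_domain."""
    # A critical record whose tag we do not understand forbids issuance.
    if any(r.flags & 0x80 and r.tag not in ISSUANCE_TAGS for r in records):
        return False, "denied: critical CAA property not understood"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild, when present, governs wildcard requests
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True, "implicitly permitted: no %s property present" % tag
    ca = ca_domain.lower().rstrip(".")
    if any(_issuer_domain(r.value) == ca for r in relevant):
        return True, "explicitly permitted by %s record" % tag
    return False, "denied: no %s record names %s" % (tag, ca)


def decide_issuance(lookup, ca_domain, dnssec_signed, retried, failure_outside_ca, wildcard=False):
    """lookup is ("ok", [CAARecord]) or ("error", reason) such as ("error", "timeout")."""
    status, payload = lookup
    if status == "ok":
        return caa_evaluate(payload, ca_domain, wildcard)
    # Lookup failure. BR 3.2.2.8 lets a CA treat this as permission only when the query
    # was retried, the failure lies outside the CA's infrastructure, and the zone has no
    # DNSSEC validation chain to the ICANN root. A signed zone therefore fails closed.
    if dnssec_signed:
        return False, "denied: CAA lookup failed (%s) for DNSSEC-signed zone" % payload
    if not (retried and failure_outside_ca):
        return False, "denied: CAA lookup failed (%s) and retry/locality conditions not met" % payload
    return True, "implicitly permitted: CAA lookup failed (%s) for unsigned zone after retry" % payload


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the zone publishes 'issue ";"', is DNSSEC
    # signed, and the CA's queries are dropped (timeout). "ca.example" is a placeholder CA.
    zone = [parse_caa('0 issue ";"')]
    print(decide_issuance(("ok", zone), "ca.example", True, True, True))
    print(decide_issuance(("error", "timeout"), "ca.example", True, True, True))
    print(decide_issuance(("error", "timeout"), "ca.example", False, True, True))
```

The reason string is the part worth keeping in a CA's audit log: a single "CAA permitted" message, as discussed above, cannot tell an investigator whether a record allowed the CA, no record existed, or the check never completed.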