Hi Jeremy, thank you for sharing that log! The associated bug is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1420861
I do not know how to parse all the details in the log, but I guess the line

> 2017-09-13 05:25:09.117 [pool-3058692-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - CAAResponse: CAAMatchCode : [32] : CAAInput : [trnava-vuc.sk] : CAAMatchMessage : [CAA record not found] : CAADNSRecords : [ ]

means that you have seen a NODATA (empty) reply at 2017-09-13 05:25:09 in an unknown (but at this point irrelevant) timezone. Similar to the GlobalSign discussion, it is well possible that the domain briefly disabled their CAA records when you did the check — and re-enabled them later. A quirk in the lookup process would probably trigger some kind of timeout/unreachable log.

The consistency displayed in our scans [1] and the fact that this error class (wildcard/non-wildcard) seems to have affected several cases made this case look suspicious, so I had raised it. I am very happy to accept your reply and classify this as a false positive. I also think it is a very positive example that CAs can and do provide log excerpts for such cases.

Regarding the “CAA Transparency” discussion: Yes, I would welcome this and be happy to support designing it. I do not think it requires DNSSEC; just storing the relevant DNS replies in wire format by the CAs would be a great start.

Kind regards
Quirin

[1]
2017-09-12: trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com"
2017-09-12: trnava-vuc.sk. 86400 IN CAA 0 issue ";"
2017-09-13: trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com"
2017-09-13: trnava-vuc.sk. 86400 IN CAA 0 issue ";"
2017-09-14: trnava-vuc.sk. 86360 IN CAA 0 issuewild "thawte.com"
2017-09-14: trnava-vuc.sk. 86360 IN CAA 0 issue ";"

> On 29. Nov 2017, at 21:44, Jeremy Rowley via dev-security-policy <[email protected]> wrote:
>
> The Thawte records aren't showing any CAA record preventing wildcards either.
>
> Here's the Thawte CAA record logs for the domain:
>
> 2017-09-13 05:25:09.117 [pool-3058695-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - Lookup domain: trnava-vuc.sk type: 257 result: 4 lookupTimeout: 500
> 2017-09-13 05:25:09.117 [pool-3058693-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - Looking for alias for: trnava-vuc.sk
> 2017-09-13 05:25:09.117 [pool-3058696-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - Lookup domain: trnava-vuc.sk type: 5 result: 4 lookupTimeout: 750
> 2017-09-13 05:25:09.117 [pool-3058692-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - CAAResponse: CAAMatchCode : [32] : CAAInput : [trnava-vuc.sk] : CAAMatchMessage : [CAA record not found] : CAADNSRecords : [ ]
> 2017-09-13 05:25:09.118 [pool-3058691-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - Time taken in seconds for CAA check of trnava-vuc.sk is: 1
> 2017-09-13 05:25:09.118 [pool-3058693-thread-1] [] INFO c.s.s.r.service.CAAV2CheckService - CAAResponse: CAAMatchCode : [32] : CAAInput : [*.trnava-vuc.sk] : CAAMatchMessage : [CAA record not found] : CAADNSRecords : [ ]
> 2017-09-13 05:25:09.118 [pool-3058691-thread-2] [] INFO c.s.s.r.service.CAAV2CheckService - Time taken in seconds for CAA check of *.trnava-vuc.sk is: 2
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
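To make the wildcard/non-wildcard distinction in this thread concrete, here is an added example (not code from either poster or from any CA) that evaluates RFC 6844 issue/issuewild semantics over the scan records quoted in [1] and over the empty RRset the Thawte log reports. The record lines are constructed from [1]; all function and class names are mine.

```python
# Added example: RFC 6844 CAA issuance check over one relevant CAA RRset.
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # RFC 6844 flags byte; bit 128 = issuer critical
    tag: str     # "issue", "issuewild", "iodef", or an unknown tag
    value: str

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_zone_line(line: str) -> CAARecord:
    """Parse a presentation-format line such as
    'trnava-vuc.sk. 86400 IN CAA 0 issue ";"' into a CAARecord."""
    _name, _ttl, _cls, rtype, flags, tag, value = line.split(None, 6)
    if rtype != "CAA":
        raise ValueError(f"not a CAA record: {line!r}")
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))

def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value; ';' (or '') means nobody may issue."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(records, ca_domain: str, wildcard: bool) -> bool:
    """Return True if the CA may issue for the (wildcard or not) name governed
    by this RRset. An empty RRset (the NODATA case in the log) restricts nothing."""
    if not records:
        return True
    # An unknown tag marked critical must block issuance (RFC 6844 section 4).
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue governs
    # both wildcard and non-wildcard names. issuewild never applies to
    # non-wildcard names.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)

# Constructed from the 2017-09-13 scan quoted in [1].
SCAN_LINES = [
    'trnava-vuc.sk. 86400 IN CAA 0 issuewild "thawte.com"',
    'trnava-vuc.sk. 86400 IN CAA 0 issue ";"',
]
SCAN_RECORDS = [parse_zone_line(line) for line in SCAN_LINES]

if __name__ == "__main__":
    for wc in (True, False):
        print("wildcard" if wc else "non-wildcard", caa_permits(SCAN_RECORDS, "thawte.com", wc))
```

With the records present, the scan data permits a Thawte wildcard certificate but forbids a non-wildcard one; with the empty RRset the CA observed, both checks pass, which is exactly why the log alone cannot distinguish a brief record removal from a lookup fault.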

