Hi,
just wanted to update that Certum has also issued on this domain:
https://crt.sh/?id=209378608
I have opened a support ticket, which has led to revocation but not a qualified
statement as to what happened yet.
Kind regards
Quirin
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone
Hi all,
Thank you for the replies. I am glad that there is agreement these certificates
should not have been issued.
I am confident that the test behaved correctly, the last edit on the zone file
was on Aug 31 17:24, and it reads:
crossbear.org. 0 CAA 0 issue ";"
So even
To: Nick Lamb ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone
Ok, let me investigate this further, maybe I didn't catch it rightly.
For the record, the certificate was revoked
Best regards
Iñigo Barreira
CEO
StartCom CA Limited
---
On Behalf Of Nick Lamb via dev-security-policy
Sent: Tuesday, 12 September 2017 12:26
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: (Mis)-Issuance on CAA Timeout in DNSSEC signed zone
On Tuesday, 12 September 2017 10:38:56 UTC+1, Inigo Barreira wrote:
> Furthermore, according to the logs, at the time of checking for a CAA record,
> there was none. The lookup was successful and hence allowed the issuance.
Given that this contradicts the facts alleged in Quirin's tests and the
f
Hi
Buypass received the problem report at 2017-09-12 00:06 and started
investigating early this morning.
After investigating what happened we identified an error in our system solution
when we have a CAA RR lookup failure. In this case, the DNS CAA RR lookup timed
out several times and we mis
Hi Quirin,
I was going to reply to your email after investigating what happened, but since
you've posted here, I can share it.
I think most of the CAs are struggling with the DNSSEC interpretation or how to
solve some of the issues.
In our case, I can tell the following:
The DNSSEC checking is