[cabfpub] CAA records on opera.com
Rob Stradling
rob.stradling at comodo.com
Fri Sep 20 03:32:06 MST 2013
Hi Sigbjørn.
You're currently serving an "issue" record and an "issuewild" record,
both for "digicert.com".
That "issuewild" record is redundant.
If there is no "issuewild" record present, the "issue" record(s) are
applicable to both non-wildcards and wildcards.
(BTW, I've had this same conversation with Adam, and he's removed the
"issuewild" record from google.com).
On 24/07/13 11:03, Sigbjørn Vik wrote:
> Hi,
>
> Opera is now serving CAA records for opera.com.
> http://dns-record-viewer.online-domain-tools.com seems to be one of few
> online tools which verifies CAA records.
>
> Comments from sysadmin after implementing CAA records:
>
> It turns out that there's very little CAA
> support in various authoritative DNS implementations:
>
> * BIND 10 has it idly in their ticket tracker:
> http://bind10.isc.org/ticket/2512
> * ldns (used by Unbound) will have it in the as-of-yet unreleased
> v1.6.17: http://www.nlnetlabs.nl/svn/ldns/trunk/Changelog
> * PowerDNS has no support (including in HEAD).
> * NSD has no support (including in trunk).
>
> To get this up we could either
> implement a simple DNS proxy/forwarder ourselves (not too hard), or
> see if the trunk ldns support can be made to work with Unbound, and
> then set up a simple Unbound instance that serves the CAA records,
> while forwarding other queries to the true resolvers in our network.
>
> I ended up adding CAA record support to the DNS toolkit we would use to
> implement it, but then found a better (and less crazy)
> way to implement it, by a small script generating the raw records, and
> adding those.
>
> Adding the records increased our
> authoritative nameserver's DNS response from an already juicy 458 bytes to
> supreme juiciness of 506 bytes (512 bytes is still somewhat of the limit,
> at the very least resource usage will increase when topping that).
>
> And besides, we've seen that before of course, and our TXT SPF record is
> the main offender here, but 506-byte responses are probably on the
> "winning" side when it comes to selecting authoritative DNS servers for
> DNS amplification attacks.
> Or spoken more generally: Maybe the CABForum should discuss
> how eager the community is to add a potential massive load of additional
> records to the root element of a zone/"domain".
>
> If you use more than one CA for signing "https" certs, this can quickly
> explode in size all on itself, without the help of SPF entries in the
> zone. I'd guess this needs to be discussed.
>
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
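The two points raised in this thread, that an "issuewild" record carrying the same issuer as the "issue" record changes nothing for a CA, and that every record added at the zone apex costs bytes in the apex response, can both be checked mechanically. The following is an added example written for this page, not code from the thread, Opera or Comodo. It applies the RFC 6844 (later RFC 8659) reading of the tags: for a wildcard name the relevant set is the issuewild records if any exist, otherwise the issue records; for a non-wildcard name it is the issue records; an empty relevant set imposes no restriction; an unknown property with the critical flag forbids issuance. The RRsets, the placeholder CA name `other-ca.example`, and the assumption of a 2-byte compressed owner name in the size estimate are all constructed here.

```python
"""Evaluate a CAA RRset the way RFC 6844 section 5 directs a CA to, and
estimate the wire bytes each record adds to an apex response.

Constructed example for illustration; the RRsets below are not the live
opera.com records, and the size estimate assumes a compressed owner name.
"""
from dataclasses import dataclass
from typing import Iterable, List

CRITICAL = 0x80                              # issuer-critical bit in the flags octet
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # property tags defined by RFC 6844


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    def issuer_domain(self) -> str:
        """Issuer domain of an issue/issuewild value: the text before the first ';'.
        An empty string (value ";") means no CA may issue."""
        return self.value.split(";", 1)[0].strip().lower().rstrip(".")

    def rdata_length(self) -> int:
        """RDATA size: flags (1) + tag length (1) + tag + value."""
        return 2 + len(self.tag.encode()) + len(self.value.encode())

    def rr_length_compressed(self) -> int:
        """Whole RR inside a response, assuming the owner name is a 2-byte
        compression pointer: NAME(2) + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA.
        (Assumption: real servers may compress differently.)"""
        return 12 + self.rdata_length()


def relevant_records(rrset: Iterable[CAARecord], wildcard: bool) -> List[CAARecord]:
    """RFC 6844 5.2: issuewild governs wildcards only when at least one issuewild
    record exists; otherwise the issue records govern both kinds of name."""
    rrset = list(rrset)
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    return [r for r in rrset if r.tag.lower() == tag]


def may_issue(rrset: Iterable[CAARecord], ca_domain: str, wildcard: bool) -> bool:
    """True if the CA identified by ca_domain may issue for a name governed by rrset."""
    rrset = list(rrset)
    # An unrecognised property marked critical forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    relevant = relevant_records(rrset, wildcard)
    if not relevant:
        return True  # no issue/issuewild restriction applies (empty RRset included)
    ca = ca_domain.lower().rstrip(".")
    return any(r.issuer_domain() == ca for r in relevant)


def issuewild_is_redundant(rrset: Iterable[CAARecord]) -> bool:
    """True if dropping every issuewild record leaves every issuance decision
    unchanged, for each issuer named in the set and for an unrelated CA."""
    rrset = list(rrset)
    without = [r for r in rrset if r.tag.lower() != "issuewild"]
    if len(without) == len(rrset):
        return False  # nothing to drop, so nothing is redundant
    candidates = {r.issuer_domain() for r in rrset if r.issuer_domain()}
    candidates.add("other-ca.example")  # placeholder for any CA not listed
    return all(may_issue(rrset, ca, wc) == may_issue(without, ca, wc)
               for ca in candidates for wc in (False, True))


def response_bytes(rrset: Iterable[CAARecord]) -> int:
    """Estimated bytes the RRset contributes to an apex response."""
    return sum(r.rr_length_compressed() for r in rrset)


# Constructed RRset mirroring the one described in the thread.
SAME_ISSUER = [CAARecord(0, "issue", "digicert.com"),
               CAARecord(0, "issuewild", "digicert.com")]
# Constructed contrast: issuewild actually does work here, blocking all wildcards.
NO_WILDCARDS = [CAARecord(0, "issue", "digicert.com"),
                CAARecord(0, "issuewild", ";")]

if __name__ == "__main__":
    for name, rrset in (("same issuer", SAME_ISSUER), ("no wildcards", NO_WILDCARDS)):
        print(f"{name}: issuewild redundant={issuewild_is_redundant(rrset)}, "
              f"~{response_bytes(rrset)} bytes in the apex answer")
```

Running it shows the first RRset's issuewild record is redundant while the second's is not, and that the redundant record costs more bytes than the issue record it duplicates, because the longer tag is carried in every response to an apex CAA query.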