[cabfpub] CAA records on opera.com

Rob Stradling rob.stradling at comodo.com
Fri Sep 20 10:32:06 UTC 2013


Hi Sigbjørn.

You're currently serving an "issue" record and an "issuewild" record, 
both for "digicert.com".

That "issuewild" record is redundant.

If there is no "issuewild" record present, the "issue" record(s) are 
applicable to both non-wildcards and wildcards.

(BTW, I've had this same conversation with Adam, and he's removed the 
"issuewild" record from google.com).

On 24/07/13 11:03, Sigbjørn Vik wrote:
> Hi,
>
> Opera is now serving CAA records for opera.com.
> http://dns-record-viewer.online-domain-tools.com seems to be one of few
> online tools which verifies CAA records.
>
> Comments from sysadmin after implementing CAA records:
>
> It turns out that there's very little CAA
> support in various authoritative DNS implementations:
>
> * BIND 10 has it idly in their ticket tracker:
>    http://bind10.isc.org/ticket/2512
> * ldns (used by Unbound) will have it in the as-of-yet unreleased
>    v1.6.17: http://www.nlnetlabs.nl/svn/ldns/trunk/Changelog
> * PowerDNS has no support (including in HEAD).
> * NSD has no support (including in trunk).
>
> To get this up we could either
> implement a simple DNS proxy/forwarder ourselves (not too hard), or
> see if the trunk ldns support can be made to work with Unbound, and
> then set up a simple Unbound instance that serves the CAA records,
> while forwarding other queries to the true resolvers in our network.
>
> I ended up adding CAA record support to the DNS toolkit we would use to
> implement it, but then found a better (and less crazy)
> way to implement it, by a small script generating the raw records, and
> adding those.
>
> Adding the records increased our
> authoritative nameserver's DNS response from an already juicy 458 bytes to
> supreme juiciness of 506 bytes (512 bytes is still somewhat of the limit,
> at the very least resource usage will increase when topping that).
>
> And besides, we've seen that before of course, and our TXT SPF record is
> the main offender here, but 506-byte responses are probably on the
> "winning" side when it comes to selecting authoritative DNS servers for
> DNS amplification attacks.
> Or spoken more generally: Maybe the CABForum should discuss
> how eager the community is to add a potential massive load of additional
> records to the root element of a zone/"domain".
>
> If you use more than one CA for signing "https" certs, this can quickly
> explode in size all on itself, without the help of SPF entries in the
> zone. I'd guess this needs to be discussed.
>

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
   3rd Floor, 26 Office Village, Exchange Quay,
   Trafford Road, Salford, Manchester M5 3EQ

This e-mail and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to whom they are 
addressed.  If you have received this email in error please notify the 
sender by replying to the e-mail containing this attachment. Replies to 
this email may be monitored by COMODO for operational or business 
reasons. Whilst every endeavour is taken to ensure that e-mails are free 
from viruses, no liability can be accepted and the recipient is 
requested to use their own virus checking software.
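Added example, not code from the thread, from Opera or from Comodo: it encodes CAA records into RDATA wire form and the RFC 3597 generic zone syntax (the "raw records" approach the quoted sysadmin describes for servers without native CAA support), parses such a line back, counts the bytes a record set adds to an answer, and applies the issue/issuewild rule Rob states above. The record tuples, owner name, TTL and the redundancy check are this example's own assumptions; the opera.com record set is reconstructed from the thread's description, not fetched.

```python
"""Added example (not from the thread): CAA encoding and issue/issuewild evaluation.

Assumptions: records are (flags, tag, value) tuples as laid out in RFC 6844; the
RFC 3597 "unknown type" syntax is used for zones whose server lacks TYPE257 support.
"""
import re

CAA_TYPE = 257          # RRTYPE number assigned to CAA (RFC 6844)
RR_FIXED_OVERHEAD = 12  # compressed owner pointer(2)+type(2)+class(2)+ttl(4)+rdlength(2)


def encode_caa(flags, tag, value):
    """RDATA wire form: flags (1 byte) | tag length (1 byte) | tag | value."""
    tag_b = tag.encode("ascii")
    if not 1 <= len(tag_b) <= 255:
        raise ValueError("CAA tag must be 1..255 bytes")
    return bytes([flags & 0xFF, len(tag_b)]) + tag_b + value.encode("utf-8")


def decode_caa(rdata):
    """Inverse of encode_caa; returns (flags, tag, value) and rejects truncated data."""
    if len(rdata) < 2 or len(rdata) < 2 + rdata[1]:
        raise ValueError("truncated CAA RDATA")
    tlen = rdata[1]
    return rdata[0], rdata[2:2 + tlen].decode("ascii"), rdata[2 + tlen:].decode("utf-8")


def rfc3597_line(owner, ttl, rdata):
    """Zone-file line in RFC 3597 generic syntax: TYPE257 \\# <length> <hex>."""
    return "%s %d IN TYPE%d \\# %d %s" % (owner, ttl, CAA_TYPE, len(rdata), rdata.hex())


_RFC3597 = re.compile(r"TYPE(\d+)\s+\\#\s+(\d+)\s+([0-9a-fA-F\s]*)$")


def parse_rfc3597_line(line):
    """Read a generic TYPE257 line back into (flags, tag, value); checks the declared length."""
    m = _RFC3597.search(line)
    if not m or int(m.group(1)) != CAA_TYPE:
        raise ValueError("not a generic CAA line")
    rdata = bytes.fromhex("".join(m.group(3).split()))
    if len(rdata) != int(m.group(2)):
        raise ValueError("RDATA length mismatch")
    return decode_caa(rdata)


def response_bytes_added(rdatas):
    """Bytes a set of CAA RRs adds to an answer section (owner name compressed to a pointer)."""
    return sum(RR_FIXED_OVERHEAD + len(r) for r in rdatas)


def _issuers(values):
    # The issuer domain is the text before any ';' parameter; a bare ';' names nobody.
    return {v.split(";", 1)[0].strip() for v in values} - {""}


def permitted_issuers(records, wildcard):
    """Apply the rule from the message: issuewild governs wildcard names only when at
    least one issuewild record exists; otherwise issue records apply to both kinds.
    Returns None when nothing is restricted, otherwise a (possibly empty) issuer set."""
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    if wildcard and issuewild:
        return _issuers(issuewild)
    if issue:
        return _issuers(issue)
    return None  # no issue/issuewild property present: any CA may issue


def issuewild_is_redundant(records):
    """True when dropping every issuewild record leaves the wildcard answer unchanged."""
    without = [r for r in records if r[1].lower() != "issuewild"]
    return permitted_issuers(records, True) == permitted_issuers(without, True)


if __name__ == "__main__":
    # Constructed set modelled on the opera.com records described in the thread.
    recs = [(0, "issue", "digicert.com"), (0, "issuewild", "digicert.com")]
    for r in recs:
        print(rfc3597_line("opera.com.", 3600, encode_caa(*r)))
    print("issuewild redundant:", issuewild_is_redundant(recs))
    print("bytes added to response:", response_bytes_added([encode_caa(*r) for r in recs]))
```

`issuewild_is_redundant` is the check behind Rob's remark: an issuewild record only earns its place when it names a different issuer set (or `;` to forbid wildcard issuance) than the issue records, and `response_bytes_added` shows why each extra CA listed in the zone apex costs a dozen bytes of header on top of its RDATA.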