[cabfpub] Two CAA questions

Ryan Sleevi sleevi at google.com
Fri Aug 18 07:02:03 MST 2017


On Fri, Aug 18, 2017 at 7:25 AM, Gervase Markham via Public <
public at cabforum.org> wrote:

> Is anyone able to explain why this scenario is at all common? Why would
> the authoritative nameservers for a domain refuse to answer queries, if
> the owner of the domain wanted the domain to work at all?
>

Isn't that two questions? That is, can someone explain this scenario, and
how common is it? :)

I think https://github.com/dns-violations/dns-violations is a useful
collection of various ways that vendors have improperly implemented DNS and
could result in affecting (a limited number of sites, customers of a
particular DNS host / CDN).

I'm not aware of any publicly available data showing prevalence or that it
is common, especially in the context of CA issuance, and so I would think
it would be a wonderful contribution to the Internet community if CAs are
seeing such issues, that they could publish information about it.

I know Let's Encrypt has investigated some issues, such as
https://community.letsencrypt.org/t/caa-servfails-from-namebrightdns-com/38748
and https://community.letsencrypt.org/t/public-suffix-list-caa-issue-s/39802
, but these are indicative of gross server misconfigurations, and so
failing to issue a certificate is a correct response for a misconfiguration
that is indistinguishable from an attack.

As CAs often remark about OCSP, the most secure solution is to fail closed
when a service fails. Given that CAs have direct lines with the customers
affected by such service failures - and thus, the means to remedy the issue
- this does not seem at all an onerous request.

As you said, and as Phillip mentioned, this is working as intended and
designed, and important for security, so if there is more data that can be
shared to help understand these concerns, that'd be useful, but otherwise
it doesn't seem necessary to change anything.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20170818/e3334211/attachment.html>


More information about the Public mailing list