Closed Bug 1409859 Opened 2 years ago Closed 2 years ago

Startcom CAA Mis-Issuance: Lookup failure on DNSSEC-signed zone

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: quirin, Assigned: inigo)

Details

(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:

I requested a certificate from StartCom for a test domain.
That test domain is DNSSEC-signed with a valid chain to the root. 
It has an "issue ;" CAA record, however the server is configured to not reply to CAA queries.
This results in a timeout for CAA queries.
As the zone is validly signed, the lookup failure MUST NOT be interpreted as permission to issue. 

This is stated in CAB Ballot 187:
"CAs are permitted to treat a record lookup failure as permission to issue if:
* the failure is outside the CA’s infrastructure;
* the lookup has been retried at least once; and
* the domain’s zone does not have a DNSSEC validation chain to the ICANN root.
"

Certificate: https://crt.sh/?id=229543202
DNS Zone setup: http://dnsviz.net/d/gazebear.org/Wd3l6g/dnssec/

I communicated this issue to Startcom on Oct 16, 15:15 CEST and have been in communication with them since then. However, a root cause could not be identified yet.

This is part of a larger CAA issuance experiment with more documentation under https://github.com/quirins/caa-test
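The decision the report describes, written out as an added example (not StartCom's, EJBCA's or PrimeKey's code): a CAA check that climbs the name tree per RFC 6844 and applies the three Ballot 187 conditions to a lookup failure, so a timeout on a DNSSEC-signed zone blocks issuance while the same timeout on an unsigned zone, after a retry, does not. The resolver, the zone names and the records are constructed in memory so the block runs offline; `has_dnssec_chain` stands in for the DNSSEC validation a real CA would have to perform itself rather than take from a flag.

```python
"""CAA check implementing the Ballot 187 lookup-failure rule (BR 3.2.2.8) with RFC 6844 tree climbing.
Added example, not StartCom's/EJBCA's code. The resolver is a constructed in-memory stand-in for
real DNS so this runs offline; a real CA must validate the DNSSEC chain itself, not trust a flag."""
from dataclasses import dataclass

class CAALookupError(Exception):
    """CAA lookup failed (timeout, SERVFAIL). `internal` marks failures inside the CA's own infrastructure."""
    def __init__(self, msg, internal=False):
        super().__init__(msg)
        self.internal = internal

@dataclass
class CAARecord:
    flags: int  # bit 7 (value 128) = issuer-critical
    tag: str
    value: str

class FakeResolver:
    """Constructed DNS stand-in: name -> list of CAARecord, or the markers "TIMEOUT" / "INTERNAL"."""
    def __init__(self, records, dnssec_signed):
        self.records = records
        self.dnssec_signed = dnssec_signed  # names whose zone has a validation chain to the ICANN root
        self.queries = []  # every query made, so retries can be checked

    def query_caa(self, name):
        self.queries.append(name)
        rrset = self.records.get(name, [])
        if rrset == "TIMEOUT":
            raise CAALookupError(f"timeout querying CAA for {name}")
        if rrset == "INTERNAL":
            raise CAALookupError(f"CA-side resolver failure for {name}", internal=True)
        return list(rrset)

    def has_dnssec_chain(self, name):
        return name in self.dnssec_signed

def lookup_with_retry(resolver, name, retries=1):
    """Query CAA for `name`, retrying at least once before giving up (a Ballot 187 precondition)."""
    for attempt in range(retries + 1):
        try:
            return resolver.query_caa(name)
        except CAALookupError:
            if attempt == retries:
                raise

def evaluate_rrset(rrset, ca_domain, wildcard, name):
    """Apply the first non-empty CAA RRset found while climbing (RFC 6844 sections 4-5)."""
    for rec in rrset:
        if rec.tag.lower() not in ("issue", "issuewild", "iodef") and rec.flags & 128:
            return False, f"unknown critical CAA tag {rec.tag!r} at {name}"
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild governs wildcard requests only when present
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True, f"no {tag} records at {name}"
    for rec in relevant:
        issuer = rec.value.split(";", 1)[0].strip()  # 'issue ";"' has an empty issuer: nobody may issue
        if issuer and issuer.lower() == ca_domain.lower():
            return True, f"{tag} at {name} authorises {ca_domain}"
    return False, f"{tag} at {name} does not authorise {ca_domain}"

def caa_permits_issuance(fqdn, ca_domain, resolver, wildcard=False, retries=1):
    """Return (permitted, reason). Climb from fqdn toward the root; the first non-empty RRset decides."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        try:
            rrset = lookup_with_retry(resolver, name, retries)
        except CAALookupError as err:
            # Ballot 187: a lookup failure is permission to issue only if ALL three hold:
            # failure outside the CA's infrastructure, retried at least once (done above),
            # and no DNSSEC validation chain to the ICANN root for the zone.
            if err.internal:
                return False, f"lookup failure inside CA infrastructure at {name}"
            if resolver.has_dnssec_chain(name):
                return False, f"lookup failure on DNSSEC-signed zone {name}: MUST NOT issue"
            return True, f"lookup failure on unsigned zone {name} after retry: treated as permission"
        if rrset:
            return evaluate_rrset(rrset, ca_domain, wildcard, name)
    return True, "no CAA records found up to the root"

def make_resolver():
    """Constructed sample zones (not real DNS data)."""
    return FakeResolver(
        records={
            "signed.test": "TIMEOUT",      # this bug's scenario: signed zone, CAA query times out
            "unsigned.test": "TIMEOUT",    # same failure, unsigned zone
            "broken-ca.test": "INTERNAL",  # failure inside the CA's own resolver
            "good.test": [CAARecord(0, "issue", "ca.example")],
            "forbid.test": [CAARecord(0, "issue", ";")],
            "wild.test": [CAARecord(0, "issue", "ca.example"), CAARecord(0, "issuewild", ";")],
            "future.test": [CAARecord(128, "futuretag", "x")],
        },
        dnssec_signed={"signed.test"},
    )
```

Calling `caa_permits_issuance("www.signed.test", "ca.example", make_resolver())` reproduces the report: the climb reaches `signed.test`, the query is retried once, and the failure on a signed zone returns a refusal; the same call against `www.unsigned.test` returns permission. The `queries` list on the fake resolver shows the retry happened, which is the part of the rule an auditor would ask a CA to evidence.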
Whiteboard: [ca-compliance]
Assignee: kwilson → inigo
Hi,

we installed the latest EJBCA release, 6.10.0, a couple of weeks ago, checked again, and it looked like the error was fixed. We contacted Quirin again for testing and just got a reply stating that, according to him, the errors have been solved. In any case, we're still updating our systems because PrimeKey has just released, yesterday, a new patch for CAA, 6.10.0.1, in which all the CAA test suites have been checked and all test cases are handled correctly.
We'll update the system soon and will contact Quirin as well.


Regards
StartCom is exiting the CA business.

Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID