Closed Bug 1409859 Opened 5 years ago Closed 5 years ago

Startcom CAA Mis-Issuance: Lookup failure on DNSSEC-signed zone


(CA Program :: CA Certificate Compliance, task)

Not set


(Not tracked)



(Reporter: quirin, Assigned: inigo)


(Whiteboard: [ca-compliance])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:

I requested a certificate from StartCom for a test domain.
That test domain is DNSSEC-signed with a valid chain to the root. 
It has an "issue ;" CAA record, however the server is configured to not reply to CAA queries.
This results in a timeout for CAA queries.
As the zone is validly signed, the lookup failure MUST NOT be interpreted as permission to issue. 

This is stated in CAB Ballot 187:
"CAs are permitted to treat a record lookup failure as permission to issue if:
* the failure is outside the CA’s infrastructure;
* the lookup has been retried at least once; and
* the domain's zone does not have a DNSSEC validation chain to the ICANN root."

DNS Zone setup:

I communicated this issue to Startcom on Oct 16, 15:15 CEST and have been in communication with them since then. However, a root cause could not be identified yet.

This is part of a larger CAA issuance experiment with more documentation under
Whiteboard: [ca-compliance]
Assignee: kwilson → inigo
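The decision rule the report quotes, written out as an added example (not StartCom's, EJBCA's or the reporter's code): an RFC 8659-style CAA tree walk over a constructed fake resolver, in which a query that still fails after a retry is treated as permission to issue only when the zone has no DNSSEC chain to the root. The zone contents, the DNSSEC status table and the CA domain names are all constructed for illustration.

```python
from dataclasses import dataclass


class LookupFailure(Exception):
    """A CAA query timed out or returned SERVFAIL."""


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data (not real DNS): name -> CAA RRset, or LookupFailure to model
# a server that never answers CAA queries, as described in the report.
FAKE_ZONE = {
    "test.example.": LookupFailure,                    # has "issue ;" but times out
    "example.": [CAA(0, "issue", "other-ca.example")],
    "unsigned.example.": LookupFailure,
}
# Constructed: does the zone have a DNSSEC validation chain to the root?
FAKE_DNSSEC = {"test.example.": True, "example.": True, "unsigned.example.": False}


def query_caa(name):
    rrset = FAKE_ZONE.get(name, [])
    if rrset is LookupFailure:
        raise LookupFailure(name)
    return rrset


def failure_permits_issuance(outside_ca_infra, retried, dnssec_signed):
    """Ballot 187: all three conditions must hold to treat a failure as permission."""
    return outside_ca_infra and retried and not dnssec_signed


def caa_permits(fqdn, ca_domain, retries=1):
    """Walk from the FQDN toward (not including) the root and return True only
    if ca_domain is allowed to issue. retries=1 means the query is retried once."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        for attempt in range(retries + 1):
            try:
                rrset = query_caa(name)
                break
            except LookupFailure:
                if attempt == retries:  # retried and still failing
                    return failure_permits_issuance(True, True, FAKE_DNSSEC.get(name, False))
        if rrset:  # the first non-empty RRset on the path governs (RFC 8659)
            issuers = [r.value.split(";")[0].strip() for r in rrset if r.tag == "issue"]
            return not issuers or ca_domain in issuers  # "issue ;" -> "" matches no CA
    return True  # no CAA RRset anywhere on the path: issuance is not restricted
```

For the reporter's scenario (signed zone, CAA query times out) the walk returns False, while the same timeout on the unsigned zone returns True.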

We installed the latest EJBCA release, 6.10.0, a couple of weeks ago, checked again, and it looked like the error was fixed. We contacted Quirin again for testing and just got a reply stating that, according to him, the errors have been solved. In any case, we're still updating our systems because PrimeKey has just released, yesterday, a new patch for CAA, in which all the CAA test suites have been checked, handling all test cases correctly.
We'll update the system soon and will contact Quirin as well.

StartCom is exiting the CA business.

Closed: 5 years ago
Resolution: --- → INVALID
Product: NSS → CA Program