We conduct controlled experiments to analyze whether CAs honor CAA records. CA/Browser Forum Ballot 187 made CAA checking mandatory for publicly trusted CAs, effective September 8, 2017.
We conducted one round of tests right after the CAA requirement came into effect (around September 9, 2017) and a round of re-tests a month later (October 10, 2017).
UPDATE 2017-11-23: We have identified issuance anomalies based on historic DNS records Link
UPDATE 2017-11-15: DigiCert has done an extensive review of our test case D2 and identified 4 further certificates affected by the same problem. Bugzilla
We set up several test domains to check various corner cases of CAA processing.
This list has some overlap with the test suite at https://caatestsuite.com/
Zone files can be found under zonefiles/.
Domain | Setup | Expected CA behavior | FQDNs tested | Zone |
---|---|---|---|---|
D1 | Zone signed, CAA `0 issue ";"` (no CA authorized) | Refuse | crossbear.net, gazebear.net | gazebear.net |
D2 [1] | Zone signed, CAA lookups time out | Refuse | crossbear.org, gazebear.org | gazebear.org |
D3 | Zone not signed, issue permitted, but an additional CAA record with the critical flag and an unknown tag | Refuse | measr.net, gazebear.mobi | gazebear.mobi |
D4 | Zone not signed, CAA lookups time out | Retry, then Refuse or Issue | perenaster.com, gazebear.info | gazebear.info |
D5 | www --> D1 | Refuse | www.gazebear.online, www.gazebear5.com | www.gazebear.online, www.gazebear5.com |
D6 | www --> www.D1 | Refuse or Issue | www.gazebear.pet, www.gazebear6.com | (informational test) |
D7 | hash-ca, issue permitted | Issue | HASH.gazebear.site | (informational test) |
D8 | hash-ca, issue denied | Refuse | HASH.gazebear.site | (informational test) |
For case D4, RFC 6844 and CA/Browser Forum Ballot 187 permit a CA to issue: the zone is not DNSSEC-signed, so a lookup failure that persists after at least one retry (and that lies outside the CA's own infrastructure) may be treated as the absence of a CAA policy. However, CAs may (and arguably should) be more conservative and refuse to issue after a timeout on the CAA record.
[1] More on D2: the zone file contains an `issue ";"` CAA record, and all CAA replies for that zone are dropped. Because the zone is DNSSEC-signed, a CA must treat the lookup failure as a refusal; even if a reply got through, the record would authorize no CA to issue.
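To make the decision logic behind the expected results concrete, here is an added Python example (not the project's own code or tooling) implementing a small CAA evaluator against constructed, in-memory zone data modelled on cases D1 to D6. The record contents, the DNSSEC status of each zone, the simulated timeouts of D2 and D4, the CNAME setup assumed for D5/D6 and the issuer identifier `example-ca` are all assumptions; the real records live under zonefiles/. The example also shows why D6 is listed as "Refuse or Issue": the original RFC 6844 text climbs the tree from the CNAME target as well, whereas the corrected algorithm (the RFC 6844 erratum later adopted in RFC 8659) chases the alias and climbs only from the requested name.

```python
"""Minimal CAA evaluator (added example, not the project's code).

Zone data, DNSSEC status, timeouts and the issuer id are constructed to
mirror test cases D1-D6; no network access is performed.
"""
import re

CA_ID = "example-ca"  # assumed CAA identifier of the issuing CA

# Constructed records in BIND-like presentation syntax (assumption: the
# project's actual zonefiles/ may differ).
ZONE_TEXT = """
; D1: signed zone, "issue ;" authorizes nobody
gazebear.net.          CAA   0   issue ";"
; D3: unsigned, issue permitted, plus a critical record with an unknown tag
gazebear.mobi.         CAA   0   issue "example-ca"
gazebear.mobi.         CAA   128 nonexistent "x"
; D5: www alias to the D1 apex (assumed to be a CNAME)
www.gazebear.online.   CNAME gazebear.net.
; D6: www alias to www under D1, where no CAA record exists
www.gazebear.pet.      CNAME www.gazebear.net.
"""
SIGNED_ZONES = {"gazebear.net", "gazebear.org"}    # D1 and D2 carry DNSSEC
TIMEOUT_ZONES = {"gazebear.org", "gazebear.info"}  # D2 (signed), D4 (unsigned)

_LINE = re.compile(r"^(\S+)\s+(CAA|CNAME)\s+(.+)$")
_CAA_RDATA = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')

CAA_RRS = {}   # name -> [(flags, tag, value)]
CNAMES = {}    # name -> target

for line in ZONE_TEXT.splitlines():
    line = line.strip()
    if not line or line.startswith(";"):
        continue                         # blank line or zone-file comment
    name, rtype, rdata = _LINE.match(line).groups()
    name = name.rstrip(".").lower()
    if rtype == "CNAME":
        CNAMES[name] = rdata.strip().rstrip(".").lower()
    else:
        flags, tag, value = _CAA_RDATA.match(rdata.strip()).groups()
        CAA_RRS.setdefault(name, []).append((int(flags), tag.lower(), value))


class LookupFailure(Exception):
    """Simulated timeout/SERVFAIL of a CAA query."""


def zone_of(name):
    """Registered zone of a name (assumption: all test zones are 2-label)."""
    return ".".join(name.split(".")[-2:])


def query_caa(name):
    """Simulated resolver: CAA RRset at `name`, or a failure for the zones
    whose CAA answers are dropped in the test setup."""
    if zone_of(name) in TIMEOUT_ZONES:
        raise LookupFailure(name)
    return list(CAA_RRS.get(name, []))


def relevant_caa(name, rfc6844_alias_climb=False):
    """Find the CAA RRset that governs `name`.

    Default: corrected algorithm (RFC 6844 erratum, later RFC 8659): chase
    the alias at each node, then keep climbing from the *requested* name.
    rfc6844_alias_climb=True follows the original RFC 6844 text, which also
    climbs from the alias target; this is what splits CAs on case D6.
    """
    labels = name.split(".")
    for i in range(len(labels) - 1):             # never query the TLD itself
        node = ".".join(labels[i:])
        target = CNAMES.get(node)
        if target is None:
            rrset = query_caa(node)
        elif rfc6844_alias_climb:
            rrset = relevant_caa(target, True)
        else:
            rrset = query_caa(target)
        if rrset:
            return rrset
    return []


def decide(name, ca_id=CA_ID, rfc6844_alias_climb=False,
           permissive_unsigned_timeout=True):
    """Return "issue" or "refuse" for a certificate request for `name`."""
    failed = None
    for _attempt in range(2):                    # Ballot 187: retry at least once
        try:
            rrset = relevant_caa(name, rfc6844_alias_climb)
            break
        except LookupFailure as exc:
            failed = str(exc)
    else:
        # Persistent lookup failure: a DNSSEC-signed zone never excuses
        # issuance; an unsigned one may (Ballot 187), a cautious CA refuses.
        if zone_of(failed) in SIGNED_ZONES or not permissive_unsigned_timeout:
            return "refuse"
        rrset = []
    authorized = []
    for flags, tag, value in rrset:
        if tag == "issue":
            authorized.append(value.split(";", 1)[0].strip())  # "" for ";"
        elif tag not in ("issuewild", "iodef") and flags & 128:
            return "refuse"                      # critical flag on unknown tag
    if not authorized:
        return "issue"                           # no issue policy at all
    return "issue" if ca_id in authorized else "refuse"


if __name__ == "__main__":
    for case, fqdn in [("D1", "gazebear.net"), ("D2", "gazebear.org"),
                       ("D3", "gazebear.mobi"), ("D4", "gazebear.info"),
                       ("D5", "www.gazebear.online"), ("D6", "www.gazebear.pet")]:
        print(case, fqdn, decide(fqdn), decide(fqdn, rfc6844_alias_climb=True))
```

Running the block prints one line per case with the verdict under the corrected and the original RFC 6844 tree walk; only D6 differs between the two, and D4 flips to "refuse" when `permissive_unsigned_timeout=False` models the conservative CA behaviour recommended above.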
The column headers give the expected result: (R) Refuse, (I) Issue, (Any) either outcome is acceptable.
Each cell shows first/second: the result of the first test in September 2017, then the re-test in October 2017; "-" means the case was not tested in that round.
For example, Refused/Issued indicates that a CA refused to issue in the first test in September, but issued in the re-test in October.
CA | D1 (R) | D2 (R) | D3 (R) | D4 (Any) | D5 (R) | D6 (Any) | D7 (I) / D8 (R) | CA contacted
---|---|---|---|---|---|---|---|---
RapidSSL [1] (Symantec) | Refused/Refused | Refused/Issued (Zone, Bug) | Refused/Refused | Refused/Issued | -/Refused | -/Issued | Issued | 13.10.17, 11:43 CEST
Comodo InstantSSL [5] | Issued/Refused | Issued/Issued (Zone)/Issued [4] | Issued/Refused | Issued/Issued (Zone) | -/Refused | -/Issued | -/Issued | 13.10.17, 11:47 CEST
Let's Encrypt | Refused/Refused | Refused/Refused | Refused/Refused | Refused/Refused | -/Refused | -/Issued | -/Issued | No need
GoDaddy | Refused/Refused | Refused/Refused | Refused/Refused | Issued/Issued | -/Refused | -/Issued | D8: Refused | No need
StartCom | Refused/Pending | Issued/Issued (Bug) | Refused/Refused | Refused/Issued | -/Issued (Zone, Bug) | -/Issued | -/Issued | 16.10.17, 15:15 CEST
Buypass [2] | Refused/Refused | Issued/Refused | Refused/Refused (measr.net) | Cancelled/Issued | -/Refused | -/Refused | D8: Refused | No need
Certum | Refused/Refused | Issued/Refused | Refused/Issued (Zone, Bug) | Issued/Issued | -/Issued (Zone, Bug) | -/Issued | -/Issued | 16.10.17, 14:16 CEST
Sum of issuances (rows above) | 1/0 | 4/3 | 1/1 | 3/6 | -/2 | -/6 | informational |
DigiCert | Refused/Refused | -/Refused | -/Refused | -/Issued | -/Refused | -/Issued | -/Issued | No need
Network Solutions [3] | Pending/- | - | - | - | - | - | - |
AlphaSSL (GlobalSign) | -/Refused | -/Refused | -/Refused | Issued | -/Refused | -/Issued | -/D8: Refused | No need
SSL.com [5] (Comodo brand) | -/Issued (Zone, Bug) | -/Issued | -/Pending | -/Issued | -/Pending | -/Issued | -/Issued |
Thawte Trial (Symantec) | -/Refused | -/Issued | -/Refused | -/Issued | -/Refused | -/Issued | -/Issued | not CT compatible
Symantec | -/Refused | -/Refused | -/Refused | -/Issued | -/Refused | -/Issued | -/Issued | No need
GeoTrust (Symantec) | -/Refused | -/Issued | -/Pending | -/Issued | -/Refused | -/Issued | -/tested above |
SSL.com Basic | -/Refused | -/Issued | - | - | - | - | - | Comodo reseller
[1] Other Symantec brands sharing the RapidSSL backend were not tested individually. The first refusal might have been due to a missing locality field in the CSR; we validated second-round CSRs using this checker
[2] The first test for D4 was cancelled after 2 days in pending state, likely in the wake of our bug report for D2.
[3] Due to the high cost of certificates and the lengthy validation process, we only tested the basic case for DigiCert and Network Solutions.
[4] Comodo reacted to our report immediately and changed their system behaviour; an immediate re-test led to issuance 2 days later. Comodo then stated that they had to revert to the old behaviour for operational reasons.
[5] Although SSL.com delivers Comodo certificates and uses the Comodo backend, its observable behaviour differed.
We will update this page as more information becomes available. You are very welcome to contact us through email/phone as listed on https://www.net.in.tum.de/members/scheitle/
Further information and opt-out contacts are given under https://net.in.tum.de/projects/gino/
RapidSSL/GeoTrust/Symantec/Thawte Trial Certificates