
[public-dns-discuss] Re: Google DNS fails to resolve CAA for obsproject.com

On Tuesday, January 2, 2018 at 10:35:02 AM UTC-5, r1ch wrote:
I recently deployed CAA on obsproject.com using Cloudflare. It's been over a week and the CAA record shows up fine using any number of public tools, but Google DNS cannot resolve it both with and without DNSSEC.

This does appear to be visible now at https://dns.google.com/query?name=obsproject.com&type=CAA and using UDP queries via `dig CAA obsproject.com @`.
I've tried using the cache purge tool, but it doesn't support purging CAA records, and reports "Unexpected error! Please submit us an issue (https://code.google.com/a/google.com/p/public-dns/issues/list)." when trying to purge any other record type.

The unexpected error problems (https://issuetracker.google.com/issues/70826798) have been fixed, but flushing the cache of CAA records is explicitly not supported, as it could be used in combination with a cache poisoning attack. Given the security sensitive nature of CAA records (and the fact that most of them are in domains that are not DNSSEC-signed) the limited benefit (most CAs, like letsencrypt.org and others, do not use Google Public DNS in any case) didn't seem to justify adding this.

I created https://issuetracker.google.com/issues/73183199 as a feature request for adding CAA flush support for DNSSEC-signed domains, but even in that case it might not be a good idea, given the number of recent DNSSEC vulnerabilities involving the ability to forge NODATA replies that pass DNSSEC validation:


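As an added illustration (not code from the thread or from Google Public DNS), the following Python parses a CAA answer in the JSON shape Google Public DNS returns from its `/resolve` endpoint, reports whether the resolver could DNSSEC-validate it (the `AD` flag), and evaluates the RFC 8659 issuance rule for a given CA. The sample response is constructed here, not captured from obsproject.com, and the `letsencrypt.org` value in it is an assumption.

```python
import json
from typing import List, Tuple

# Constructed sample of a Google Public DNS JSON answer for a CAA query.
# Type 257 is CAA. "AD": False means the resolver could not DNSSEC-validate
# the answer, so the client has no way to tell a stale or poisoned cached
# copy from the authoritative data; this is the reason the thread gives for
# refusing to flush CAA records on unsigned domains.
SAMPLE_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "obsproject.com.", "type": 257}],
    "Answer": [
        {"name": "obsproject.com.", "type": 257, "TTL": 300,
         "data": "0 issue \"letsencrypt.org\""},   # assumed value
        {"name": "obsproject.com.", "type": 257, "TTL": 300,
         "data": "0 issuewild \";\""},
    ],
})

CAA_TYPE = 257

def parse_caa_rdata(rdata: str) -> Tuple[int, str, str]:
    """Split presentation-format CAA RDATA 'flags tag "value"' into parts."""
    flags, tag, value = rdata.split(" ", 2)
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return int(flags), tag.lower(), value

def caa_records(response_json: str) -> List[Tuple[int, str, str]]:
    """Return parsed CAA records from a resolver JSON answer (empty on NODATA)."""
    resp = json.loads(response_json)
    return [parse_caa_rdata(a["data"]) for a in resp.get("Answer", [])
            if a.get("type") == CAA_TYPE]

def authenticated(response_json: str) -> bool:
    """True only if the resolver set AD, i.e. DNSSEC validation succeeded."""
    return bool(json.loads(response_json).get("AD", False))

def ca_allowed(records, ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 check: no relevant records means any CA may issue; 'issuewild'
    overrides 'issue' for wildcard names; a value of ';' denies everyone."""
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in records if t == tag]
    if wildcard and not relevant:          # no issuewild: fall back to issue
        relevant = [v for _, t, v in records if t == "issue"]
    if not relevant:
        return True
    # The CA domain may be followed by parameters, e.g. "ca.example; account=1".
    return any(v.split(";", 1)[0].strip().lower() == ca_domain.lower()
               for v in relevant)
```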
You received this message because you are subscribed to the Google
Groups "public-dns-discuss" group.
To post to this group, send email to public-dns-discuss AT googlegroups.com
To unsubscribe from this group, send email to
public-dns-discuss+unsubscribe AT googlegroups.com
For more options, visit this group at
For more information on Google Public DNS, please visit