[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[public-dns-discuss] Re: Option to flush cache for CAA RR Type



The German Telekom uses the website https://digwebinterface.com/ to verified CAA records, they only use the default resolver which is 8.8.4.4. Our certificate requests are always NOT DNSSEC domains.

The tip with the TTL is really good, sometimes it's the simplest solutions you do not come up with on your own. Thanks



On Friday, October 5, 2018 at 4:27:21 PM UTC+2, Alex Dupuy wrote:
Note that the option to flush CAA would only be present for DNSSEC signed zones (otherwise flushing a security-related record like CAA could be used to assist in a cache poisoning attack).

I am a bit surprised to see that Telekom uses Google Public DNS for this, since (for DNSSEC signed zones, at least) they need to verify the DNSSEC validity of the CAA response themselves (or use a secure protocol like DNS over HTTPS for their communications with Google Public DNS). If they are sending plain UDP to us and depending on the DNSSEC AD flag in our response, that is something that could be spoofed by anyone (quite easily for anyone who can see their queries to us).

If they are validating the DNSSEC, they presumably have a capable DNS resolver doing so, and could easily query authoritative name servers directly.

For domain administrators who are having this problem on a chronic basis, there is a simple solution, which is to reduce the TTL for the CAA record to something more reasonable, like one hour (3600).

--
You received this message because you are subscribed to the Google Groups "public-dns-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public-dns-discuss+unsubscribe AT googlegroups.com.
To post to this group, send email to public-dns-discuss AT googlegroups.com.
Visit this group at https://groups.google.com/group/public-dns-discuss.
To view this discussion on the web visit https://groups.google.com/d/msgid/public-dns-discuss/7454f1fb-5e7b-4806-9943-dc373c7c38c1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.