ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0

CAA of CNAME not found #665

Open alexhass opened 5 years ago

alexhass commented 5 years ago

Issue:

CAA not read from CNAME domain.

Repro:

  1. In domain example.com I configured CAA: example.com. CAA 128 issue "letsencrypt.org"
  2. A record foo.mydomain.net.example.com has been added.
  3. mydomain.net domain has no CAA DNS entries configured.
  4. Then we have a host named foo.mydomain.net CNAME foo.mydomain.net.example.com
  5. Checking www.example.com shows that CAA exists as configured.
  6. Checking foo.mydomain.net.example.com shows that CAA exists as configured.
  7. Now I check with SSL Labs the SSL configuration of foo.mydomain.net and it tells me CAA does not exist! This is not correct.

Per https://letsencrypt.org/docs/caa/ this should work, but it does not.

CAA validation follows CNAMEs, like all other DNS requests. If www.community.example.com is a CNAME to web1.example.net, the CA will first request CAA records for www.community.example.com, then seeing that there is a CNAME for that domain name instead of CAA records, will request CAA records for web1.example.net instead. Note that if a domain name has a CNAME record, it is not allowed to have any other records according to the DNS standards.

Is this a known bug? Can you fix it, please?

naumanshah03 commented 5 years ago

Please share the domain names for us to investigate in private message at https://community.qualys.com/people/nshah

After the investigation, we will update about the status of it

alexhass commented 5 years ago

Have you been able to review the issue?

naumanshah03 commented 4 years ago

@alexhass can you please connect with me on personal message? I have the domains that were shared by you. I'm not able to reproduce the issue, so I would need your help on reproducing the scenario for the domains shared by you.

Regards, Nauman Shah

naumanshah03 commented 4 years ago

@alexhass

The domain name shared by you. For that domain name, I'm not able to replicate the issue. Can you help me with some tools or commands that will allow me to identify the CAA record?

Thanks and Regards, Nauman Shah

massar commented 3 years ago

Hi,

Similar case: main domain has a CAA record, but CNAMEd domain does not:

Hostname: idee.quickline.ch (which is hosted on cloudflare).

Given the domain with a CAA:

$ dig +short quickline.ch caa
0 iodef "mailto:ops@as15600.net"
0 issue "letsencrypt.org; validationmethods=dns-01"
0 issuewild "letsencrypt.org; validationmethods=dns-01"

The SSLLabs test claims that is the CAA record, which is false, as quickline.uservoice.com CAA should be checked, which has no policy.

CNAME:

$ dig +short idee.quickline.ch cname
quickline.uservoice.com.

No CAA for the final domain:

$ dig +short quickline.uservoice.com. caa

$ dig +short uservoice.com. caa

Expected: Report that there is no CAA (as that is the policy of the final domain).

massar commented 3 years ago

Additionally: SSLLabs gives an A+ at the moment for idee.quickline.ch, which has an SSL certificate issued by Cloudflare, .... thus if you think the policy of quickline.ch should be used, then that means that the Cloudflare issue is invalid.

Though... of course, the one checking the CAA record is normally the CA, and they might just ignore CAA; but I think it would be really good to have not a "green CAA is great" but a "There is a CAA record, but the CA used for this certificate does not match the CAA that certificate"

Though... there are people who revoke the CAA record the moment they have issued the certificate. Hence, a mismatched CAA policy / CA from the cert should only raise a warning, as the certificate does work and the CAA might have been valid at the time of issue.
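As an added example (not part of this thread and not ssllabs-scan code), the script below runs the relevant-CAA-set lookup over a constructed, offline zone modelled on the scenario in the first post, under both rules that are in play here: climbing parents from the CNAME target (the behaviour the quoted Let's Encrypt text describes) and climbing only from the originally queried name (the RFC 8659 rule, where each individual query still follows CNAMEs). All names and records are constructed, not live DNS; `ZONE`, `query`, `parent` and `relevant_caa` are this example's own helpers.

```python
# Added example: relevant CAA set for a name, with two CNAME-handling rules.
# The zone data is constructed for illustration; it is not live DNS.
from typing import Optional

ZONE = {
    "example.com.": {"CAA": ['128 issue "letsencrypt.org"']},
    "foo.mydomain.net.example.com.": {"A": ["192.0.2.10"]},
    "foo.mydomain.net.": {"CNAME": ["foo.mydomain.net.example.com."]},
}


def query(name: str, rtype: str, depth: int = 0) -> tuple[str, list[str]]:
    """Resolve like a stub resolver: chase CNAMEs, return (final_name, rrset)."""
    rr = ZONE.get(name, {})
    if rtype != "CNAME" and "CNAME" in rr:
        if depth > 8:  # guard against CNAME loops in the constructed data
            raise RuntimeError("CNAME chain too long")
        return query(rr["CNAME"][0], rtype, depth + 1)
    return name, rr.get(rtype, [])


def parent(name: str) -> Optional[str]:
    """Strip the leftmost label; None once only the TLD is left."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa(name: str, climb_from_alias: bool) -> tuple[Optional[str], list[str]]:
    """Return (name_where_found, caa_rrset), or (None, []) if no CAA applies.
    climb_from_alias=False: RFC 8659, climb parents of the queried name only.
    climb_from_alias=True:  first climb parents of the CNAME target as well."""
    final, rrset = query(name, "CAA")  # this query already follows CNAMEs
    if rrset:
        return final, rrset
    starts = [final] if climb_from_alias and final != name else []
    starts.append(name)
    for start in starts:
        p = parent(start)
        while p:
            found_at, rrset = query(p, "CAA")
            if rrset:
                return found_at, rrset
            p = parent(p)
    return None, []


if __name__ == "__main__":
    for rule in (True, False):
        print("climb_from_alias=%s:" % rule, relevant_caa("foo.mydomain.net.", rule))
```

Running it shows the disagreement directly: the alias-climbing rule attributes example.com's CAA to foo.mydomain.net, while the RFC 8659 rule finds no CAA for it at all.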