On 09/09/17 10:21, Jeremy Rowley wrote:
> Certificate 1 contains a single DNS identifier for
> big.basic.caatestsuite.com. This DNS name has a CAA resource record set
> that is too large to fit within a single DNS UDP packet, but small enough
> to fit within a DNS TCP packet. The only CAA record containing an issue
> property is:
>
> big.basic.caatestsuite.com. IN CAA 0 issue "caatestsuite.com"
>
> Therefore, only caatestsuite.com is allowed to issue for this identifier.
From the discussion so far, I'd say that this one is clearly a misissuance, and needs treating as one. (I see this as a clever vuln, not as CA implementation incompetence.) The jury is still out on the CNAME and DNSSEC-based reports.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
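An added example, not code from the thread or from any CA: a minimal CAA checker in Python that honours the TC bit as RFC 1035 requires, re-fetching the RRset over TCP before applying the RFC 6844 issue-property rule. The DNS replies are constructed in-line to model the big.basic.caatestsuite.com case (the real record set is larger); `fetch_tcp` is a hypothetical callback standing in for a TCP query, and `honour_tc=False` reproduces a resolver that uses the truncated UDP answer as-is.

```python
import struct
CAA_TYPE = 257
QNAME = "big.basic.caatestsuite.com"

def _name(n):
    """Dotted name to DNS wire format (uncompressed labels)."""
    return b"".join(bytes([len(l)]) + l.encode() for l in n.strip(".").split(".")) + b"\x00"

def _skip_name(msg, off):
    """Advance past a wire-format name (label sequence or compression pointer)."""
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def build_reply(caa_rrs, truncated):
    """Constructed DNS response: header, echoed question, CAA answer records."""
    flags = 0x8180 | (0x0200 if truncated else 0)     # QR, RD, RA, plus TC when truncated
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(caa_rrs), 0, 0)
    msg += _name(QNAME) + struct.pack("!HH", CAA_TYPE, 1)
    for cflags, tag, value in caa_rrs:
        rdata = bytes([cflags, len(tag)]) + tag.encode() + value.encode()
        msg += _name(QNAME) + struct.pack("!HHIH", CAA_TYPE, 1, 300, len(rdata)) + rdata
    return msg

def parse_caa(msg):
    """Return (tc_bit, [(flags, tag, value), ...]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                # skip QTYPE and QCLASS
    rrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == CAA_TYPE:
            taglen = rdata[1]
            rrs.append((rdata[0], rdata[2:2 + taglen].decode(), rdata[2 + taglen:].decode()))
    return bool(flags & 0x0200), rrs

def issuance_allowed(udp_reply, fetch_tcp, issuer, honour_tc=True):
    """RFC 6844 issue check; honour_tc=False reproduces a resolver that ignores TC."""
    truncated, rrs = parse_caa(udp_reply)
    if truncated and honour_tc:
        _, rrs = parse_caa(fetch_tcp())               # RFC 1035: TC=1 means retry over TCP
    issuers = [v.split(";", 1)[0].strip() for _, tag, v in rrs if tag.lower() == "issue"]
    return issuer in issuers if issuers else True     # no issue property: no restriction

# Constructed replies: UDP carries only the filler that fits (TC set); the full TCP set ends with the issue record.
FILLER = [(0, "iodef", f"mailto:caa-{i}@example.invalid") for i in range(20)]
UDP_REPLY = build_reply(FILLER[:3], truncated=True)
TCP_REPLY = build_reply(FILLER + [(0, "issue", "caatestsuite.com")], truncated=False)
```

With the TC bit ignored, the checker sees only iodef records and would permit any issuer; with it honoured, only caatestsuite.com passes.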