CAA record suddenly failing for wildcard certificates

Osiris · January 29, 2023, 3:02pm

Well, the actual feature has been added to Boulder 4 years ago already: https://github.com/letsencrypt/boulder/pull/3716

So one can argue Boulder actually understood it, but choose to ignore it, as the feature was disabled up until December 2022.

The RFC does not forbid "understanding but ignoring" a critical feature I think.

That said, if I read the Boulder code correctly:

github.com

letsencrypt/boulder/blob/d9cb35c60c877cc432a568f7da01553dd79d6715/va/caa.go#L284-L340


      
          // parseCAARecord extracts the domain and parameters (if any) from a
          // issue/issuewild CAA record. This follows RFC 8659 Section 4.2 and Section 4.3
          // (https://www.rfc-editor.org/rfc/rfc8659.html#section-4). It returns the
          // domain name (which may be the empty string if the record forbids issuance)
          // and a tag-value map of CAA parameters, or a descriptive error if the record
          // is malformed.
          func parseCAARecord(caa *dns.CAA) (string, map[string]string, error) {
          	isWSP := func(r rune) bool {
          		return r == '\t' || r == ' '
          	}
          
          
	// Semi-colons (ASCII 0x3B) are prohibited from being specified in the
          	// parameter tag or value, hence we can simply split on semi-colons.
          	parts := strings.Split(caa.Value, ";")
          	domain := strings.TrimFunc(parts[0], isWSP)
          	paramList := parts[1:]
          	parameters := make(map[string]string)
          
          
	// Handle the case where a semi-colon is specified following the domain
          	// but no parameters are given.

This file has been truncated. show original

It does not actually check for issue/issuewild parameters except for the values it knows. And does not error out if it comes across an unknown parameter.

Topic		Replies	Views
Problem: How to setup DNS CAA Server	10	11224	May 30, 2019
[SOLVED] CAA failure renewing wildcard certificates Help	7	4832	June 17, 2018
Status 403: CAA record prevents issuance Help	3	3331	December 10, 2020
Domain validation failed, but CAA records are correct Help	4	1233	October 31, 2019
Certbot 2.7.2 / error for CAA Help	96	1444	December 4, 2023

CAA record suddenly failing for wildcard certificates

Related topics