How to test CAA & iodef notification functionality

catharsis · April 18, 2021, 3:08pm

I have a LetsEncrypt certificate for my domains however, as a test, I've temporarily modified my CAA records for one domain to try to block LetsEncrypt from issuing certificates for the domain; I'm interested in verifying that certificate issuance will actually be blocked and that I get an e-mail notification to the address I specified in the iodef record.

Temporary CAA configuration for the domain (redacting actual domain name for privacy):

$ host -t caa [REDACTED].com
[REDACTED].com has CAA record 0 iodef "mailto:certfuckery@[REDACTED].com"
[REDACTED].com has CAA record 0 issue "nonexistentdomain.nul"

(Note: there are no CAA records for any subdomains)

With this configuration, LetsEncrypt (or anybody else) should refuse to issue a certificate for the domain and send a notice to the specified e-mail, right?

First thing I tried was a dry-run renewal of my existing certificate, and it went through successfully. (Not sure if the dry-run environment even checks CAA?)

Then I tried a force-renewal of my existing certificate, and it still went through

Then I requested a new certificate for a subdomain of my domain, and it went through as well.

Why are these not being blocked? Do I need to wait some period of time for trust to expire?

I do use Cloudflare for my DNS provider and I'm aware that if a certain feature if turned on, they automatically add several CAA records (including one for LetsEncrypt), however, I've turned that feature off and as far as I can tell the old CAA records are no longer cached anywhere.

JuergenAuer · April 18, 2021, 3:33pm

Hi @catharsis

as I know, iodef isn't implemented.

PS:

If you have questions, your domain name is required.

petercooperjr · April 18, 2021, 4:03pm

CAA is checked in staging, and you should be able to do your testing there. I just ran a test myself and got the expected urn:ietf:params:acme:error:caa error.

I think CAA results can be cached by the CA for up to 8 hours, though, so if you're doing lots of testing on the same domain name you may want to keep that in mind.

Let's Encrypt doesn't send iodef emails on failed issuance due to CAA. (Though of course, what you actually care about is what the CAs that you don't use do on attempted issuance, since that's what CAA is supposed to mitigate. I don't know how common iodef support is in the industry at large.)

catharsis · April 18, 2021, 5:01pm

I tried it again after a few hours and I'm now getting the expected "CAA record prevents issuance" behavior. As per above, no iodef notification e-mail but ah well life goes on. Hopefully it will become more widely adopted eventually.

system · May 18, 2021, 5:02pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certificate issued despite CAA record Issuance Tech	6	1727	April 28, 2022
CAA iodef support needed Feature Requests	19	1201	December 7, 2023
CAA & certificate issuance problem with a previously working setup Help	5	585	July 6, 2024
What is current industry-standard support of CAA iodef? Issuance Policy	5	1458	May 19, 2021
CAA exception notifications don't mention the failing domain Feature Requests	18	4041	September 7, 2017

How to test CAA & iodef notification functionality

Related topics