How to test CAA & iodef notification functionality

I have a LetsEncrypt certificate for my domains however, as a test, I've temporarily modified my CAA records for one domain to try to block LetsEncrypt from issuing certificates for the domain; I'm interested in verifying that certificate issuance will actually be blocked and that I get an e-mail notification to the address I specified in the iodef record.

Temporary CAA configuration for the domain (redacting actual domain name for privacy):

$ host -t caa [REDACTED].com
[REDACTED].com has CAA record 0 iodef "mailto:certfuckery@[REDACTED].com"
[REDACTED].com has CAA record 0 issue "nonexistentdomain.nul"

(Note: there are no CAA records for any subdomains)

With this configuration, LetsEncrypt (or anybody else) should refuse to issue a certificate for the domain and send a notice to the specified e-mail, right?

First thing I tried was a dry-run renewal of my existing certificate, and it went through successfully. (Not sure if the dry-run environment even checks CAA?)

Then I tried a force-renewal of my existing certificate, and it still went through.

Then I requested a new certificate for a subdomain of my domain, and it went through as well.

Why are these not being blocked? Do I need to wait some period of time for trust to expire?

I do use Cloudflare as my DNS provider and I'm aware that if a certain feature is turned on, they automatically add several CAA records (including one for LetsEncrypt); however, I've turned that feature off and, as far as I can tell, the old CAA records are no longer cached anywhere.
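To show what a CA's CAA check is expected to do with the configuration above, here is an added Python example (not from this thread and not Let's Encrypt's code) that evaluates RFC 8659 issue, issuewild and iodef records offline against a constructed zone; example.test stands in for the redacted domain, and the CA is identified by its CAA domain string (letsencrypt.org for Let's Encrypt). It also walks from a subdomain up to its parent, which is why the subdomain request in the post should be refused as well.

```python
"""Offline CAA evaluation per RFC 8659 against constructed records (added example)."""
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data standing in for DNS answers; example.test is a placeholder
# mirroring the post's configuration, not a real domain.
CAA_ZONE: Dict[str, List[Record]] = {
    "example.test": [
        (0, "iodef", "mailto:caa-reports@example.test"),
        (0, "issue", "nonexistentdomain.nul"),
    ],
    "open.test": [],  # hypothetical zone with no CAA records at all
}

def relevant_record_set(name: str, zone=CAA_ZONE) -> Tuple[Optional[str], List[Record]]:
    """RFC 8659 s3: walk from the requested name towards the root and return the
    first non-empty CAA set plus the name it was found at. CNAMEs are not modelled."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []

def issuance_permitted(name: str, ca: str, wildcard: bool = False, zone=CAA_ZONE) -> Tuple[bool, str]:
    """Return (permitted, reason) for a CA whose CAA identifier is `ca`.
    No relevant records anywhere -> permitted. Wildcard requests use 'issuewild'
    when present, else 'issue'. Permitted iff an applicable record names `ca`."""
    found_at, records = relevant_record_set(name, zone)
    if not records:
        return True, "no CAA records on the name or any ancestor; unrestricted"
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in records) else "issue"
    applicable = [v for _, t, v in records if t == tag]
    if not applicable:  # e.g. an iodef-only record set restricts nothing
        return True, f"CAA at {found_at} has no '{tag}' records; unrestricted"
    for value in applicable:
        domain = value.split(";", 1)[0].strip().lower()  # drop parameters; ';' alone means nobody
        if domain and domain == ca.lower():
            return True, f"'{tag} {domain}' at {found_at} authorises {ca}"
    return False, f"'{tag}' records at {found_at} do not list {ca}; refuse and report via iodef"

def iodef_targets(name: str, zone=CAA_ZONE) -> List[str]:
    """URLs a CA that implements iodef would report the refused request to."""
    _, records = relevant_record_set(name, zone)
    return [v for _, t, v in records if t == "iodef"]

if __name__ == "__main__":
    for host in ("example.test", "www.example.test", "open.test"):
        print(host, issuance_permitted(host, "letsencrypt.org"), iodef_targets(host))
```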

Hi @catharsis

As far as I know, iodef isn't implemented.

PS:

If you have questions, your domain name is required.

CAA is checked in staging, and you should be able to do your testing there. I just ran a test myself and got the expected urn:ietf:params:acme:error:caa error.

I think CAA results can be cached by the CA for up to 8 hours, though, so if you're doing lots of testing on the same domain name you may want to keep that in mind.

Let's Encrypt doesn't send iodef emails on failed issuance due to CAA. (Though of course, what you actually care about is what the CAs that you don't use do on attempted issuance, since that's what CAA is supposed to mitigate. I don't know how common iodef support is in the industry at large.)

I tried it again after a few hours and I'm now getting the expected "CAA record prevents issuance" behavior. As per above, no iodef notification e-mail, but ah well, life goes on. Hopefully it will become more widely adopted eventually.
