Public Suffix List CAA issue(s)

Earlier, i scanned the full TLD list to see if any more of them didn’t support CAA, similar to the situation with .sr. (Doing roughly "dig cOm caa" and so forth.) There were no other broken TLDs.

Now i’ve done the same thing with the entire Public Suffix List.

I used:

• zdns
• dig
• Unbound 1.5.8 with a similar configuration to unboundtest.com. (I enabled caching.)
• the Public Suffix List
• two Python scripts for processing it
• jq
• sed

For the Public Suffix List, i removed !example.com entries and treated *.example.com as example.com.

Limitations: I checked from one location, repeatedly, over a short period of time. I didn’t check for issues with subdomains.

With that excessive introduction, i found two public suffixes with CAA issues:

mil.no
sr

mil.no is, yes, the Norwegian military. They have less than 20 non-expired certificates in CT, from several CAs, none of which are Let’s Encrypt. (crt.sh)

I found 37 other public suffixes that were broken for A, CAA and NS, suggesting wider and irrelevant problems. (DNSSEC, 0x20, routing issues, etc.) I’ll paste that list at the bottom. I didn’t check if any of them are in use.

So… except for .sr, which we already knew about, probably not bad.

mil.ac
res.aero
gov.as
com.bm
edu.bm
net.bm
org.bm
ar.com
hu.com
kr.com
logoip.com
qc.com
uy.com
mycd.eu
user.party.eus
tt.im
trentino-suedtirol.it
asso.km
per.la
gov.mr
louvre.museum
xn--h1aegh.museum
biz.mv
il.eu.org
i.ph
mil.rw
mil.sh
consulado.st
edu.st
embaixada.st
mil.st
net.st
store.st
test.tj
cc.id.us
cc.wa.us
mil.zw

(cc @jsha)

Edit:

$ dig +short mil.no ns
ns4.eonisp.net.
ns5.eonisp.net.
ns6.eonisp.net.

$ dig +norecurse mil.no caa @ns5.eonisp.net.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse mil.no caa @ns5.eonisp.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54228
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mil.no.                                IN      CAA

;; Query time: 111 msec
;; SERVER: 217.18.205.137#53(217.18.205.137)
;; WHEN: Wed Aug 09 08:59:04 UTC 2017
;; MSG SIZE  rcvd: 24

Yep, authoritative nameservers return SERVFAIL.

version.bind returns an invalid (class IN) but informative response of “Served by POWERDNS 2.9.22 $Id: packethandler.cc 1321 2008-12-06 19:44:36Z ahu $” and i hope i don’t get arrested by NATO…

Thanks for doing this test! That’s a great public service.

Does anyone have a practical way to report this to the .no NIC?

Any chance contacting one of the other CAs would work? Comodo and DigiCert (and the other CAs used less recently) must have someone’s email address on file, but one department’s SSL person may have no idea how to contact the national DNS team…

mil.rw can be struck from the “down for A/CAA/NS” list. Today it works.

Nothing else appears to have improved.

mil.rw

Thanks for the update! If you want to run those tests in cron, it would be useful. I suspect that .sr also has good days and bad days, since it must have succeeded when I ran the scan that generated the exception list.

One hypothesis we’ve been kicking around is that some networks have DDoS scrubbing appliances that are enabled only some of the time, and those appliances misidentify and drop the CAA queries.

In a new category, one public suffix is sort of broken. (It was probably broken in the same way the first time i looked, but i dismissed it as an “random temporary issue” false positive.)

ba.gov.br

2/4 of the zone’s nameservers do not respond to CAA queries,

Worse, only those two are listed in the delegation.

Depending on the DNS implementation, it may always fail (Google Public DNS), always succeed (QNAME minimisation, probably), or sometimes both (Unbound).

$ digr ba.gov.br @b.dns.br

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse ba.gov.br @b.dns.br
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39954
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ba.gov.br.                     IN      A

;; AUTHORITY SECTION:
ba.gov.br.              86400   IN      NS      cpu0034.ba.gov.br.
ba.gov.br.              86400   IN      NS      cpu0020.prodeb.gov.br.

;; ADDITIONAL SECTION:
cpu0020.prodeb.gov.br.  86400   IN      A       200.187.60.85
cpu0034.ba.gov.br.      86400   IN      A       200.187.60.34

;; Query time: 112 msec
;; SERVER: 200.189.41.10#53(200.189.41.10)
;; WHEN: Fri Aug 11 07:36:52 UTC 2017
;; MSG SIZE  rcvd: 121

$ dig ba.gov.br ns

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ba.gov.br ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7142
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ba.gov.br.                     IN      NS

;; ANSWER SECTION:
ba.gov.br.              300     IN      NS      ns2.pop-ba.rnp.br.
ba.gov.br.              300     IN      NS      cpu0020.prodeb.gov.br.
ba.gov.br.              300     IN      NS      cpu0034.ba.gov.br.
ba.gov.br.              300     IN      NS      ns1.pop-ba.rnp.br.

;; ADDITIONAL SECTION:
cpu0034.ba.gov.br.      300     IN      A       200.187.60.34

;; Query time: 247 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Aug 11 07:37:18 UTC 2017
;; MSG SIZE  rcvd: 152

According to version.bind, the bad nameservers are running “[secured]” and the good nameservers are running “[SECURED]”.

The public suffix has 274 unexpired Let’s Encrypt certificates, issued as recently as yesterday, and a similar number in the CT logs from other CAs.

None of them are on your SERVFAIL list, so perhaps it’s new, intermittent, regional, or the Let’s Encrypt resolvers always try all 4 nameservers.

https://crt.sh/?q=%ba.gov.br
https://www.google.com/transparencyreport/https/ct/?hl=en#domain=ba.gov.br&incl_exp=false&incl_sub=true

There’s a user on this forum was the one who finally succeeded in getting the Brazilian government subdomains on the PSL (which was a huge service to local government employees who wanted to use Let’s Encrypt). Maybe he can help.

But first, I just sent a note of my own in Portuguese to PRODEB asking if I can talk to someone who’s involved in running their DNS servers.

Update:

ba.gov.br
gov.mr
mil.no
sr

ba.gov.br’s status has partly changed: They removed the two good nameservers from the authoritative NS records! So now it’s all broken instead of just mostly broken.

mil.no and sr have not started working.

gov.mr (government of Mauritania) seems to be a new problem. Not sure everything that’s wrong with the domain, and some of it comes and goes (though CAA never works), but mostly there are bad referrals.

http://dnsviz.net/d/gov.mr/dnssec/

$ dig +short gov.mr ns
dns.mauritania.mr.
ns.univ-nkc.mr.

$ digr gov.mr caa @dns.mauritania.mr

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse gov.mr caa @dns.mauritania.mr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1145
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;gov.mr.                                IN      CAA

;; AUTHORITY SECTION:
.                       3600    IN      NS      d.root-servers.net.
.                       3600    IN      NS      j.root-servers.net.
.                       3600    IN      NS      l.root-servers.net.
.                       3600    IN      NS      c.root-servers.net.
.                       3600    IN      NS      g.root-servers.net.
.                       3600    IN      NS      e.root-servers.net.   
.                       3600    IN      NS      m.root-servers.net.
.                       3600    IN      NS      f.root-servers.net.
.                       3600    IN      NS      h.root-servers.net.
.                       3600    IN      NS      k.root-servers.net.
.                       3600    IN      NS      b.root-servers.net.
.                       3600    IN      NS      i.root-servers.net.
.                       3600    IN      NS      a.root-servers.net.

;; ADDITIONAL SECTION:
d.root-servers.net.     3600    IN      A       128.8.10.90
j.root-servers.net.     3600    IN      A       192.58.128.30
l.root-servers.net.     3600    IN      A       199.7.83.42
c.root-servers.net.     3600    IN      A       192.33.4.12
g.root-servers.net.     3600    IN      A       192.112.36.4
e.root-servers.net.     3600    IN      A       192.203.230.10
m.root-servers.net.     3600    IN      A       202.12.27.33
f.root-servers.net.     3600    IN      A       192.5.5.241
h.root-servers.net.     3600    IN      A       128.63.2.53
k.root-servers.net.     3600    IN      A       193.0.14.129
b.root-servers.net.     3600    IN      A       192.228.79.201
i.root-servers.net.     3600    IN      A       192.36.148.17
a.root-servers.net.     3600    IN      A       198.41.0.4

;; Query time: 170 msec
;; SERVER: 82.151.65.66#53(82.151.65.66)
;; WHEN: Wed Aug 30 20:31:25 UTC 2017
;; MSG SIZE  rcvd: 658

$ digr gov.mr caa @ns.univ-nkc.mr

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse gov.mr caa @ns.univ-nkc.mr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gov.mr.                                IN      CAA

;; AUTHORITY SECTION:
gov.mr.                 604800  IN      NS      ns.univ-nkc.mr.
gov.mr.                 604800  IN      NS      dns.mauritania.mr.

;; ADDITIONAL SECTION:
ns.univ-nkc.mr.         86400   IN      A       82.151.64.1
dns.mauritania.mr.      604800  IN      A       82.151.65.66 

;; Query time: 187 msec
;; SERVER: 82.151.64.1#53(82.151.64.1)
;; WHEN: Wed Aug 30 20:31:58 UTC 2017
;; MSG SIZE  rcvd: 122

Edit:

The “broken for A/CAA/NS” public suffix list has probably changed but i don’t look closely at it.

All of the new public suffixes added since my first post are fine.

I didn't get any reply from PRODEB. We have quite a few certificates for this domain, so I think that's going to be a problem.

I'm happy to try something else, but I'm not sure what.

I'm waiting to hear back from sr's DNS server vendor, whom I got a technical contact with yesterday; see

for more details.

No CA has ever issued a publicly-disclosed certificate for gov.mr so this might not seem like a priority for them. Maybe they'll discover the problem when they eventually try to get their first certificate?

As for .mil.no, it looks like they're overwhelmingly (though not completely) DigiCert at the moment, so I've just asked DigiCert to get in touch if they have some channel.

PRODEB has an ombudsman (ouvidoria) to help "citizens" interact with the state government. While I'm not a citizen, I just sent the ombudsman office a long note about this problem along with a plea for them to help it get to the right place... which feels like something an ombudsman might in principle be able to do.

I have a further last-ditch idea, which is to write with the same information directly to their subdomain registrar service, which is meant for local government entities in Bahia. However, if that's entirely clerical and doesn't have a tech support function, they might not have any idea how to deal with what's essentially a tech support request (from a non-customer!).

Brief updates on everything but Mauritania:

I sent a bunch of technical details which my contact was supposedly going to forward to a responsible person inside the vendor's organization. I can request an update on this next week. (Per the other thread, the registrar is extremely aware of the problem but needs a fix from the vendor.)

DigiCert said they would try to get in touch with someone there.

I'll do this next week if I don't hear back from the ombudsman's office.

BTW, in your communication with the .sr support team, maybe you should suggest that they update the technical and administrative contacts in whois, since emailing those people didn't seem to get a reply.

Good idea, I’ve just pointed this out to them.

Update: No changes since the other day.

Current "broken for both CAA and NS" list:

mil.ac
res.aero
gov.as
com.bm
edu.bm
net.bm
org.bm
ar.com
hu.com
kr.com
no.com
qc.com
uy.com
tt.im
trentino-suedtirol.it
valdaosta.it
asso.km
per.la
gov.mg
geelvinck.museum
louvre.museum
xn--h1aegh.museum
biz.mv
i.ph
mil.sh
consulado.st
edu.st
embaixada.st
mil.st
net.st
store.st
test.tj
cc.id.us
cc.wa.us
mil.zw

(I didn't check A this time.)

I wrote to the ba.gov.br subdomain registration service today with the same information that I sent to the ombudsman's office last week.

No or few changes to the "broken CAA/NS" list. (To be specific, i filtered transient failures that changed, but didn't check if any "broken the other day" suffixes were transient failures today.)

Update:

I didn’t do a real scan, just spot checked the bad public suffixes.

gov.mr works!

$ dig gov.mr caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> gov.mr caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44599
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gov.mr.                                IN      CAA

;; AUTHORITY SECTION:
gov.mr.                 3600    IN      SOA     dns.mauritania.mr. hostmaster.rim.mr. 2016071722 900 600 86400 3600

;; Query time: 1321 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Sep 07 00:01:40 UTC 2017
;; MSG SIZE  rcvd: 101

https://unboundtest.com/m/CAA/gov.mr/EFRCE2TO

The other 3 public suffixes aren’t better.

ba.gov.br
mil.no
sr

Well, I sent a follow-up just now to the sr vendor and also a follow-up to the registrar.

Update:

I still haven’t done another real scan, but i did another spot check.

gov.mr stopped working again.

https://unboundtest.com/m/CAA/gov.mr/F6PMH2AV

ba.gov.br
gov.mr
mil.no
sr

I just added some seemingly bad news on Infoblox at