Question about wildcard certs

Hi, I’m working on a project to make some zones with various intentional DNSSEC failures in order to learn how to properly test for DNSSEC validation support in Python (working on a project where a working DNSSEC enforcing resolver running on localhost is important).

While not absolutely necessary, I’d like to run corresponding websites so people can test their browsers.

With DNSSEC failures, Let’s Encrypt won’t be able to verify the IP address but the parent zone will NOT have DNSSEC errors and is under my control.

So in theory, could I get a L.E. wildcard for *.dnssec.icu and have it work where the subdomains in the * are actually in a delegated child zone - or is that against certificate issuance policy for wildcard certificates?

That lists what I am doing with the delegated zones.

I haven’t read the GitLab yet, but that sounds fine.

Keep in mind that Let’s Encrypt has to be able to resolve _acme-challenge.dnssec.icu's TXT record set and dnssec.icu's CAA record set.

But it’s fine if other subdomains don’t work.

The CA software doesn’t explicitly check for, and Let’s Encrypt doesn’t have a policy preventing, subdomain delegations.

(April edit: s/GitHub/GitLab/.)

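To make the reply above concrete, here is an added example (not code from this thread or from Let's Encrypt) that works out which DNS names a CA has to resolve for a requested name under DNS-01 validation, and flags any that fall inside a delegated child zone. The child zone names are constructed to mirror the setup described in the question; the CAA chain follows RFC 8659 (climb toward the root, wildcard label dropped).

```python
"""Which DNS names must a CA resolve before issuing for a given name?

Added example, not from the thread. Assumes DNS-01 validation (TXT at
_acme-challenge.<name>) and RFC 8659 CAA lookup. The broken child zones
below are constructed stand-ins for the intentionally failing delegations.
"""

def _labels(name):
    return name.rstrip(".").lower().split(".")

def in_zone(name, zone):
    """True if name is at or below zone (DNS names are label suffixes)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z

def names_ca_must_resolve(requested):
    """Return the (rrtype, name) lookups needed for one SAN.

    The '*' label is dropped for both the challenge name and CAA
    (RFC 8659 section 5 treats *.example like example for CAA).
    The CAA list is the full worst-case chain; a real lookup stops at
    the first ancestor that has a CAA RRset.
    """
    base = requested[2:] if requested.startswith("*.") else requested
    lookups = [("TXT", "_acme-challenge." + base)]
    labels = _labels(base)
    for i in range(len(labels)):          # dnssec.icu, then icu
        lookups.append(("CAA", ".".join(labels[i:])))
    return lookups

def delegated_lookups(requested, delegated_zones):
    """Lookups that land inside a delegated zone, as (rrtype, name, zone).

    An empty result means issuance depends only on the parent zone,
    which is the situation the reply describes for *.dnssec.icu.
    """
    hits = []
    for rrtype, name in names_ca_must_resolve(requested):
        for zone in delegated_zones:
            if in_zone(name, zone):
                hits.append((rrtype, name, zone))
    return hits

# Constructed child zones standing in for the broken delegations.
BROKEN_ZONES = ["badsig.dnssec.icu", "expired.dnssec.icu"]

if __name__ == "__main__":
    for san in ("*.dnssec.icu", "*.badsig.dnssec.icu"):
        print(san, "->", delegated_lookups(san, BROKEN_ZONES) or "parent zone only")
```

A wildcard for the parent zone touches none of the delegated zones, while a wildcard for a broken child would require the CA to resolve names inside that child.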

Thanks, I didn’t think there would be a way for certbot to check to see if delegations exist but if there is a policy against it, I do not want to violate that.
