> On 2 Dec 2022, at 17:43, Kurt Seifried <ku...@seifried.org> wrote:
>
> I read it briefly but it seems to me like there's a significant failure/abuse scenario:
>
> ISP controls an IP block that it portions out to customers. ISP has a web server and puts in the IP/IPv6 CAA records.
>
> Customers that use delegated IP space from the ISP can now only use those CAAs as well if they want to use this standard, correct?
>
> If this is correct, and I was a CA and read this I'd be building a PowerPoint deck for my sales team on how ISPs can partner with us to get a 20-50% commission on sales of certificates by doing this one simple thing…
Hello Kurt,
Thanks for the feedback!
If an ISP would like to add a CAA record for just their web server, they would add it only for that IP Address, and other addresses would not be affected.
If they add a CAA record for their entire IP range, e.g. assuming they have 10.10.0.0/16 they add it on 10.10.in-addr.arpa, then clients can override this CAA record if they have a delegation for e.g. 10.10.10.in-addr.arpa or their ISP allows them to set CAA records the same way they set PTR records.
The same risk applies to regular CAA records and TLDs (CAA in com) or shared domains (CAA in no-ip.org). If the end user has a delegation, or the ability to update DNS records, they can override the ones set higher in the hierarchy. If not, then CAA will limit issuance and this becomes a human problem, not a computer problem.
Maybe it is due to ICANN’s rules, but I am not aware of this happening.
In both cases, the entity that controls the hierarchically higher resource (be it a domain or an IP Address), can always perform a Denial of Service against its own customers if it really wants to: just write a cron job that fetches all CT certificates of the past hour, finds all instances of its domain / IP Address range, and submits Certificate Problem Reports to the issuing CA. Probably after some time, no CA would like to deal with this and denylist this resource.
In my view, this takes an entity going against their customers for arguably no real / significant gain, and if we assume that this is the case, then worse things could happen.
Overall, this remains a risk, always, but I don’t personally view it as something significant enough to prevent progress and gain the benefits of CAA.
Perhaps I am underestimating this, so I’d be happy to hear more if you still believe that it is a big problem.
Thank you,
Antonis
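To make the hierarchy argument in the reply concrete, here is an added Python example (not code from the thread or from the draft under discussion) that simulates the closest-ancestor CAA lookup over a constructed set of reverse-DNS records: an ISP record on 10.10.in-addr.arpa, a customer record on the delegated 10.10.10.in-addr.arpa, and one single-host record. The zone contents and CA identifiers are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data (assumption, not from the thread): reverse-DNS
# owner name -> list of CA identifiers found in CAA "issue" records.
SAMPLE_ZONES = {
    "10.10.in-addr.arpa": ["isp-ca.example"],         # ISP's whole /16
    "10.10.10.in-addr.arpa": ["customer-ca.example"], # customer's delegated /24
    "7.20.10.10.in-addr.arpa": ["host-ca.example"],   # one specific host
}


def reverse_name(ip: str) -> str:
    """Reverse-DNS name for an IPv4 or IPv6 address, e.g. 5.10.10.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def ancestors(name: str):
    """Yield the name itself, then each parent up to the root label (arpa)."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def relevant_caa(ip: str, zones=SAMPLE_ZONES):
    """Closest-ancestor lookup as in RFC 8659: the first name on the way
    up the tree that has CAA records decides; more specific wins."""
    for name in ancestors(reverse_name(ip)):
        if name in zones:
            return name, zones[name]
    return None, []  # no CAA anywhere on the path: no restriction


def issuance_permitted(ip: str, ca: str, zones=SAMPLE_ZONES) -> bool:
    """A CA may issue if no relevant CAA set exists or it is listed in it."""
    _, issuers = relevant_caa(ip, zones)
    return not issuers or ca in issuers


if __name__ == "__main__":
    for addr in ("10.10.10.5", "10.10.20.7", "10.10.20.8", "192.0.2.1"):
        print(addr, "->", relevant_caa(addr))
```

The customer's record on the delegated /24 shadows the ISP's /16 record for 10.10.10.5, while 10.10.20.8 still falls under the ISP's record.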