CAA Checking: CNAME Target Returns SERVFAIL


Awel Dia

Mar 17, 2026, 11:58:00 AM
to dev-secur...@mozilla.org
Hello everyone,

I am submitting this inquiry regarding CAA record checking under CA/B Forum Baseline Requirements, in a scenario involving a CNAME alias and DNSSEC-related SERVFAIL.

The domain a.example.com has a CNAME record pointing to 67c520ec0d.uniwaf.com. a.example.com has no CAA records configured. a.example.com does not enable DNSSEC.

When checking the CNAME target domain 67c520ec0d.uniwaf.com via DNSViz at https://dnsviz.net/d/67c520ec0d.uniwaf.com/dnssec/, the result returns SERVFAIL due to DNSSEC validation failure.
However, a direct dig query for CAA records on a.example.com returns NOERROR with no CAA records.

My question is: can the "no CAA records" result for a.example.com be used as a valid basis to proceed with certificate issuance, even though the CNAME target domain returns SERVFAIL?

Thanks!
Awei

Henry Birge-Lee

Mar 17, 2026, 11:09:17 PM
to Awel Dia, dev-secur...@mozilla.org
Hi Awei,

My take: the CA has proof of the absence of a DNSSEC trust chain for a.example.com. In the absence of a trust chain back to the IANA DNSSEC root, the "permission to issue on CAA lookup failure" clause can be invoked so long as the other criteria are met. That failure mode can involve SERVFAIL.

Also, dig returning NOERROR depends a lot on which recursive dig is pointed to. dig does not implement its own recursive (+trace is a poor man's recursive with some cheating). If the recursive did not validate DNSSEC, that could explain the NOERROR response.

unbound-host (https://linux.die.net/man/1/unbound-host) implements a full recursive algorithm, or you can just control the config of the recursive used by dig.

Best,
Henry

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/27a075ce-03de-4cf2-a8f4-0f9d34f53c69n%40mozilla.org.
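An added example, not from this thread, that models Henry's point in Python with constructed data (the names are the ones from the thread; the zone contents, the two resolver behaviours and the simplified policy sketch are assumptions): the RFC 8659 climb-to-root CAA lookup, with the resolver chasing the CNAME, returns an empty set through a non-validating resolver but a lookup failure through a validating one.

```python
"""Simulate RFC 8659 CAA discovery against a validating and a non-validating resolver."""
from dataclasses import dataclass, field

SERVFAIL = "SERVFAIL"  # sentinel: the lookup failed (e.g. DNSSEC validation failure)


@dataclass
class MockResolver:
    """Constructed zone data standing in for a real recursive resolver.
    'bogus' holds names whose DNSSEC validation fails; only a validating
    resolver turns that into SERVFAIL, a non-validating one answers anyway."""
    validating: bool
    cname: dict = field(default_factory=dict)
    caa: dict = field(default_factory=dict)
    bogus: set = field(default_factory=set)

    def caa_query(self, name):
        # Resolvers chase CNAMEs as part of answering the CAA query (RFC 8659 s3),
        # so CAA(a.example.com) is really CAA of the alias target.
        seen = set()
        while name in self.cname and name not in seen:
            seen.add(name)
            name = self.cname[name]
        if self.validating and name in self.bogus:
            return SERVFAIL
        return list(self.caa.get(name, []))


def relevant_caa_set(resolver, name):
    """RFC 8659 section 3: query CAA at name and climb toward the root until a
    non-empty set is found. A lookup failure at any level ends the search."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        result = resolver.caa_query(".".join(labels[i:]))
        if result == SERVFAIL or result:
            return result
    return []


def issuance_decision(result, dnssec_chain_to_root, retried):
    """Simplified policy sketch (assumed, not the Baseline Requirements text):
    an empty set permits issuance; a lookup failure is only treated as
    permission when it was retried and the zone has no DNSSEC chain to the root."""
    if result == SERVFAIL:
        return "permit-on-lookup-failure" if (retried and not dnssec_chain_to_root) else "refuse"
    return "permit" if not result else "evaluate-records"


def build_resolvers():
    """Constructed zone state mirroring the thread: alias, no CAA, bogus target."""
    zones = dict(cname={"a.example.com": "67c520ec0d.uniwaf.com"}, caa={},
                 bogus={"67c520ec0d.uniwaf.com"})
    return MockResolver(validating=False, **zones), MockResolver(validating=True, **zones)
```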

Awel Dia

Mar 18, 2026, 11:40:18 AM
to dev-secur...@mozilla.org, Henry Birge-Lee, dev-secur...@mozilla.org, Awel Dia
Hi Henry!

Thank you very much for sharing.

First, I would like to share the dig commands I used and the corresponding results. I used 8.8.8.8 as the recursive parsing server.

[attached image: the dig commands and their output, not reproduced here]
Secondly, I personally agree with your point of view. Thank you again for your sharing.

Awei

Thanks!