Option to flush cache for CAA RR Type


bhush...@gmail.com

Jan 2, 2018, 10:34:50 AM
to public-dns-discuss
The Flush Cache tool (https://developers.google.com/speed/public-dns/cache) should have an option to flush the cache for the CAA record type.
Sometimes it takes more than a week for a CAA record to be reflected. As more people are setting CAA records, it would be great if we had an option to flush the cache for CAA records.

SSL Labs also uses Google Public DNS, and it also reflects the stale data for CAA.

Alex Dupuy

Feb 11, 2018, 4:26:11 PM
to public-dns-discuss
See https://issuetracker.google.com/issues/73183199 for this feature request (you can vote for it by clicking on the ☆ star to the left of the issue id and title).

wasie...@iza.org

Oct 5, 2018, 9:47:37 AM
to public-dns-discuss

It would be good to have this option since some CAs now only sign SSL certificates when the CAA record is valid. For example, the German Telekom uses a CAA dig tool that uses the Google DNS servers by default. If you have a wrong CAA record and get advised to correct it, the German Telekom will wait until the changes are present in the Google DNS; they use the Google DNS only and not the actual name server for the domain. So you have to wait for your SSL certificate until the Google DNS reflects the changes.

Alex Dupuy

Oct 5, 2018, 10:27:21 AM
to public-dns-discuss
Note that the option to flush CAA would only be present for DNSSEC signed zones (otherwise flushing a security-related record like CAA could be used to assist in a cache poisoning attack).

I am a bit surprised to see that Telekom uses Google Public DNS for this, since (for DNSSEC signed zones, at least) they need to verify the DNSSEC validity of the CAA response themselves (or use a secure protocol like DNS over HTTPS for their communications with Google Public DNS). If they are sending plain UDP to us and depending on the DNSSEC AD flag in our response, that is something that could be spoofed by anyone (quite easily for anyone who can see their queries to us).

If they are validating the DNSSEC, they presumably have a capable DNS resolver doing so, and could easily query authoritative name servers directly.

For domain administrators who are having this problem on a chronic basis, there is a simple solution, which is to reduce the TTL for the CAA record to something more reasonable, like one hour (3600).
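The TTL advice above concerns how long a cached CAA set can linger in a resolver. As an added example that is not part of this thread or of Google Public DNS, the following Python (standard library only) parses CAA records in zone-file presentation format, encodes and decodes the RFC 8659 wire format (flags byte, tag length byte, tag, value), and lints a record set for TTLs above the suggested 3600 seconds and for critical-flagged tags a CA may not understand. The zone lines in `SAMPLE_ZONE` are constructed for the example, and `MAX_CAA_TTL` is an assumed threshold taken from the one-hour suggestion.

```python
import re
import struct

# One hour: the TTL suggested in the thread as reasonable for CAA records (assumed threshold).
MAX_CAA_TTL = 3600

# Property tags defined in RFC 8659; other tags are syntactically legal but unknown to CAs.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# "Issuer critical" flag (value 128): a CA that does not understand a tag carrying it must not issue.
CAA_FLAG_CRITICAL = 0x80

# Presentation-format CAA record: <owner> <ttl> IN CAA <flags> <tag> "<value>"
CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)

# Constructed sample zone lines for the example; not real records.
SAMPLE_ZONE = [
    'example.com. 86400 IN CAA 0 issue "ca.example"',
    'example.com. 86400 IN CAA 0 iodef "mailto:security@example.com"',
    'example.net. 3600 IN CAA 128 futuretag "opaque"',
]


def parse_caa_presentation(line):
    """Parse one zone-file CAA line into a dict; raise ValueError if malformed."""
    m = CAA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group("flags"))
    if not 0 <= flags <= 255:
        raise ValueError(f"CAA flags out of range: {flags}")
    return {
        "name": m.group("name"),
        "ttl": int(m.group("ttl")),
        "flags": flags,
        "tag": m.group("tag").lower(),  # tags are matched case-insensitively
        "value": m.group("value"),
    }


def caa_to_wire(flags, tag, value):
    """Encode CAA RDATA per RFC 8659: flags (1 byte), tag length (1 byte), tag, value."""
    tag_bytes = tag.encode("ascii")
    if not 1 <= len(tag_bytes) <= 255:
        raise ValueError("CAA tag must be 1..255 bytes")
    return struct.pack("!BB", flags, len(tag_bytes)) + tag_bytes + value.encode("utf-8")


def caa_from_wire(rdata):
    """Decode CAA RDATA into (flags, tag, value); reject truncated input."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than the two fixed bytes")
    flags, tag_len = struct.unpack("!BB", rdata[:2])
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA tag length inconsistent with RDATA length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def lint_caa_records(lines, max_ttl=MAX_CAA_TTL):
    """Return (owner, message) findings for TTLs that slow propagation of CAA
    changes and for flag/tag combinations that can block issuance."""
    findings = []
    for line in lines:
        rec = parse_caa_presentation(line)
        if rec["ttl"] > max_ttl:
            findings.append((rec["name"],
                f"TTL {rec['ttl']}s exceeds {max_ttl}s; resolvers may serve a stale "
                f"CAA set for up to {rec['ttl']} seconds after a change"))
        if rec["tag"] not in KNOWN_TAGS:
            if rec["flags"] & CAA_FLAG_CRITICAL:
                findings.append((rec["name"],
                    f"unknown critical tag {rec['tag']!r}: a CA that does not understand it must refuse to issue"))
            else:
                findings.append((rec["name"],
                    f"unknown non-critical tag {rec['tag']!r}: CAs that do not understand it will ignore it"))
        if rec["flags"] & ~CAA_FLAG_CRITICAL:
            findings.append((rec["name"], f"reserved flag bits set in flags value {rec['flags']}"))
    return findings


if __name__ == "__main__":
    for owner, msg in lint_caa_records(SAMPLE_ZONE):
        print(f"{owner}: {msg}")
```

Run against a real zone export, the TTL finding is the one that matters for the complaint in this thread: a resolver that cached the old CAA set is entitled to keep it for the full TTL, so lowering the TTL before making a change is what shortens the wait, not flushing one resolver.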

wasie...@iza.org

Oct 10, 2018, 8:43:32 AM
to public-dns-discuss

The German Telekom uses the website https://digwebinterface.com/ to verify CAA records; they only use the default resolver, which is 8.8.4.4. Our certificate requests are always for NOT DNSSEC domains.

The tip with the TTL is really good; sometimes it's the simplest solutions you do not come up with on your own. Thanks.
