The BRs permit CAs to bypass CAA checking for a domain if "the CA or
an Affiliate of the CA is the DNS Operator (as defined in RFC 7719)
of the domain's DNS."
Much like the forbidden "any other method" of domain validation, the DNS
operator exception is perilously under-specified. It doesn't say how
to determine who the DNS operator of a domain is, when to check, or for
how long this information can be cached. Since the source of truth for a
domain's DNS operator is the NS record in the parent zone, I believe the
correct answer is to check at issuance time by doing a recursive lookup
from the root zone until the relevant NS record is found, and caching
for no longer than the NS record's TTL. Unfortunately, resolvers do
not typically provide an implementation of this algorithm, so CAs would
have to implement it themselves. Considering that CAs are not generally
DNS experts and there are several almost-correct-but-subtly-wrong ways
to implement it, I have little faith that CAs will implement this
check correctly. My experience having implemented both a CAA lookup
algorithm and an algorithm to determine a domain's DNS operator is that
it's actually easier to implement CAA, as all the nasty DNS details can
be handled by the resolver. This leads me to conclude that the only CAs
who think they are saving effort by relying on the DNS operator exception
are doing so incorrectly and insecurely.
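As an added illustration (not code from the original post) of the issuance-time check described above, the following Python walks a constructed, in-memory delegation tree from the root with non-recursive queries, treating the parent zone's NS set as the operator and bounding the cache lifetime by that record's TTL; it returns nothing for a nonexistent name. All zone data and server names here are made up.

```python
# Constructed zone data (not real): zone apex -> owner name -> rtype -> (rdata, ttl).
ZONES = {
    ".": {"com.": {"NS": (["a.gtld-servers.net."], 172800)}},
    "com.": {"example.com.": {"NS": (["ns1.cahost.example."], 86400)}},
    "example.com.": {
        # A stale NS set inside the child zone names a different operator; the
        # parent's delegation (above) is the source of truth and must win.
        "example.com.": {"NS": (["ns1.old-operator.example."], 3600)},
        "www.example.com.": {"A": (["192.0.2.10"], 300)},
    },
}

def is_subdomain(name, ancestor):
    return ancestor == "." or name == ancestor or name.endswith("." + ancestor)

def authoritative_query(zone, qname):
    """Simulates a non-recursive query to the servers for `zone`. Returns a
    referral (closest enclosing delegation), an answer (name exists, no
    further delegation below this zone), or NXDOMAIN."""
    cuts = [o for o, rrs in ZONES[zone].items()
            if o != zone and "NS" in rrs and is_subdomain(qname, o)]
    if cuts:
        cut = max(cuts, key=len)               # deepest delegation point
        nsset, ttl = ZONES[zone][cut]["NS"]
        return ("referral", cut, nsset, ttl)
    if any(is_subdomain(o, qname) for o in ZONES[zone]):
        return ("answer", zone, None, None)    # name (or a child of it) exists
    return ("nxdomain", zone, None, None)

def find_dns_operator(qname, query=authoritative_query):
    """Walk delegations from the root. The last referral's NS set, taken from
    the parent zone, identifies the DNS operator; the result may be cached
    for no longer than that referral's TTL. None means the name does not
    exist, so there is no operator to rely on."""
    zone, operator = ".", None
    for _ in range(128):                       # bound the walk against loops
        kind, cut, nsset, ttl = query(zone, qname)
        if kind == "referral":
            operator, zone = (tuple(nsset), ttl), cut
        elif kind == "answer":
            return operator
        else:
            return None
    raise RuntimeError("delegation chain too long")
```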
A manifestation of my concerns is this incident involving Microsoft PKI.
Until last month, Microsoft was not checking CAA, but instead relying on
the DNS operator exception. Despite this, they misissued certificates
for both a nonexistent domain and a domain for which they were not the
DNS operator, demonstrating that they had not correctly implemented
the exception. Although Microsoft is now checking CAA for routine
issuances, they are retaining the DNS operator exception for "one off"
issuances, and the process they intend to use involves manually using
the websites https://dns.google.com/, which is both a forbidden use
of Delegated Third Parties, and probably not correct because these
tools don't allow you to make non-recursive requests directly to
authoritative servers as required by the above algorithm.
Considering the under-specification of the DNS operator exception and
the risk of CAs being enticed by the apparent but false simplicity of
the exception, I think Mozilla should ban the use of the DNS operator
exception just as it banned "any other method" of domain validation.
At the very least, it deserves a mention on the list of Problematic