Date: 2024-10-29
Author: Simon Jackson
Introduction
Last week I spotted something that looked bizarre. I signed up to a public web hosting provider for a customer, and tried to set up the integrated HTTPS layer for the external web-service security... we're talking a layer 7 reverse proxy. The scary thing was the certificate was immediately issued.. "no questions asked".
I thought.. huh, that's weird.
So I raised a support ticket.. then spent the next five emails back/forth explaining that it's not ACME v2 that's being performed.. it's just standard CAA RR and CNAME lookups.
This article explains it all nicely - well, it explains what is supposed to happen.
Background on DNS CAA Records
What are CAA Records? Certification Authority Authorization (CAA) records specify which CAs may issue certificates for a domain, giving the domain holder a configurable safeguard against unauthorised certificate issuance.
Importance of DNS Accuracy: For DNS-based security measures to be effective, DNS responses must accurately reflect the records in the hosted zone. If DNS responses contain records the zone owner never configured, the mechanisms intended to prevent certificate mis-issuance and to maintain trust in domain ownership are undermined.
What's the big issue?
The issue emerged during routine DNS configuration checks for my domain, vcns.tech, hosted on Cloudflare. The objective was to verify that only authorised Certification Authorities (CAs) could issue certificates for the domain, using DNS Certification Authority Authorization (CAA) records.
Step 1: Initial Domain Setup Verification
To begin, I verified the basic DNS configuration by querying the Start of Authority (SOA) and Name Server (NS) records for my blogging domain jacksonfamily.me. Using PowerShell, and this PowerShell module, I executed the following commands to confirm that Cloudflare’s nameservers were indeed those visible in my Cloudflare account portal; they were correct.
Step 2: Query live DNS CAA Records
With the nameservers verified, I proceeded to inspect the CAA records using the command:
Here, I encountered unexpected results. The query returned multiple CAA records for jacksonfamily.me, including entries for CAs such as comodoca.com, digicert.com, pki.goog, and ssl.com. These records indicated that these CAs were permitted to issue certificates for the domain. However, none of these highlighted entries were actually configured in my DNS zone file. This discrepancy raised an immediate red flag, suggesting that the DNS resolver might be returning records that were not defined within my zone.
Step 3: Confirming the Discrepancy with Cloudflare’s DNS Zone
To rule out the possibility of a misconfiguration in the hosted DNS zone, I accessed the Cloudflare DNS dashboard and examined the CAA records directly. As expected, none of the returned entries were present in the Cloudflare DNS zone for the domain jacksonfamily.me. At this point, it became evident that the public-facing DNS resolvers were indeed returning records that did not exist in the configured zone.
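A repeatable form of the Step 2 / Step 3 comparison (and of the CAA semantics described in the background section), added here as an illustration rather than code from the original post: it diffs the CAA set a chosen resolver returns against the set the zone owner configured, and lists which CAs each set actually permits. The live lookup assumes dnspython; the configured zone content ("letsencrypt.org") is a constructed sample because the post does not list the zone's own records, and the resolver answer is constructed from the CAs the post names.

```python
"""Repeatable CAA check: what the zone owner configured vs what a resolver serves."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # 0, or 128 for the "issuer critical" bit
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA domain for issue/issuewild, contact URL for iodef

def parse_caa(line: str) -> CAA:
    """Parse CAA presentation form, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = line.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))

def authorized_issuers(records, wildcard=False):
    """CAs permitted to issue under RFC 8659: 'issuewild' replaces 'issue' for
    wildcard names when present; ';' authorises nobody; None = no restriction."""
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return None
    return {r.value for r in relevant if r.value != ";"}

def caa_drift(configured, observed):
    """(unexpected, missing): records a resolver returns that the zone does not
    define, and zone records the resolver dropped."""
    cfg, obs = set(configured), set(observed)
    return obs - cfg, cfg - obs

def live_caa(name, resolver_ip):
    """Fetch CAA records from one specific resolver (needs network + dnspython)."""
    import dns.resolver  # lazy import: only the live check needs it
    res = dns.resolver.Resolver(configure=False)
    res.nameservers = [resolver_ip]
    return [parse_caa(rr.to_text()) for rr in res.resolve(name, "CAA")]

# Constructed sample zone content (assumed; the post does not list the zone's own CAA).
CONFIGURED = [parse_caa('0 issue "letsencrypt.org"')]
# Constructed sample resolver answer, modelled on the CAs named in the post.
OBSERVED = [parse_caa(f'0 issue "{ca}"') for ca in
            ("letsencrypt.org", "comodoca.com", "digicert.com", "pki.goog", "ssl.com")]

if __name__ == "__main__":
    unexpected, missing = caa_drift(CONFIGURED, OBSERVED)
    for r in sorted(unexpected, key=lambda r: r.value):
        print(f'UNEXPECTED in resolver answer: {r.flags} {r.tag} "{r.value}"')
    print("resolver answer permits:", sorted(authorized_issuers(OBSERVED)))
```

To reproduce the post's check against real answers, call live_caa once against a public recursive resolver and once against one of the zone's authoritative nameservers, and pass the two lists to caa_drift.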
Step 4: Analysis of Potential Causes
This behaviour pointed to a possible issue within Cloudflare’s public DNS resolver system. There could be several real-world causes:
Cached Data Mismatch: The public DNS resolvers might have been serving outdated or cached records, rather than fetching the current records from Cloudflare’s authoritative servers.
Resolver Configuration Anomaly: A misconfiguration within Cloudflare’s resolver infrastructure could be introducing unauthorised CAA records.
Propagation Delay or Data Corruption: There could be a delay in syncing the DNS configuration across Cloudflare’s network, leading to inconsistencies.
Cached Data and/or Propagation Delay are not considered, as those records have been in situ for years. Given I can see and export the hosted zone, the source data is not corrupt; thus we are left with Resolver Configuration Anomaly (aka "a bug").
Conclusion of Initial Investigation
The initial investigation revealed a significant discrepancy between the DNS zone configuration on Cloudflare and the responses returned by the public resolvers. The unauthorised CAA records could expose jacksonfamily.me to security vulnerabilities, as unintended CAs may be allowed to issue certificates. This issue raises questions about the integrity of DNS responses from Cloudflare’s resolvers and necessitates further examination to ensure domain security.
Reporting this issue
After realising I have a 'free account' with Cloudflare, I'm not worthy of submitting support tickets.
I know from my own reading the community cannot resolve this for me.. So I took it upon myself to send an email to their support@cloudflare.com address.
I was gracefully declined. "Your account does not include a paid subscription; therefore you are not entitled to receive direct support via email or tickets".
HELPFUL.
Does anyone know of a way to get their support's attention, without having to pay them £20/m for the privilege of telling them their resolvers are not working properly?