[dns-operations] Private domains, X.509 certificates, and CAA records

Tony Finch dot at dotat.at
Thu Sep 21 17:07:54 UTC 2017

I don't think that the interaction between private domains and X.509
certificates was discussed in the threads earlier this month (and I am not
going to re-read them to check!) but this week I found out about a "fun"
new wrinkle.

Those who are fans of internal fake TLDs should be aware of
https://cabforum.org/internal-names/ which says that since two years ago
you have not been able to get certificates for fake TLDs from public
certificate authorities. This obliges you to run your own CA for internal
use, and set up all client devices to trust your private root cert. This
is going to be a pain proportional to the number of unmanaged and/or BYOD
clients you have on your network.

Where I work our internal domain is private.cam.ac.uk. Originally it
didn't have a delegation in its parent zone, but when we signed cam.ac.uk
eight years ago we needed to add a delegation so that validating resolvers
would not treat private names as bogus. (private.cam.ac.uk remains
unsigned for now.)

Public CAs are happy to issue certificates for nonexistent names within
properly registered domains, and until this month they have been happy to
issue certs for subdomains they could not resolve. However this changed on
the 8th September when it became mandatory for CAs to check CAA DNS
records. The effect is that while you can still get a certificate for an
NXDOMAIN name, you can't get one if your server REFUSED the CA's CAA

At least, that is how our CA has implemented RFC 6844, so I have to
reconfigure the way private.cam.ac.uk works. I'm setting up split views
(which we have so far avoided) with the public view containing an empty
version of private.cam.ac.uk.

RFC 1918 and split view DNS are both ugly ideas, but it seems you can't
have one without the other...

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
West Fair Isle, Faeroes: Variable 4, becoming southeasterly 5 or 6. Moderate
occasionally rough. Showers. Good.
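As an added illustration, not part of the original post or of any CA's code, here is a small Python sketch of the RFC 6844 "climb the tree" CAA lookup run against a constructed in-memory resolver. The names (example.test, private.example.test), the CA identifier "example-ca" and the zone contents are all made up; CNAME/DNAME handling is omitted, and any lookup error (REFUSED here, which stands in for SERVFAIL and timeouts) is treated as "do not issue", which is the behaviour the post attributes to its CA. The three scenarios modelled are the ones the post describes: a REFUSED answer from a private subdomain, an NXDOMAIN name inside a registered domain, and the split-view fix where the public view serves an empty copy of the private zone.

```python
"""RFC 6844 CAA tree-climb against a constructed in-memory resolver.

Everything here is illustrative: zone data, names and CA id are made up.
"""
from dataclasses import dataclass, field

NOERROR, NXDOMAIN, REFUSED = "NOERROR", "NXDOMAIN", "REFUSED"


@dataclass
class Answer:
    rcode: str
    caa: list = field(default_factory=list)  # list of (flags, tag, value)


class FakeResolver:
    """Answers CAA queries from a dict of owner name -> CAA records.

    Names under a 'refused' suffix get RCODE REFUSED, modelling an internal
    nameserver that will not answer a public CA's resolver. Unknown names
    get NXDOMAIN unless something exists below them (then NOERROR/NODATA).
    """

    def __init__(self, zones, refused_suffixes=()):
        self.zones = {k.rstrip(".").lower(): v for k, v in zones.items()}
        self.refused = tuple(s.rstrip(".").lower() for s in refused_suffixes)

    def query_caa(self, name):
        name = name.rstrip(".").lower()
        if any(name == s or name.endswith("." + s) for s in self.refused):
            return Answer(REFUSED)
        if name in self.zones:
            return Answer(NOERROR, list(self.zones[name]))
        if any(n.endswith("." + name) for n in self.zones):
            return Answer(NOERROR, [])  # NODATA: name exists, no CAA
        return Answer(NXDOMAIN)


def relevant_caa_set(resolver, name):
    """Return (status, owner, records) following RFC 6844 section 4.

    status: 'found' (this CAA set governs issuance), 'none' (no CAA anywhere
    up to the root, any CA may issue) or 'error' (a lookup failed; the CA in
    the post refuses to issue in that case). CNAME/DNAME steps are omitted.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        ans = resolver.query_caa(candidate)
        if ans.rcode == REFUSED:
            return ("error", candidate, [])
        if ans.rcode == NOERROR and ans.caa:
            return ("found", candidate, ans.caa)
        # NXDOMAIN or NODATA: keep climbing towards the root
    return ("none", "", [])


def may_issue(resolver, name, ca_id):
    """Decide whether CA `ca_id` may issue for `name` (non-wildcard only)."""
    status, _owner, records = relevant_caa_set(resolver, name)
    if status == "error":
        return False
    if status == "none":
        return True
    issue = [v for _flags, tag, v in records if tag == "issue"]
    if not issue:
        return True  # no 'issue' property: issuance not restricted
    # 'issue' value is "<ca-domain>[; params]"; a bare ";" forbids everyone
    return any(v.split(";")[0].strip() == ca_id for v in issue)


# Constructed public DNS data: example.test restricts issuance to example-ca;
# private.example.test is the empty public-view copy of the private zone.
ZONES = {
    "example.test": [(0, "issue", "example-ca")],
    "private.example.test": [],
}

# Before the split view: the private zone's servers REFUSE the CA's queries.
BEFORE = FakeResolver(ZONES, refused_suffixes=["private.example.test"])
# After the split view: the public view answers with an empty zone.
AFTER = FakeResolver(ZONES)


def demo():
    """Run the three scenarios from the post and return the decisions."""
    return {
        "refused_private_name": may_issue(BEFORE, "www.private.example.test", "example-ca"),
        "nxdomain_in_registered_domain": may_issue(AFTER, "nothere.example.test", "example-ca"),
        "split_view_private_name": may_issue(AFTER, "www.private.example.test", "example-ca"),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {'issue' if decision else 'refuse'}")
```

The point the sketch makes concrete is the asymmetry in the post: NXDOMAIN and NODATA answers simply move the search one label up, so a nonexistent name under a registered domain still reaches the parent's CAA set, whereas a REFUSED (or otherwise failed) lookup stops the search and the CA declines. Publishing an empty public copy of the private zone turns the failure into an ordinary NXDOMAIN, which is all the fix needs to do.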
