Buypass: Using an external DNS Resolver for DNS lookups
Buypass issued TLS certificates whose domain validation relied on DNS lookups performed by external (non-Buypass) DNS resolvers. Under the Baseline Requirements a CA may not delegate domain validation to a Delegated Third Party (DTP), and an external resolver answering the DNS queries on which validation depends is such a delegation, so the issuances were non-compliant. Approximately 177,060 active certificates were affected. Upon discovering the issue, Buypass stopped certificate issuance, switched to internal DNS resolvers under its own control, and began notifying affected subscribers. The root cause was a misunderstanding of the DTP requirements, which had led to the use of external DNS resolvers since 2017. Buypass has since engaged with the CA/Browser Forum to clarify these requirements and updated its internal policies to prevent a recurrence.
- Buypass ACME in production using external DNS resolvers.
- Buypass became aware that using external DNS resolvers is considered a DTP.
- Buypass notified subscribers and resumed certificate issuance using internal DNS resolvers.
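The practical lesson of this incident is that a validation host's resolver configuration is part of the CA's domain-validation control and must be checked, not assumed. The following is an added example, not code from Buypass or from the incident report: a small stdlib-only audit that parses a resolv.conf-style file and flags any nameserver outside an allowlist of CA-controlled networks. The sample configuration, the network ranges `10.20.0.0/24` and `fd00:ca::/64`, and the hostname `ca.example` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the resolver configuration of a validation worker that
# mixes one CA-controlled resolver with two public resolvers. This is the
# kind of setting the audit must reject.
SAMPLE_RESOLV_CONF = """\
# /etc/resolv.conf on a validation worker (constructed example)
search ca.example
nameserver 10.20.0.53
nameserver 8.8.8.8
nameserver 2606:4700:4700::1111
options timeout:2 attempts:2
"""

# Assumed networks on which the CA operates its own recursive resolvers.
# Replace with the CA's real resolver ranges; nothing else is acceptable
# for lookups that feed domain validation.
CA_CONTROLLED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.20.0.0/24", "fd00:ca::/64")
]


@dataclass
class ResolverAudit:
    compliant: bool
    approved: list = field(default_factory=list)   # CA-controlled resolvers
    external: list = field(default_factory=list)   # resolvers outside the allowlist
    errors: list = field(default_factory=list)     # config problems found


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text.

    Comments (# or ;) and unrelated directives (search, options, ...) are
    ignored. Every nameserver line is returned, even though glibc only
    consults the first three (MAXNS): an external resolver that is
    currently ignored still becomes active if an earlier one is removed.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def audit_resolvers(text, allowed=CA_CONTROLLED_NETWORKS):
    """Classify every configured resolver as CA-controlled or external.

    The result is compliant only if at least one nameserver is configured
    and every configured nameserver lies inside an allowed network. An
    empty configuration is treated as a failure rather than trusting the
    libc fallback behaviour.
    """
    result = ResolverAudit(compliant=True)
    servers = parse_nameservers(text)
    if not servers:
        result.errors.append("no nameserver configured; libc fallback would be used")
        result.compliant = False
        return result
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            result.errors.append(f"unparseable nameserver {server!r}")
            result.compliant = False
            continue
        # ip_address in ip_network is False across address families, so a
        # v6 resolver is never matched against a v4 allowlist entry.
        if any(addr in net for net in allowed):
            result.approved.append(server)
        else:
            result.external.append(server)
            result.compliant = False
    return result


if __name__ == "__main__":
    report = audit_resolvers(SAMPLE_RESOLV_CONF)
    print("compliant:", report.compliant)
    print("approved: ", report.approved)
    print("external: ", report.external)
    print("errors:   ", report.errors)
```

Run against the constructed sample, the audit reports the host as non-compliant with `8.8.8.8` and `2606:4700:4700::1111` listed as external; only `10.20.0.53` is accepted. A check like this belongs in the validation system's pre-issuance health check or configuration management, so that a resolver change on a single host cannot silently reintroduce the delegation the incident describes.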