Bugzilla #1904749
Certificate Problem Report
GoDaddy : CAA checks passed when records contained incorrect variants of godaddy.com or starfieldtech.com
RESOLVED
FIXED
GoDaddy
AI Summary
GoDaddy identified a software bug in its CAA checking process that allowed certificate issuance when CAA records contained incorrect variants of 'godaddy.com' or 'starfieldtech.com'. This non-conformance with RFC 8659 violated the Baseline Requirements for certificate issuance. The issue was reported on June 23, 2024, and a fix was deployed on June 26, 2024. GoDaddy subsequently revoked 168 active certificates that were affected by this issue. A full incident report was promised by July 5, 2024.
Chronology
- GoDaddy received a certificate problem report regarding CAA checks.
- GoDaddy deployed a fix for the identified bug.
- GoDaddy revoked 168 active certificates affected by the issue.
- GoDaddy promised to publish a full incident report.
Participants
star@godaddy.com
pouyan.tehrani@tu-dresden.de
rdaurne77@gmail.com
bwilson@mozilla.com
Similar Local Cases
GoDaddy : CAA checks did not properly handle issuewild tag allowing FQDN SANs to be added to wildcard certs
GoDaddy: Intermittent unauthorized OCSP response when certificate is freshly issued
GoDaddy: Domain Validation Reuse Issue
GoDaddy: CRL Issuer Mismatch
Entrust: Jurisdiction issue in some EV TLS & Code Signing certificates
GoDaddy: Does not provide a method for domain owners to revoke their certificates
ACCV: Delayed revocation of TLS certificates affected by bug #1884532
Microsoft PKI Services: Failure to Update Full Incident Report within 14 days of discovering new root cause