Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: Entrust resolving to CNAME that is an invalid CDN host SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Entrust resolving to CNAME that is an invalid CDN host
For a two hour window yesterday we saw "ocsp.entrust.net" resolving to a CNAME of "ocsp.entrust.net.edgagekey.net" rather than the usual "ocsp.entrust.net.edgekey.net". Did anyone else see this?

Fortunately "edgagekey.net" is not a registered domain so these didn't go anywhere. These affected devices were Apple devices attempting to validate various hosts under "push.apple.com".

Since Entrust is a certificate authority for Apple, and Apple doesn't appear to have a CAA record, could an attacker have noticed what I presume is a misconfiguration by Entrust or Akamai, registered the edgagekey.net domain, and with some DNS poisoning have delivered signed but fraudulent Apple content?

In general, if a CA is delivering OCSP certificate status through a CDN, does that mean they are storing at least an intermediate private key on CDN servers?
jauntysankey

5 Posts

Sign Up for Free or Log In to start participating in the conversation!