
SANS ISC: Entrust resolving to CNAME that is an invalid CDN host - SANS Internet Storm Center SANS ISC InfoSec Forums

Entrust resolving to CNAME that is an invalid CDN host
For a two-hour window yesterday we saw "" resolving to a CNAME of "" rather than the usual "". Did anyone else see this?

Fortunately "" is not a registered domain so these didn't go anywhere. These affected devices were Apple devices attempting to validate various hosts under "".

Since Entrust is a certificate authority for Apple, and Apple doesn't appear to have a CAA record, could an attacker have noticed what I presume is a misconfiguration by Entrust or Akamai, registered the domain, and with some DNS poisoning have delivered signed but fraudulent Apple content?

In general, if a CA is delivering OCSP certificate status through a CDN, does that mean they are storing at least an intermediate private key on CDN servers?
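One way to catch the situation described in the post on the monitoring side is to audit observed CNAME answers for a CA's OCSP hostname against a known-good allow-list and flag targets whose registrable domain does not exist (a dangling CNAME that anyone could register). The following is an added example, not code from the original post or from Entrust, Akamai or SANS; the hostnames, log lines and the registered-domain set are constructed placeholders, since the original names were not preserved on the page.

```python
"""Audit passive-DNS style CNAME observations for an OCSP responder hostname."""
import re

# Hypothetical monitored hostname and its known-good CNAME target(s).
EXPECTED_CNAMES = {
    "ocsp.ca.example": {"ocsp.ca.example.cdn-provider.example."},
}

# Constructed log lines in the form "<timestamp> <qname> CNAME <target>".
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ocsp.ca.example CNAME ocsp.ca.example.cdn-provider.example.
2024-01-01T10:05:12Z ocsp.ca.example CNAME ocsp.ca.example.wrong-cdn.example.
2024-01-01T12:30:00Z ocsp.ca.example CNAME ocsp.ca.example.cdn-provider.example.
"""

# Constructed stand-in for "is this registrable domain actually registered?";
# a real deployment would ask the resolver or a registration-data (RDAP) source.
REGISTERED_DOMAINS = {"cdn-provider.example"}

LOG_RE = re.compile(r"^(\S+) (\S+) CNAME (\S+)$")


def registrable_domain(name: str) -> str:
    """Naive registrable domain: last two labels. Real code should use the
    Public Suffix List, since e.g. 'example.co.uk' has three labels."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_cname_log(log: str, expected=EXPECTED_CNAMES,
                    registered=REGISTERED_DOMAINS):
    """Return one finding per CNAME answer that is not on the allow-list.
    'dangling' is True when the target's registrable domain is not registered,
    i.e. the target could be claimed by a third party."""
    findings = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # ignore lines that are not CNAME records
        ts, qname, target = m.groups()
        if qname not in expected or target in expected[qname]:
            continue                      # not monitored, or a known-good target
        findings.append({
            "ts": ts,
            "qname": qname,
            "target": target,
            "dangling": registrable_domain(target) not in registered,
        })
    return findings
```

A dangling finding is the higher-severity case: an unexpected but registered target may be a legitimate CDN change, whereas an unregistered one is a hijack opportunity and should trigger an immediate check with the CA.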
