SANS ISC InfoSec Forums
Entrust resolving to CNAME that is an invalid CDN host
For a two hour window yesterday we saw "ocsp.entrust.net" resolving to a CNAME of "ocsp.entrust.net.edgagekey.net" rather than the usual "ocsp.entrust.net.edgekey.net". Did anyone else see this?

Fortunately "edgagekey.net" is not a registered domain, so these didn't go anywhere. The affected devices were Apple devices attempting to validate various hosts under "push.apple.com".

Since Entrust is a certificate authority for Apple, and Apple doesn't appear to have a CAA record, could an attacker have noticed what I presume is a misconfiguration by Entrust or Akamai, registered the edgagekey.net domain, and with some DNS poisoning have delivered signed but fraudulent Apple content?

In general, if a CA is delivering OCSP certificate status through a CDN, does that mean they are storing at least an intermediate private key on CDN servers?
jauntysankey
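The two things the post worries about, a CNAME that lands in a look-alike CDN domain and a target name with no CAA record, can both be checked offline from resolver logs and CAA RRsets. The following is an added example, not code from the ISC post or from Entrust, Akamai or Apple. The CDN allow-list (`ALLOWED_CDN_APEX`), the observed CNAME pairs, the edit-distance threshold, the name `ocsp.example-ca.test` and the simplified CAA interpretation are all assumptions made for illustration; nothing here sends a DNS query.

```python
# Added example, not code from the ISC post or from Entrust/Akamai/Apple.
# (1) classify a CNAME target whose registrable domain is not allow-listed but
#     sits within a couple of edits of an allow-listed CDN apex ("edgagekey.net"
#     versus "edgekey.net"), and (2) decide whether a CAA RRset lets a CA issue.
# Allow-list, observations and thresholds are assumptions for illustration.
from typing import Iterable, List, NamedTuple, Set, Tuple

# Assumption: CDN apex domains a CA might legitimately CNAME its OCSP host into.
ALLOWED_CDN_APEX: Set[str] = {"edgekey.net", "akamaiedge.net", "akamai.net"}

# Constructed observations (qname, CNAME target); not real resolver output.
OBSERVED_CNAMES: List[Tuple[str, str]] = [
    ("ocsp.entrust.net", "ocsp.entrust.net.edgekey.net"),
    ("ocsp.entrust.net", "ocsp.entrust.net.edgagekey.net"),           # the anomaly
    ("ocsp.example-ca.test", "ocsp.example-ca.test.cloudfront.net"),  # not allow-listed
]


class Finding(NamedTuple):
    qname: str
    target: str
    apex: str       # registrable part of the CNAME target
    verdict: str    # "ok", "lookalike" or "unknown"
    nearest: str    # closest allow-listed apex
    distance: int   # edit distance from apex to nearest


def registrable_apex(name: str) -> str:
    """Last two labels of a name. Assumption: no Public Suffix List is consulted,
    so this is wrong for multi-label suffixes such as co.uk."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_cname(qname: str, target: str,
                   allowed: Set[str] = ALLOWED_CDN_APEX, max_dist: int = 2) -> Finding:
    """Flag a target whose apex is not allow-listed but is within max_dist edits
    of an allow-listed apex: a likely typo, and a registrable typosquat."""
    apex = registrable_apex(target)
    if apex in allowed:
        return Finding(qname, target, apex, "ok", apex, 0)
    nearest = min(sorted(allowed), key=lambda s: levenshtein(apex, s))
    dist = levenshtein(apex, nearest)
    verdict = "lookalike" if dist <= max_dist else "unknown"
    return Finding(qname, target, apex, verdict, nearest, dist)


def audit(observations: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Return every observation that did not resolve into an allow-listed CDN."""
    return [f for f in (classify_cname(q, t) for q, t in observations) if f.verdict != "ok"]


def caa_permits(caa_records: List[Tuple[int, str, str]], ca_identifier: str) -> bool:
    """Interpret one name's CAA RRset given as (flags, tag, value) tuples.
    An empty set means any CA may issue (RFC 8659). Simplification: only the
    'issue' tag is considered; issuewild and parameters after ';' are ignored."""
    issue_values = [v for _, tag, v in caa_records if tag.lower() == "issue"]
    if not issue_values:
        return True
    return any(v.split(";")[0].strip().lower() == ca_identifier.lower()
               for v in issue_values)


if __name__ == "__main__":
    for f in audit(OBSERVED_CNAMES):
        print(f"{f.qname} -> {f.target}: {f.verdict} "
              f"(nearest {f.nearest}, distance {f.distance})")
    print("no CAA, entrust.net may issue:", caa_permits([], "entrust.net"))
    print("CAA issue digicert.com, entrust.net may issue:",
          caa_permits([(0, "issue", "digicert.com")], "entrust.net"))
```

To use this against real data, feed `audit()` the (qname, target) pairs pulled from passive DNS or resolver logs for the OCSP and CRL hosts of the CAs you trust. A "lookalike" verdict on an unregistered apex is exactly the window the post describes: worth registering defensively or at least alerting on. Note that `caa_permits()` judges a single RRset; a real check must walk up the parent names as RFC 8659 specifies, since the absence of a record at the exact name does not by itself mean no CAA policy applies.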
