5.5. Denial of Service

Introduction of a malformed or malicious CAA RR could, in theory, enable a Denial-of-Service (DoS) attack. This could happen by modification of authoritative DNS records or by spoofing in-flight DNS responses.

This specific threat is not considered to add significantly to the risk of running an insecure DNS service.

An attacker could, in principle, perform a DoS attack against an Issuer by requesting a certificate with a maliciously long DNS name. In practice, the DNS protocol imposes a maximum name length (255 octets on the wire, with labels of at most 63 octets, per RFC 1035), and CAA processing does not exacerbate the existing need to mitigate DoS attacks to any meaningful degree.