2017-09-27 - News - Tony Finch
Since private.cam.ac.uk was set up in 2002, our DNS servers have returned a REFUSED error to queries for private zones from outside the CUDN. Hiding private zones from the public Internet is necessary to avoid a number of security problems.
In March the CA/Browser Forum decided that after the 8th September 2017, certificate authorities must check CAA DNS records before issuing certificates. CAA records specify restrictions on which certificate authorities are permitted to issue certificates for a particular domain.
However, because names under private.cam.ac.uk cannot be resolved on the public Internet outside the CUDN, certificate authorities became unable to successfully complete CAA checks for private.cam.ac.uk. The CAA specification RFC 6844 implies that a CA should refuse to issue certificates in this situation.
In order to fix this we have introduced a split view for private.cam.ac.uk.
There are now two different versions of the private.cam.ac.uk zone: a fully-populated internal version, same as before; and a completely empty external version.
With the split view, our authoritative servers will give different answers to different clients: devices on the CUDN will get full answers from the internal version of private.cam.ac.uk, and devices on the public Internet will get negative empty answers (instead of an error) from the external version.
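To illustrate why an empty answer fixes the CAA check where REFUSED did not, here is an added example (not UIS code) that models the RFC 6844 lookup climb against a constructed stub resolver: the CAA record on cam.ac.uk, the CA name example-ca.test and the host name are all made up for the demonstration.

```python
"""RFC 6844 CAA climb simulated against a constructed stub resolver."""
from dataclasses import dataclass
from enum import Enum


class Rcode(Enum):
    NOERROR = 0   # answer section may be empty (NODATA)
    NXDOMAIN = 3  # name does not exist: also "no CAA here"
    REFUSED = 5   # server declined to answer: a lookup failure


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


class CAALookupError(Exception):
    """A lookup failed; RFC 6844 says the CA should not issue."""


# Constructed public zone data: name -> (rcode, CAA records).
PUBLIC_ZONES = {
    "cam.ac.uk": (Rcode.NOERROR, [CAARecord(0, "issue", "example-ca.test")]),
    "ac.uk": (Rcode.NOERROR, []),
    "uk": (Rcode.NOERROR, []),
}


def external_lookup(name, split_view):
    """What a CA's resolver outside the CUDN sees (constructed model)."""
    if name in PUBLIC_ZONES:
        return PUBLIC_ZONES[name]
    if name == "private.cam.ac.uk" or name.endswith(".private.cam.ac.uk"):
        # Before the change: REFUSED. After: empty answer from the empty view.
        return (Rcode.NOERROR, []) if split_view else (Rcode.REFUSED, [])
    return (Rcode.NXDOMAIN, [])


def relevant_caa_set(name, lookup):
    """Climb towards the root until a non-empty CAA RRset is found."""
    while name:
        rcode, records = lookup(name)
        if rcode is Rcode.REFUSED:
            raise CAALookupError(f"CAA lookup for {name} was REFUSED")
        if records:
            return name, records
        name = name.partition(".")[2]  # parent domain, or "" at the top
    return None, []


def may_issue(fqdn, ca_domain, lookup):
    """True only if the CA is allowed by the relevant CAA set (or none exists)."""
    try:
        _, rrset = relevant_caa_set(fqdn, lookup)
    except CAALookupError:
        return False
    allowed = [r.value for r in rrset if r.tag == "issue"]
    return not allowed or ca_domain in allowed
```

With REFUSED the climb never reaches cam.ac.uk, so the CA must refuse; with the empty external view the climb continues up to cam.ac.uk, where the CAA record decides.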
There is no change to the "stealth secondary" arrangements for replicating the private.cam.ac.uk zone to other DNS servers on the CUDN.
The authoritative server list for private.cam.ac.uk has been pruned to include just the UIS authdns servers which have the split view configuration. Our thanks to the Computer Lab and the Engineering Department for providing authoritative service until this change.