3

What I mean by "route change":

As a working example, mysite.example.net is set up as:

mysite.example.net.            3600    IN      CNAME   some-other-site.elsewhere.com.
some-other-site.elsewhere.com. 580     IN      A       22.33.11.0

mysite.example.net is then changed to:

mysite.example.net.            3600    IN      CNAME   newsite.differentplace.com.
newsite.differentplace.com.    3600    IN      CNAME   some-other-site.elsewhere.com.
some-other-site.elsewhere.com. 580     IN      A       22.33.11.0

(setting aside the not-best-practice of pointing a CNAME to a CNAME,) The "route" has changed from 2 look-ups to 3.

I am also asking if any number of steps or any kind of change "in the middle" or toward the side of the IP address along the look-up "route" would have any impact on the certificate being verified.

My understanding from the following snip from this question is that as long as all the look-ups originate from the "correct" place (i.e. the CN of the cert matches the first DNS URL queried), there should be no impact on the verification of the certificate. Any number of changes to the look-up chain and any kind of change should not impact the final result of the certificate being valid/verified.

But a CA can make me trust any server they want!

Yes, and that is where the trust comes in. You have to trust the CA not to make certificates as they please. When organisations like Microsoft, Apple and Mozilla trust a CA though, the CA must have audits; another organisation checks on them periodically to make sure everything is still running according to the rules.

Issuing a certificate is done if, and only if, the registrant can prove they own the domain that the certificate is issued for.

Am I right?

Please don't limit your answers, but specifically, would any other certificates along the way get entangled in the original lookup? (e.g. say newsite.differentplace.com has it's own certificate, would that be used in validation instead of the certificate for mysite.example.net?)

Watki02
  • 153
  • 1
  • 6

1 Answers1

5

Changes to DNS aliases (CNAME) or IP addresses do not matter at all to certificate validation. All what matters is that the hostname as seen by the client (for example the name in the URL) matches the subject(s) of the certificate. This name will not change on any changes to the DNS.

Often a DNS CNAME gets confused with a HTTP redirect. In the case of CNAME the name stays the same and thus the CNAME is irrelevant for validating the certificate. In the case of a HTTP redirect the name might change and this is also reflected by the change of the URL as seen in the browser.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434