Split views for private.cam.ac.uk

2017-09-27 - News - Tony Finch

Since private.cam.ac.uk was set up in 2002, our DNS servers have returned a REFUSED error to queries for private zones from outside the CUDN. Hiding private zones from the public Internet is necessary to avoid a number of security problems.

In March the CA/Browser Forum decided that after the 8th September 2017, certificate authorities must check CAA DNS records before issuing certificates. CAA records specify restrictions on which certificate authorities are permitted to issue certificates for a particular domain.

However, because names under private.cam.ac.uk cannot be resolved on the public Internet outside the CUDN, certificate authorities became unable to successfully complete CAA checks for private.cam.ac.uk. The CAA specification RFC 6844 implies that a CA should refuse to issue certificates in this situation.

In order to fix this we have introduced a split view for private.cam.ac.uk.

There are now two different versions of the private.cam.ac.uk zone: a fully-populated internal version, same as before; and a completely empty external version.

With the split view, our authoritative servers will give different answers to different clients: devices on the CUDN will get full answers from the internal version of private.cam.ac.uk, and devices on the public Internet will get negative empty answers (instead of an error) from the external version.

There is no change to the "stealth secondary" arrangements for replicating the private.cam.ac.uk zone to other DNS servers on the CUDN.
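As an added illustration of the split-view arrangement described above (this is not the UIS configuration; the address prefixes, file paths and server names are placeholders), here is a minimal BIND 9 named.conf with two views: clients matching the CUDN ACL get the fully-populated zone, everyone else gets a copy of the zone containing only its SOA and NS records, so a lookup for a name under private.cam.ac.uk returns a negative answer instead of REFUSED.

```conf
// Added example, not the UIS configuration: the addresses, paths and
// hostnames below are placeholders for the real CUDN prefixes and servers.
acl "cudn" {
    192.0.2.0/24;        // placeholder for the CUDN IPv4 prefixes
    2001:db8::/32;       // placeholder for the CUDN IPv6 prefixes
    localhost;
};

// Views are matched in order, so CUDN clients hit this one first and
// see the fully-populated internal version of the zone.
view "internal" {
    match-clients { "cudn"; };
    recursion no;
    zone "private.cam.ac.uk" {
        type master;
        file "zones/private.cam.ac.uk.internal";
        // Stealth secondaries on the CUDN can still replicate the full zone.
        allow-transfer { "cudn"; };
    };
};

// Everyone else falls through to the external view. The zone file here
// holds only the apex records, so a query for a name under the zone gets
// an NXDOMAIN negative answer rather than REFUSED, and a CA's CAA lookup
// can complete.
view "external" {
    match-clients { any; };
    recursion no;
    zone "private.cam.ac.uk" {
        type master;
        file "zones/private.cam.ac.uk.external";
        allow-transfer { none; };
    };
};

// zones/private.cam.ac.uk.external contains just the apex (placeholder
// names and serial):
//   $TTL 3600
//   @  IN SOA authdns0.example. hostmaster.example. 2017092701 3600 900 604800 3600
//   @  IN NS  authdns0.example.
```

To confirm the behaviour, from outside the CUDN `dig +norec @<authdns> host.private.cam.ac.uk CAA` should return status NXDOMAIN (NOERROR with an empty answer for the apex itself) instead of REFUSED, while the same query from a CUDN address returns the real records.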

The authoritative server list for private.cam.ac.uk has been pruned to include just the UIS authdns servers which have the split view configuration. Our thanks to the Computer Lab and the Engineering Department for providing authoritative service until this change.