Skip to main content
KBY Technologies Logo
cd ../incident-runbooks
sys/runbooks/dns-wildcard-records-domain-com-combined-with-subdomain-delegation-causing-unintended-certificate-issuance-via-acme.md
DNS & Certificate Lifecycle Securitycritical severity

DNS wildcard records (*.domain.com) combined with subdomain delegation causing unintended certificate issuance via ACME

Severity
critical
Reviewed
19 Jul 2026
Target time
~15 minutes

01 Incident diagnostics

The Symptom
Certificate Transparency monitoring or an internal audit surfaces a valid certificate for a subdomain (e.g. dev.domain.com) issued by an unrecognised ACME account, while that hostname continues to resolve via the parent zone's *.domain.com A/ALIAS record to live application infrastructure, with no corresponding entry in the certificate management inventory.
Detection
Run dig +noall +answer NS dev.domain.com @8.8.8.8 to confirm the subdomain is delegated to a separate authoritative nameserver, then dig +short CAA domain.com and dig +short CAA dev.domain.com to compare policy scope. Query curl -s "https://crt.sh/?q=dev.domain.com&output=json" | jq '.[].issuer_name' for issuance events outside your known ACME account URIs.
Root Cause
RFC 8659 CAA tree-climbing requires resolvers to walk from the requested name up to the zone apex, but many ACME CA implementations stop the walk at a delegation boundary (zone cut) rather than continuing past it to evaluate the parent's CAA record. When a subdomain is NS-delegated to a separate provider — often a decommissioned SaaS vendor or contractor zone left in place after the engagement ended — that delegated zone has no CAA record of its own, so no issuance policy is ever evaluated. Anyone who still controls that delegated nameserver can publish a _acme-challenge TXT record and pass dns-01 validation, and because the parent's wildcard *.domain.com record already resolves that same hostname to shared production infrastructure, the resulting certificate is immediately usable against live traffic.
Prevention
Mandate CAA records on every delegated zone cut, not just the apex, and lock the accounturi/validationmethods parameters to your CA account. Run a quarterly delegation audit comparing Route53/DNS-provider NS records against an approved-vendor register, tearing down any NS delegation with no active owner. Feed crt.sh or a CT-monitoring API (e.g. Facebook CT API) into an alerting pipeline keyed on unrecognised issuer_name or accounturi for every domain covered by a wildcard record.
Blast Radius
  • Any hostname matched by the wildcard record and routed to shared load balancers, CDN edges, or ingress controllers becomes impersonable with a trusted third-party certificate
  • TLS termination points relying on SNI matching cannot distinguish the rogue certificate from a legitimate one, enabling silent MITM on internal or partner-facing traffic
  • Certificate Transparency log noise obscures genuine issuance events, delaying detection of further abuse
  • Any subdomain previously handed to a vendor, contractor, or decommissioned project and left delegated inherits the same exposure without new configuration changes
  • Automated renewal pipelines relying on domain-wide CAA enforcement silently fail to block the unauthorised issuer
03

Apply the intervention

Before you execute

Confirm the incident scope, obtain approved privileged access, and capture the current configuration before applying changes.

Potentially destructive change. Confirm scope, backup and rollback access before copying these commands.

Fix commands and configuration

1. Enumerate every delegated subzone: dig +noall +answer NS dev.domain.com @8.8.8.8 2. Confirm CAA gap: dig +short CAA dev.domain.com (empty result confirms no local policy) 3. Retire stale delegation if the vendor/contractor zone is no longer required: aws route53 change-resource-record-sets --hosted-zone-id Z123EXAMPLE --change-batch file://remove-ns.json 4. If delegation must remain, push a matching CAA record into the delegated zone restricting issuance to your account: aws route53 change-resource-record-sets --hosted-zone-id Z456DELEG --change-batch '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"dev.domain.com","Type":"CAA","TTL":300,"ResourceRecords":[{"Value":"0 issue "letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/12345""}]}}]}' 5. Revoke the unauthorised certificate: certbot revoke --cert-path /etc/letsencrypt/live/dev.domain.com/cert.pem --delete-after-revoke --reason keyCompromise 6. Confirm CT logs stop showing new issuance: curl -s "https://crt.sh/?q=dev.domain.com&output=json" | jq '.[] | select(.not_before > "2024-01-01")'
04

Verify, roll back or escalate

Verify recovery

Repeat the detection checks after the intervention and confirm that the original symptom no longer occurs.

Rollback

Stop if impact increases. Restore the captured pre-change configuration or approved backup, then reassess before retrying.

Escalate when

Escalate to the platform owner or security incident lead when recovery is unavailable, scope is uncertain, or privileged access cannot be verified.

After recovery

Prevent recurrence and continue investigating

Related material stays below the operational procedure so it cannot distract from containment and recovery.