Burp Suite User Forum


Burp Collaborator built-in DNS server responds with NOTIMP to CAA requests

Nicolas | Last updated: Jan 28, 2019 11:02PM UTC

Hello! (tested on v.1.7.37) During renewal of wildcard certificates from Let's Encrypt, there are two DNS-related events: the validation of the ACME challenge (synchronous) and the validation of CAA entries (asynchronous). Burp Collaborator currently supports none of them.

Validating the ACME challenge over DNS is doable: temporarily redirecting DNS traffic to another DNS server (dnsmasq, DNSchef, ...) capable of handling TXT records is enough. Adding the correct challenge to the server config is done via a certbot hook (certbot being the official Let's Encrypt client) when renewal happens. Not super elegant (Collaborator DNS traffic is hijacked for a few seconds) but it works...

For CAA entries, the situation is worse because they may be checked _hours_ after the DNS validation. As said in https://community.letsencrypt.org/t/caa-record-checked-after-dns-challenge-completed/53653/10, "[Let's Encrypt is] required by the baseline requirements & RFC 6844 to check CAA within 8 hours of issuance". So a temporary hijack of DNS traffic will not work :-/

Everything would however go smoothly if the built-in Collaborator DNS server simply replied with an empty "NOERROR" message for CAA requests (see https://letsencrypt.org/docs/caa/#caa-errors). But the current behavior is to reply with "NOTIMP", which is considered by some people as being in violation of RFCs (cf. previous link). My understanding, supported by paragraphs 2.1.1 and 2.1.3 of ftp://ftp.isi.edu/internet-drafts/draft-ietf-dnsop-no-response-issue-04.txt , is that status code "NOTIMP" MUST be used for unknown _opcodes_, but not for unknown _qtypes_. Requests for unknown qtypes MUST be answered with an empty response and status "NOERROR", as already done by Collaborator for TXT records.
My current best setup for fully automatic renewal of Let's Encrypt wildcard certificates with Burp Collaborator requires sending all the DNS traffic to another service (in my case DNSchef), which only answers TXT (for ACME challenges) and CAA requests and proxies everything else to Collaborator. But there's a downside: Collaborator doesn't see the real source IP of DNS interactions anymore :-/ My short-term need? Collaborator answering CAA requests with NOERROR! A long-term feature request? Complete support of certificate renewal inside Collaborator, for example by reading the ACME challenge from the file system. Thanks in advance, Nico
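The NOTIMP-versus-NOERROR distinction discussed in the post, as an added example (hypothetical responder logic written for this thread, not Collaborator's or PortSwigger's code): it builds raw DNS messages with the standard library only, answers TXT queries it knows, and returns an empty NOERROR for any other qtype such as CAA, reserving NOTIMP for unknown opcodes. Names and the TXT value are constructed sample data.

```python
import struct

NOERROR, NOTIMP = 0, 4          # DNS RCODEs
QTYPE_TXT, QTYPE_CAA = 16, 257  # RR type codes

def build_query(name, qtype, txid=0x1234, opcode=0):
    """Build a minimal single-question DNS query (constructed, not a real capture)."""
    header = struct.pack(">HHHHHH", txid, (opcode << 11) | 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode()
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}

def parse_question(msg):
    """Return (name, qtype, qclass, end_offset) of the first question."""
    off, labels = 12, []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    off += 1  # root label
    qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
    return ".".join(labels), qtype, qclass, off + 4

def respond(query, txt_records):
    """Hypothetical responder following draft-ietf-dnsop-no-response-issue:
    unknown opcode -> NOTIMP; known name+TXT -> answer; any other qtype (e.g. CAA)
    -> empty NOERROR so a CA's CAA lookup sees 'no records' rather than an error."""
    hdr = parse_header(query)
    name, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]
    if hdr["opcode"] != 0:  # only QUERY (0) is implemented
        flags = 0x8000 | (hdr["opcode"] << 11) | NOTIMP
        return struct.pack(">HHHHHH", hdr["id"], flags, 1, 0, 0, 0) + question
    answers = b""
    if qtype == QTYPE_TXT and name in txt_records:
        txt = txt_records[name].encode()
        rdata = bytes([len(txt)]) + txt  # TXT rdata is a length-prefixed string
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answers = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    flags = 0x8400 | NOERROR  # QR=1, AA=1
    return struct.pack(">HHHHHH", hdr["id"], flags, 1, 1 if answers else 0, 0, 0) \
        + question + answers
```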

Liam, PortSwigger Agent | Last updated: Jan 29, 2019 03:03PM UTC

Nico, we have this logged in our development backlog. We've made additional notes of your requirements. Unfortunately, we can't provide an ETA.

Burp User | Last updated: Apr 19, 2019 10:55AM UTC

This is good to have - so +1 from me too https://twitter.com/Agarri_FR/status/1119186670459420673

Liam, PortSwigger Agent | Last updated: Apr 23, 2019 09:46AM UTC

We've added your comment to the ticket in our backlog. Unfortunately, we still can't provide an ETA.

Burp User | Last updated: Jun 03, 2019 05:21PM UTC

+1, not having Let's Encrypt support means spending money on commercial certs (costs) or not having a private collaborator (unprofessional) or weak workarounds as explained above

Burp User | Last updated: Oct 15, 2019 09:55AM UTC

10 months later, and no changes... :-/ It would be really nice to _at least_ reply to CAA requests with NOERROR instead of NOTIMP. That doesn't seem like a big change, but automatic Let's Encrypt renewal would finally be possible!

Burp User | Last updated: Oct 15, 2019 09:55AM UTC

Tested on Pro 2.1.04

Burp User | Last updated: Oct 15, 2019 02:02PM UTC

I'd like to see a priority put on implementing this as well as the other improvement requests for Collaborator that are in the backlog. Collaborator is one of the primary reasons I purchase Pro licenses, and I'm sure there are many other customers that feel the same.

Burp User | Last updated: Oct 16, 2019 11:01AM UTC

Yes please, my Outlook reminders started to be annoying... :-)

Rafael | Last updated: Oct 28, 2020 02:42PM UTC

Greetings, @Nicolas, do you have any insights on how to do this automation with DNSChef? I'm using certbot's route53-dns plugin and I'd love to hear how you worked around this issue. Thanks in advance.

Michelle, PortSwigger Agent | Last updated: May 20, 2021 01:08PM UTC

Hi everyone, I just wanted to let you all know we've made a number of improvements to Burp Collaborator in recent versions which should address some of the issues you were experiencing. We have added support for a single custom CNAME and multiple custom TXT DNS records within Burp Collaborator, which can optionally contain specific TTL values, so you should be able to use this to obtain a certificate using Let's Encrypt. Please let us know if you have any questions.
