We receive a lot of issuance requests for names like `update.update.update.bupdate.jediupdate.git.git.example.site`. We know that these requests come from Caddy instances configured to do just-in-time issuance for any subdomain which is requested. And we know that these dynamic requests come from bots watching Certificate Transparency (CT) logs and adding certain subdomains (which they think they may be able to exploit) to every domain they see.
To mitigate this behavior, we could add a configurable `jitSubdomainBlocklist`. This would block any `newOrder` request which:
- is not a renewal; and
- either contains two identical blocklisted subdomain labels in a row, or
- contains any three blocklisted subdomain labels in a row.
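As an illustration of the rule above, here is a small Go check that is not Boulder's code; the blocklist contents, the function names and the `isRenewal` flag are assumptions for the example. It walks the labels of each name and blocks on either condition, while letting renewals through:

```go
package main

import (
	"fmt"
	"strings"
)

// blocklist is a hypothetical jitSubdomainBlocklist with assumed contents.
var blocklist = map[string]bool{
	"update": true,
	"git":    true,
	"www":    true,
}

// IsJITSpamName reports whether a single DNS name trips the proposed rule:
// two identical blocklisted labels in a row, or any three blocklisted labels
// in a row. The renewal exemption is applied by the caller.
func IsJITSpamName(name string) bool {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	labels := strings.Split(name, ".")
	run := 0   // length of the current run of blocklisted labels
	prev := "" // previous blocklisted label in the run
	for _, l := range labels {
		if !blocklist[l] {
			run, prev = 0, ""
			continue
		}
		if l == prev {
			return true // two identical blocklisted labels in a row
		}
		run++
		if run >= 3 {
			return true // three blocklisted labels in a row
		}
		prev = l
	}
	return false
}

// ShouldBlockNewOrder applies the whole rule to a newOrder's identifiers:
// renewals are never blocked; otherwise any offending name blocks the order.
func ShouldBlockNewOrder(names []string, isRenewal bool) bool {
	if isRenewal {
		return false
	}
	for _, n := range names {
		if IsJITSpamName(n) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample names; the first is the pattern quoted in the issue.
	samples := []string{
		"update.update.update.bupdate.jediupdate.git.git.example.site",
		"git.update.www.example.site",
		"git.update.example.site",
		"www.example.com",
	}
	for _, s := range samples {
		fmt.Printf("%-62s blocked=%v\n", s, ShouldBlockNewOrder([]string{s}, false))
	}
}
```

Note that a single blocklisted label, or two different ones next to each other, is not enough to block, so ordinary names like `www.example.com` still issue.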
Alternatively, we could zombie pause any account which gets too many `errTooManyLabels`, since these dynamic subdomain clients are basically the only clients which run into that error.