Filippo ValsordaSep 3, 2025

There is some chatter about a CA mis-issuing a certificate for 1.1.1.1. https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/SgwC1QsEpvc/m/0V_VMV7uAgAJ

This CA (https://crt.sh/?caid=201916, only ~300 certs) is only trusted by (1) the Microsoft root program, and (2) the eIDAS QWAC trusted list.

MS has not been actively managing their root program for years now, and the EU wanted to push theirs on browsers with much better ones.

Incident Report: Mis-issued Certificates for SAN iPAddress:1.1.1.1 by Fina RDC 2020

Show threadPontiff Fractal TiamSep 4, 2025
@filippo I remember how Mozilla used a controversial PR company for a FUD campaign against QWAC. And in my opinion it was all about maintaining Mozilla power position in the Web PKI ecosystem regardless of the (dis)advantages of QWAC and co
Hill & Knowlton - Wikipedia

Show threadkasperdSep 4, 2025
I get this error when I try to follow your link.
Show threadPontiff Fractal TiamSep 4, 2025
@kasperd it seems that even your DNS resolver doesn't like that campaign :-) I can't say why (see screenshot from just now) @filippo
Show threadkasperdSep 4, 2025

I was getting SERVFAIL both from my local DNS server and from Google. So I am confident there was something wrong with the authoritative servers for the domain.

Now I am getting a different error though.

Show threadPontiff Fractal TiamSep 4, 2025

@kasperd that's really strange, the first screenshot says nx domain...

Anyhow, it's not that interesting after all.

Show threadkasperd

It’s a known problem that there are browsers saying NXDOMAIN to the user for every DNS problem even if it’s not NXDOMAIN at all.

When I got that error at first I verified using the dig and host commands that it was a SERVFAIL error and that I also got that error from other DNS servers.

Sep 5, 2025 at 1:51pmWeb
Show threadPontiff Fractal TiamSep 5, 2025
@kasperd I was not aware of that browser behavior. Did you finally see the campaign?