What I mean by "route change":
As a working example, mysite.example.net is set up as:
mysite.example.net. 3600 IN CNAME some-other-site.elsewhere.com.
some-other-site.elsewhere.com. 580 IN A 22.33.11.0
mysite.example.net is then changed to:
mysite.example.net. 3600 IN CNAME newsite.differentplace.com.
newsite.differentplace.com. 3600 IN CNAME some-other-site.elsewhere.com.
some-other-site.elsewhere.com. 580 IN A 22.33.11.0
(Setting aside the not-best-practice of pointing a CNAME to a CNAME,) the "route" has changed from 2 look-ups to 3.
I am also asking if any number of steps or any kind of change "in the middle" or toward the side of the IP address along the look-up "route" would have any impact on the certificate being verified.
My understanding from the following snip from this question is that as long as all the look-ups originate from the "correct" place (i.e. the CN of the cert matches the first DNS URL queried), there should be no impact on the verification of the certificate. Any number of changes to the look-up chain and any kind of change should not impact the final result of the certificate being valid/verified.
But a CA can make me trust any server they want!
Yes, and that is where the trust comes in. You have to trust the CA not to make certificates as they please. When organisations like Microsoft, Apple and Mozilla trust a CA though, the CA must have audits; another organisation checks on them periodically to make sure everything is still running according to the rules.
Issuing a certificate is done if, and only if, the registrant can prove they own the domain that the certificate is issued for.
Am I right?
Please don't limit your answers, but specifically, would any other certificates along the way get entangled in the original lookup? (e.g. say newsite.differentplace.com has its own certificate; would that be used in validation instead of the certificate for mysite.example.net?)
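A small offline model of the two set-ups above, added here as an example and not part of the question: it follows the CNAME chain the way a resolver would and shows that the only name checked against the certificate is the hostname in the URL, whichever intermediate names the chain passes through. The zone tables and certificate name lists are constructed sample data, and the hop limit and the one-label wildcard rule are simplifying assumptions.

```python
from urllib.parse import urlsplit

# Constructed zone data reproducing the "before" and "after" set-ups.
ZONE_BEFORE = {
    "mysite.example.net": ("CNAME", "some-other-site.elsewhere.com"),
    "some-other-site.elsewhere.com": ("A", "22.33.11.0"),
}
ZONE_AFTER = {
    "mysite.example.net": ("CNAME", "newsite.differentplace.com"),
    "newsite.differentplace.com": ("CNAME", "some-other-site.elsewhere.com"),
    "some-other-site.elsewhere.com": ("A", "22.33.11.0"),
}

def resolve(zone, name, max_hops=8):
    """Follow CNAMEs until an A record; return (ip, names looked up in order)."""
    chain = [name]
    while True:
        rtype, rdata = zone[name]
        if rtype == "A":
            return rdata, chain
        if len(chain) > max_hops:  # assumed guard against CNAME loops
            raise RuntimeError("CNAME chain too long")
        name = rdata
        chain.append(name)

def name_to_verify(url):
    """The hostname the client asked for is the only name matched against the cert."""
    return urlsplit(url).hostname.rstrip(".").lower()

def san_matches(san_names, host):
    """Exact match, or a single leading wildcard label covering one label of host."""
    for san in san_names:
        san = san.lower()
        if san == host:
            return True
        if (san.startswith("*.") and host.count(".") == san.count(".")
                and host.endswith(san[1:])):
            return True
    return False

def check(zone, url, cert_sans):
    """Resolve the URL's host through the zone and validate the cert against it."""
    host = name_to_verify(url)
    ip, chain = resolve(zone, host)
    # Note: intermediate CNAME targets in `chain` play no part in validation.
    return {"ip": ip, "lookups": len(chain), "valid": san_matches(cert_sans, host)}
```

Running `check` on both zones with a certificate for mysite.example.net gives the same IP and the same verdict, only the lookup count changes; a certificate naming only newsite.differentplace.com fails in both.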