
Add CAA DNS Record for PMA websites when possible #61

Closed
emanuelb opened this Issue Mar 21, 2017 · 3 comments


emanuelb commented Mar 21, 2017

A CAA DNS record is used to specify which CA is allowed to generate certificates for a domain; more information:
https://sslmate.com/labs/caa/

fix:
Add a CAA record if possible (the DNS provider supports it) & the target CA supports it as well (letsencrypt has support: https://community.letsencrypt.org/t/caa-setup-for-lets-encrypt/9893)
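The following is an added example, not code from this issue or from the phpMyAdmin project, showing what a CA is expected to do with the records proposed above: find the relevant CAA RRset by walking from the requested name toward the root (RFC 8659 section 3), then apply the `issue`, `issuewild` and issuer-critical flag rules before issuing. The zone names under `example.net` are constructed; `letsencrypt.org` is the identifier Let's Encrypt checks for. Running it offline against a copy of your own records is a cheap way to confirm that the CA you actually use is authorized and that everyone else is refused before the record goes live.

```python
"""Offline CAA evaluation (RFC 8659) against a constructed in-memory zone.

Added example; not phpMyAdmin code and not its real DNS data.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128          # flag bit: unknown tag with this set => refuse


@dataclass(frozen=True)
class CAA:
    flags: int                 # 0 or ISSUER_CRITICAL
    tag: str                   # "issue", "issuewild", "iodef", ...
    value: str


# Constructed sample zone (hypothetical names, not the project's DNS).
ZONE = {
    "example.net": [
        CAA(0, "issue", "letsencrypt.org"),             # only this CA may issue
        CAA(0, "issuewild", ";"),                       # nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.net"),  # where CAs report violations
    ],
    # Only a reporting address: CAA present but issuance not restricted.
    "iodef-only.example.net": [CAA(0, "iodef", "mailto:noc@example.net")],
    # Unknown property marked issuer-critical: every CA must refuse.
    "strict.example.net": [CAA(ISSUER_CRITICAL, "future-tag", "x")],
}


def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []


def issuer_matches(value, ca_domain):
    """Parse '<issuer-domain>[; parameters]'. A bare ';' authorizes no issuer."""
    issuer = value.split(";", 1)[0].strip().lower()
    return issuer != "" and issuer == ca_domain.lower()


def may_issue(fqdn, ca_domain, zone):
    """Return True if ca_domain is permitted to issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    _, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True            # no CAA anywhere in the tree: unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in known for r in rrset):
        return False           # critical property we do not understand
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True            # only non-restricting tags such as iodef
    return any(issuer_matches(r.value, ca_domain) for r in applicable)


def zone_file_lines(name, rrset):
    """Render records in the presentation format most DNS providers accept."""
    return [f'{name}. IN CAA {r.flags} {r.tag} "{r.value}"' for r in rrset]


if __name__ == "__main__":
    for line in zone_file_lines("example.net", ZONE["example.net"]):
        print(line)
    for host, ca in [("www.example.net", "letsencrypt.org"),
                     ("www.example.net", "other-ca.example"),
                     ("*.example.net", "letsencrypt.org")]:
        print(host, ca, "->", "allowed" if may_issue(host, ca, ZONE) else "refused")
```

Note that the lookup stops at the first non-empty RRset, so a subdomain that only carries an `iodef` record does not inherit the parent's `issue` restriction; if that is not what you want, repeat the `issue` records on that name.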

nijel (Member) commented Mar 21, 2017

Gandi does not support it right now. But still, it doesn't matter whether you use a CA supporting this; as long as there is a single CA not supporting CAA, the benefit of having it is not really that big.

emanuelb commented Mar 21, 2017

> But still, it doesn't matter whether you use a CA supporting this; as long as there is a single CA not supporting CAA, the benefit of having it is not really that big.

It mitigates many external attacks (an attacker exploiting a CA's process to create certs, which will fail CAA checks);
sure, it doesn't help against a malicious/totally-compromised CA.

I don't follow the CAB discussions, but it looks like they are planning to make the checking mandatory for all CAs, see:
"[cabfpub] Start of Review Period for Ballot 187 - Make CAA Checking Mandatory"
https://cabforum.org/pipermail/public/2017-March/009989.html

@nijel nijel self-assigned this Mar 9, 2018

nijel (Member) commented Mar 9, 2018

As Gandi now supports this, I've just added the CAA records.

@nijel nijel closed this Mar 9, 2018
