More context and instructions for DNSSEC and CAA sections #314
Thanks for the contribution @gunnim! While the steward of the Domain and DNS Security, @Raiders0786, reviews the content added, I need to ask you to follow this guide about how to sign unverified commits as this PR can't be merged if all the commits are not verified. The guide assumes that the user following it has a signing key. Thanks :)
mattaereal
left a comment
I think the additions are useful! Can you just update the claim of the security issues? You can add the most prominent ones, in case you want to provide more information about them. The rest is a minor thing
Certificate Authority Authorization (CAA) records specify which Certificate Authorities (CAs) are allowed to issue SSL certificates for your domain. This prevents unauthorized certificate issuance, which attackers could use to create fake SSL certificates for your domain.

**How it protects you**: Without CAA records, any Certificate Authority can issue SSL certificates for your domain. Attackers could potentially obtain fake certificates and use them in sophisticated phishing attacks that appear to have valid SSL encryption.
With CAA records for a given domain in place, if a CA receives a certificate request for that domain it will deny that request except in the event of a fully compromised CA (Last big CA security issue was Symantec around 2015).
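Review bot: the exception clause in the last line is narrower than the text needs. CAA is enforced by the issuing CA itself at validation time, so it also gives no protection when a CA's CAA check is skipped or defective (the CVE-2025-44005 case raised in this thread), not only when the CA is "fully compromised"; suggest rewording to "unless the CA fails to check CAA, whether through compromise or a defect in its issuance pipeline", and either cite the "Symantec around 2015" parenthetical or drop it, since an unsourced date will go stale.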
I think the biggest issue with a tool regarding CAs was CVE-2025-44005, this year
@mattaereal what I was attempting to highlight is when CAA records don't help. In your example and f.x. for https://www.sans.org/newsletters/newsbites/xxvii-32 I think it's reasonable to assume that CAA would in fact help as they were not fully compromised.
I've pushed a further clarification that I hope is more useful
docs/pages/infrastructure/domain-and-dns-security/dnssec-and-email.mdx
I've commented feedback and changes above—are you able to see them, @gunnim?
Thanks for review @Raiders0786! I am not able to see the comments but I see you and @gunnim spoke and he is making changes. Btw, @gunnim I see the commit
- making the page with proper heading + table of content (security-alliance#311)
- making the deadlinks error just a warning (security-alliance#312)
- Revert "Add DevOps & Infrastructure certification and enhance existing certif…" (security-alliance#317)
  This reverts commit 1148af5.
- Fix node version requirement for local testing (security-alliance#318)
  * fix: update Node.js requirement to v22+ for vocs compatibility
    vocs >=1.2.0 requires Node.js 22+ due to usage of globSync from node:fs. Updated devcontainer Dockerfile and CONTRIBUTING.md accordingly. See: https://github.com/wevm/vocs/blob/main/package.json
    🤖 Generated with [Claude Code](https://claude.com/claude-code)
    Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
  * shorten comments
  * fix: update Node.js version in contributing.mdx
  Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Restructuring opsec domain (security-alliance#299)
  * restructuring opsec domain
  * finalise the opsec revamp
  * Updating tags!
  * Removing build errors by vite on deadlinks
  * fix import paths + deadlinks
  Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com>
  Co-authored-by: Sara Russo <sararusso984@gmail.com>
- Restore automated tag colors and fix broken link (security-alliance#310)
  * add tags color generator
  * adding missing tags, colors and styling for tags + fix broken link
  Co-authored-by: Matías Aereal Aeón <388605+mattaereal@users.noreply.github.com>
- Add Isaac and Dickson as stewards (security-alliance#316)
  * Update contributor roles and descriptions in contributors.json
    - Changed roles for Dickson Wu and Isaac Patka from "contributor" to "steward".
    - Enhanced descriptions to reflect their stewardship responsibilities, providing clearer attribution in documentation.
  * Update contributor description for Safe Harbor in contributors.json
    - Revised the description for the Safe Harbor contributor to clarify their role as "Steward of Safe Harbor & Steward of SEAL Certs," enhancing the accuracy of contributor attributions.
- clarify CAA use further
- minor content structure
- further work after discussion with maintainer
…ec-and-email--additions
FYI on git history: did some serious chainsaw surgery to fix the old merge missing verification... 😅
Core impetus for the PR is to clarify what I saw as a missing step when creating your CAA records, the mapping from issuer name to issuer domain name. I am also hoping it might be useful to clarify where DNSSEC/CAA do not help.
@Raiders0786
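The check a CA performs against CAA records (RFC 8659), showing why the record must carry the issuer domain name the CA publishes rather than the CA's brand name, and where the check cannot help once a CA skips it; this is an added example, not code from the PR or the Security Alliance docs. The zone data and the `ca-a.example` / `ca-b.example` issuer domains are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the record issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # "<issuer-domain>; k=v", or ";" meaning no issuer at all

# Constructed zone data (placeholder names); a real check resolves CAA via DNS.
CONSTRUCTED_ZONE = {
    "example.com": [CAA(0, "issue", "ca-a.example"),
                    CAA(0, "issuewild", ";"),   # forbid all wildcard issuance
                    CAA(0, "iodef", "mailto:security@example.com")],
    "partner.example.com": [CAA(0, "issue", "ca-b.example; validationmethods=dns-01")],
    "legacy.example.com": [CAA(0, "issue", "ca-a.example"),
                           CAA(128, "futuretag", "x")],  # critical tag no CA understands
}

def relevant_rrset(fqdn, zone=CONSTRUCTED_ZONE):
    """RFC 8659 s3: walk from fqdn toward the root; first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """'ca-a.example; k=v' -> 'ca-a.example'; ';' -> '' (no CA may issue)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(issuer, fqdn, zone=CONSTRUCTED_ZONE):
    """True if a CA whose published issuer domain is `issuer` may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    # Simplification: a wildcard request is checked against its base name's RRset.
    rrset = relevant_rrset(fqdn[2:] if wildcard else fqdn, zone)
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & 128 and r.tag not in known for r in rrset):
        return False  # critical tag the CA does not understand: MUST NOT issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcards when present
    allowed = [issuer_domain(r.value) for r in rrset if r.tag == tag]
    if not allowed:
        return True  # no restricting property in the relevant RRset: unrestricted
    return issuer.lower() in allowed
```

Note that `may_issue` runs inside the CA: a CA that never calls it, or calls it with a bug, issues regardless of what the zone says, which is the gap the PR text is trying to describe.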