<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 22, 2016 at 9:55 AM, Erwann Abalea <span dir="ltr">&lt;<a href="mailto:Erwann.Abalea@docusign.com" target="_blank">Erwann.Abalea@docusign.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">We also need more support from DNS servers.<br></blockquote><div><br></div><div>I think we'll constantly be in this chicken-and-egg problem until the CA/B Forum takes action.</div><div><br></div><div>Customers don't receive value in CAA until (all) CAs are obligated to check &amp; respect it. However, if we get there, it becomes a vital and valuable security feature.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
For my domains, I host everything on the « Cloud », and register my domain names on Gandi, who is also my DNS service, with a nice web UI.<br>
I wanted to add a CAA record for testing, but Gandi doesn’t support that. Amazon Route 53 doesn’t either. I looked for some documentation about Cloudflare DNS, <a href="http://dyn.com" rel="noreferrer" target="_blank">dyn.com</a> Managed DNS, GoDaddy, Microsoft Azure, EasyDNS, none of them seem to support CAA.<br></blockquote><div><br></div><div>That's unfortunate, but luckily we've got members in both Microsoft and GoDaddy who might be able to poke their product teams, and we know CloudFlare is generally responsive to security feature improvements.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The only positive finding is that Google Cloud DNS supports CAA records with an easy to use UI.<br></blockquote><div><br></div><div>I'll be sure to pass this on to the team that implemented this =)</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The fact that we still have to use « -t TYPE257 » on dig or host command or the equivalent « set type=TYPE257 » on nslookup to manually perform this query is not encouraging.</blockquote><div><br></div><div>Encouraging in what sense? There's naturally an ecosystem issue, but the need to use -t TYPE257 on older versions of dig/host doesn't preclude you from taking advantage of the security benefits, if CAs were willing or required to respect it. </div></div><br></div></div>
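The thread above mentions that older dig/host builds need `-t TYPE257` to query CAA, in which case the answer is printed in RFC 3597 generic form (`\# <length> <hex>`) rather than as `0 issue "ca.example"`. The following is an added example, not part of the original mailing-list post or of any of the products named in it: it decodes that generic presentation into the RFC 6844 fields (flags, tag, value) and then applies the basic `issue`-tag check a CA would make before issuing. The record lines and hex are constructed for the example; the issuance check is a deliberately simplified reading of RFC 6844 section 4 for a non-wildcard name and does not implement tree climbing, wildcards or `issue` parameters.

```python
"""Decode CAA (RR type 257) records printed in RFC 3597 generic form.

When dig/host do not know the CAA type, '-t TYPE257' prints the RDATA as
'\\# <length> <hex>'.  This added example (not from the original post)
parses that form per RFC 6844 section 5.1 and applies a simplified
'issue' check.  All sample data below is constructed for illustration.
"""
import re

CRITICAL = 0x80  # issuer-critical bit, the only flag RFC 6844 defines
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# '\# 22 0005...' with the hex optionally split into whitespace-separated groups
GENERIC_RE = re.compile(r"\\#\s+(\d+)\s+((?:[0-9A-Fa-f]{2}\s*)*)$")


def parse_wire(data):
    """Split raw CAA RDATA into (flags, tag, value) per RFC 6844 s5.1."""
    if len(data) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = data[0], data[1]
    if tag_len == 0 or 2 + tag_len > len(data):
        raise ValueError("bad tag length %d" % tag_len)
    # Tags are case-insensitive ASCII; normalise so 'Issue' == 'issue'
    tag = data[2:2 + tag_len].decode("ascii").lower()
    value = data[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def parse_generic(presentation):
    """Decode one '\\# len hex' presentation line into (flags, tag, value)."""
    m = GENERIC_RE.search(presentation)
    if not m:
        raise ValueError("not RFC 3597 generic format: %r" % presentation)
    length = int(m.group(1))
    data = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
    if len(data) != length:
        raise ValueError("declared length %d, got %d bytes" % (length, len(data)))
    return parse_wire(data)


def to_wire(flags, tag, value):
    """Encode (flags, tag, value) as CAA RDATA; the inverse of parse_wire."""
    t = tag.encode("ascii")
    return bytes([flags & 0xFF, len(t)]) + t + value.encode("utf-8")


def issuance_allowed(records, issuer_domain):
    """Simplified RFC 6844 s4 decision for a non-wildcard name.

    records: list of (flags, tag, value) for the name being checked.
    Returns True if issuer_domain is permitted to issue.
    """
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False  # critical property we do not understand: refuse
    issue_values = [v for _, t, v in records if t == "issue"]
    if not issue_values:
        return True  # no 'issue' property: CAA imposes no restriction
    for v in issue_values:
        domain = v.split(";", 1)[0].strip().lower()  # parameters ignored here
        if domain and domain == issuer_domain.lower():
            return True
    return False  # covers 'issue ";"', which forbids every issuer


def demo():
    """Decode a constructed TYPE257 answer as an older dig would print it."""
    line = ("example.com. 3600 IN TYPE257 \\# 22 "
            "00056973737565 6C657473656E63727970742E6F7267")
    return parse_generic(line)


if __name__ == "__main__":
    flags, tag, value = demo()
    print("flags=%d tag=%s value=%s" % (flags, tag, value))
    print("letsencrypt.org may issue:",
          issuance_allowed([(flags, tag, value)], "letsencrypt.org"))
```

Run against a real answer, paste the `\# ...` portion of the dig output into `parse_generic`; the length check catches a line that was wrapped or truncated when copied from the terminal.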