[cabfpub] Checking CAA oneself

Ryan Sleevi sleevi at google.com
Thu Sep 22 21:02:01 UTC 2016


On Thu, Sep 22, 2016 at 9:55 AM, Erwann Abalea <Erwann.Abalea at docusign.com>
wrote:

> We also need more support from DNS servers.
>

I think we'll constantly be in this chicken-and-egg problem until the CA/B
Forum takes action.

Customers don't receive value in CAA until (all) CAs are obligated to check
& respect it. However, if we get there, it becomes a vital and valuable
security feature.


> For my domains, I host everything on the « Cloud », and register my domain
> names on Gandi, who is also my DNS service, with a nice web UI.
> I wanted to add a CAA record for testing, but Gandi doesn’t support that.
> Amazon Route 53 doesn’t either. I looked for some documentation about
> Cloudflare DNS, dyn.com Managed DNS, GoDaddy, Microsoft Azure, EasyDNS,
> none of them seem to support CAA.
>

That's unfortunate, but luckily we've got members in both Microsoft and
GoDaddy who might be able to poke their product teams, and we know
CloudFlare is generally responsive to security feature improvements.


> The only positive finding is that Google Cloud DNS supports CAA records
> with an easy to use UI.
>

I'll be sure to pass this on to the team that implemented this =)


> The fact that we still have to use « -t TYPE257 » on dig or host command
> or the equivalent « set type=TYPE257 » on nslookup to manually perform this
> query is not encouraging.


Encouraging in what sense? There's naturally an ecosystem issue, but the
need to use -t TYPE257 on older versions of dig/host doesn't preclude you
from taking advantage of the security benefits, if CAs were willing or
required to respect it.
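A worked example, added here and not part of the thread: the older dig/host builds mentioned above that only know TYPE257 print the answer in RFC 3597 generic form ("\# <length> <hex bytes>"), so the decoder below turns such lines into the flags/tag/value triple of RFC 6844 and then applies the section 4 issuance rule (issue vs. issuewild, empty issuer meaning "nobody", unknown critical property meaning "must not issue"). The dig output lines are constructed for the example, the CA names are placeholders, and the check covers a single RRset only; a real CA also walks up to parent domains and follows CNAMEs before deciding.

```python
r"""Decode CAA (TYPE257) records printed in RFC 3597 generic text by older
dig/host builds, and apply the RFC 6844 issuance rule to them.

Added example, not code from the original mailing-list thread. The dig
output below is constructed; RDATA layout (RFC 6844 section 5.1) is:
    flags (1 byte) | tag length (1 byte) | tag | value (rest of RDATA)
"""
import binascii
from typing import List, NamedTuple, Optional


class CAARecord(NamedTuple):
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # Bit 0x80 is the "issuer critical" flag (RFC 6844 section 5.1.1).
        return bool(self.flags & 0x80)

    def presentation(self) -> str:
        # Same shape a CAA-aware dig prints: <flags> <tag> "<value>"
        return f'{self.flags} {self.tag} "{self.value}"'


def parse_generic_rdata(text: str) -> bytes:
    r"""Parse RFC 3597 generic RDATA text: '\# <length> <hex ...>'."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != r"\#":
        raise ValueError(f"not RFC 3597 generic RDATA: {text!r}")
    declared = int(parts[1])
    data = binascii.unhexlify("".join(parts[2:]))
    if len(data) != declared:
        raise ValueError(f"declared length {declared} != actual {len(data)}")
    return data


def decode_caa(rdata: bytes) -> CAARecord:
    """Split raw CAA RDATA into flags, tag and value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than 2 bytes")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError(f"CAA tag must be alphanumeric: {tag!r}")
    value = rdata[2 + tag_len:].decode("utf-8")
    return CAARecord(flags, tag.lower(), value)


def caa_from_dig_line(line: str) -> Optional[CAARecord]:
    r"""Pull the RDATA out of one 'name TTL IN TYPE257 \# ...' answer line."""
    fields = line.split(None, 4)
    if len(fields) < 5 or fields[3].upper() != "TYPE257":
        return None
    return decode_caa(parse_generic_rdata(fields[4]))


def records_from_dig(output: str) -> List[CAARecord]:
    recs = [caa_from_dig_line(l) for l in output.splitlines()]
    return [r for r in recs if r is not None]


def issuer_domain(value: str) -> str:
    """'ca.example; account=1' -> 'ca.example'; ';' alone -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(records: List[CAARecord], ca: str, wildcard: bool = False) -> bool:
    """RFC 6844 section 4 applied to one RRset (parent-domain and CNAME
    walking, which a real CA must also do, is an assumption left out here)."""
    if not records:
        return True  # no CAA records at all: any CA may issue
    if any(r.critical and r.tag not in ("issue", "issuewild", "iodef")
           for r in records):
        return False  # critical property we do not understand: must not issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"  # issuewild, when present, overrides issue for wildcards
    allowed = {issuer_domain(r.value) for r in records if r.tag == tag}
    if not allowed:
        return True  # e.g. only iodef present: this RRset restricts nothing
    return ca.lower() in allowed


# Constructed sample: what `dig -t TYPE257 example.com` prints on a build
# without CAA support, for the records
#   0 issue "letsencrypt.org" / 0 issuewild ";" / 0 iodef "mailto:security@example.com"
SAMPLE_DIG_OUTPUT = r"""
example.com. 3600 IN TYPE257 \# 22 00056973737565 6c657473656e63727970742e6f7267
example.com. 3600 IN TYPE257 \# 12 0009697373756577696c64 3b
example.com. 3600 IN TYPE257 \# 34 0005696f646566 6d61696c746f3a736563757269747940 6578616d706c652e636f6d
"""

if __name__ == "__main__":
    recs = records_from_dig(SAMPLE_DIG_OUTPUT)
    for rec in recs:
        print(rec.presentation())
    print("letsencrypt.org may issue example.com:", ca_may_issue(recs, "letsencrypt.org"))
    print("letsencrypt.org may issue *.example.com:", ca_may_issue(recs, "letsencrypt.org", wildcard=True))
```

Feeding real output in is a matter of replacing SAMPLE_DIG_OUTPUT with the captured text of dig -t TYPE257 <name>; the decoder does not care whether the hex is split into several words, since RFC 3597 allows that.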