[cabfpub] Checking CAA oneself

philliph at comodo.com
Thu Sep 22 21:39:10 UTC 2016


I think that we have a problem in Internet security generally similar to that of 802.11b vs WiFi. There is a specification but implementations of the specification vary and are not always up to date.

Perhaps we could create a checklist for various parties for implementing PKI-2017 or whatever, giving concrete steps for what has to be implemented.



> On Sep 22, 2016, at 5:02 PM, Ryan Sleevi <sleevi at google.com> wrote:
> 
> 
> 
> On Thu, Sep 22, 2016 at 9:55 AM, Erwann Abalea <Erwann.Abalea at docusign.com> wrote:
> We also need more support from DNS servers.
> 
> I think we'll constantly be in this chicken-and-egg problem until the CA/B Forum takes action.
> 
> Customers don't receive value in CAA until (all) CAs are obligated to check & respect it. However, if we get there, it becomes a vital and valuable security feature.
>  
> For my domains, I host everything on the « Cloud », and register my domain names on Gandi, who is also my DNS service, with a nice web UI.
> I wanted to add a CAA record for testing, but Gandi doesn’t support that. Amazon Route 53 doesn’t either. I looked for some documentation about Cloudflare DNS, dyn.com Managed DNS, GoDaddy, Microsoft Azure, EasyDNS, none of them seem to support CAA.
> 
> That's unfortunate, but luckily we've got members in both Microsoft and GoDaddy who might be able to poke their product teams, and we know CloudFlare is generally responsive to security feature improvements.
>  
> The only positive finding is that Google Cloud DNS supports CAA records with an easy to use UI.
> 
> I'll be sure to pass this on to the team that implemented this =)
>  
> The fact that we still have to use « -t TYPE257 » on dig or host command or the equivalent « set type=TYPE257 » on nslookup to manually perform this query is not encouraging.
> 
> Encouraging in what sense? There's naturally an ecosystem issue, but the need to use -t TYPE257 on older versions of dig/host doesn't preclude you from taking advantage of the security benefits, if CAs were willing or required to respect it. 
> 
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
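
As an added example that is not part of this thread: when an older dig or host has no CAA presentation format, a `-t TYPE257` query prints the RDATA in RFC 3597 generic form (`\# <length> <hex>`). The code below decodes such lines into the RFC 6844 flags/tag/value triple and applies the issue/issuewild check a CA would perform on the relevant record set; the two dig output lines are constructed sample data, not taken from the post.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of old-dig output for `dig -t TYPE257` (RFC 3597 "\# <len> <hex>" form).
SAMPLE_DIG_OUTPUT = """\
example.com.  3600  IN  TYPE257  \\# 21 00056973737565 63612e6578616d706c652e6e6574
example.com.  3600  IN  TYPE257  \\# 12 8009697373756577696c64 3b
"""
GENERIC_RDATA = re.compile(r"\\#\s+(\d+)\s+([0-9a-fA-F\s]+)$")

@dataclass(frozen=True)
class CAARecord:
    critical: bool  # RFC 6844 "Issuer Critical" flag (bit value 128 of the flags byte)
    tag: str        # property tag, e.g. issue / issuewild / iodef (case-insensitive)
    value: str      # property value, e.g. "ca.example.net" or ";" (nobody may issue)

def parse_generic_caa(line: str) -> CAARecord:
    """Decode one TYPE257 answer line: flags byte, tag-length byte, tag, then value."""
    m = GENERIC_RDATA.search(line.strip())
    if not m:
        raise ValueError(f"no RFC 3597 generic RDATA in {line!r}")
    rdata = bytes.fromhex("".join(m.group(2).split()))
    if len(rdata) != int(m.group(1)) or len(rdata) < 2:
        raise ValueError("declared length does not match RDATA, or RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("invalid CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("utf-8")
    return CAARecord(critical=bool(flags & 0x80), tag=tag, value=value)

def parse_dig_output(text: str) -> List[CAARecord]:
    return [parse_generic_caa(l) for l in text.splitlines() if "TYPE257" in l]

def issuance_allowed(records: List[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 6844 section 4 decision on the relevant record set (the caller has already
    walked up the DNS tree to find it). An unknown critical tag forbids issuance."""
    if any(r.critical and r.tag not in ("issue", "issuewild", "iodef") for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable property: CAA does not restrict this request
    # value is "<ca-domain>[; params]"; a bare ";" authorises no CA at all
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    return ca_domain.strip().lower() in allowed
```

In the sample, the first record lets `ca.example.net` issue ordinary certificates while the critical `issuewild ";"` record forbids every CA from issuing wildcards.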
