netsec-sig - [Security-WG] CAA DNS Records
Subject: Internet2 Network Security SIG
- From: David Farmer <>
- Subject: [Security-WG] CAA DNS Records
- Date: Wed, 6 May 2020 10:50:17 -0500
Is anyone issuing or considering issuing CAA DNS records for their domains?
CAA records limit which Certificate Authorities (CAs) can issue certificates for a domain or even an individual name within a domain, which at least reduces the attack surface of bogus or unauthorized certificates.
An added benefit: if departments are using different CAs than, say, a default InCommon/Comodo CA, then adding a CAA for the CA they are using gives that CA explicit authority to issue a cert for that name and eliminates a class of DNS Hostmaster trouble tickets from CAs verifying the authority to issue certificates.
Useful links:
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
https://letsencrypt.org/docs/caa/
https://sslmate.com/caa/
Related question, what are institutions doing for surveillance of certificates issued for their domains?
Thanks
===============================================
David Farmer
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE Phone: 612-626-0815
Minneapolis, MN 55414-3029 Cell: 612-812-9952
===============================================
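The evaluation a CA performs against CAA records, as described in the message above (the climb from a name to its parents, and the per-name authorization a department gets by publishing its own record), worked through as an added example. This is not code from the original post or from the University of Minnesota. It runs against a constructed in-memory zone (ZONE), with constructed hostnames and CA issuer domains; a CA or a local checker would query DNS instead of a dict, and issue-record parameters such as account identifiers are not evaluated here.

```python
"""RFC 8659 CAA evaluation over a constructed in-memory zone.

Added example; not code from the original message. ZONE, the hostnames and
the CA issuer domains are constructed for illustration. A real CA queries
DNS for each candidate owner name; this example looks the names up in a dict.
Parameters after ';' in an issue value (e.g. accounturi) are not evaluated.
"""
from dataclasses import dataclass

CRITICAL = 0x80                       # flags bit 7: issuer-critical property
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0, or CRITICAL for a property the CA must understand
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain [; parameters], or ";" meaning "no CA"


# Constructed zone. The institution's apex permits only its default CA, while a
# departmental zone authorizes a different CA for its own names and forbids
# wildcard certificates under it. "legacy" carries a hypothetical critical
# property that this checker does not understand.
ZONE = {
    "example.edu": [
        CAA(0, "issue", "sectigo.com"),
        CAA(0, "iodef", "mailto:hostmaster@example.edu"),
    ],
    "cs.example.edu": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),
    ],
    "legacy.example.edu": [
        CAA(CRITICAL, "futuretag", "value"),   # hypothetical unknown critical tag
        CAA(0, "issue", "sectigo.com"),
    ],
}


def relevant_rrset(zone, name):
    """RFC 8659 section 3: start at the name (the base name X for *.X) and
    climb toward the root until a non-empty CAA RRset is found."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_domain(value):
    """'ca.example; key=v' -> 'ca.example'; ';' -> '' (no CA authorized)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(zone, name, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for name.
    A name beginning with '*.' is treated as a wildcard request."""
    wildcard = name.startswith("*.")
    _, rrset = relevant_rrset(zone, name)
    if not rrset:
        return True                       # no CAA anywhere up the tree
    # An unrecognised property with the critical flag set means: do not issue.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"                 # issuewild takes precedence for *.X
    allowed = {issuer_domain(r.value) for r in rrset if r.tag.lower() == tag}
    if not allowed:
        return True                       # RRset carries no issue restriction
    return ca_domain.lower() in allowed   # '' (from ';') never matches a CA


def zone_lines(zone):
    """Render the records in zone-file presentation format."""
    return [f'{owner}. IN CAA {r.flags} {r.tag} "{r.value}"'
            for owner, rrs in zone.items() for r in rrs]


if __name__ == "__main__":
    for line in zone_lines(ZONE):
        print(line)
    for name, ca in [("www.example.edu", "sectigo.com"),
                     ("www.example.edu", "letsencrypt.org"),
                     ("www.cs.example.edu", "letsencrypt.org"),
                     ("www.cs.example.edu", "sectigo.com"),
                     ("*.cs.example.edu", "letsencrypt.org"),
                     ("*.example.edu", "sectigo.com"),
                     ("host.legacy.example.edu", "sectigo.com")]:
        verdict = "allowed" if issuance_permitted(ZONE, name, ca) else "REFUSED"
        print(f"{ca:16} -> {name:26} {verdict}")
```

Two behaviours are worth noticing when planning records for an institution: once a departmental name publishes its own CAA RRset, the parent's records are no longer consulted for names under it, so the department must list every CA it uses; and a record set that contains only an iodef property imposes no restriction at all.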