[dns-operations] Spoofing DNS with fragments

Phil Pennock dnsop+phil at spodhuis.org
Tue Sep 11 20:51:25 UTC 2018


On 2018-09-11 at 15:16 +0200, Stephane Bortzmeyer wrote:
> On Tue, Sep 11, 2018 at 12:10:25PM +0200,
>  Volker Janzen <voja at voja.de> wrote 
>  a message of 17 lines which said:
> 
> > or CAA records.
> 
> Same problem as DNSSEC: *all* CAs must implement it.

They are all required to do so, in CA/Browser Baseline Requirements;
this became mandated a couple of years ago.

If you find a CA which is not checking CAA, report it and get them
de-listed by all the major browser and operating system vendors.

-Phil


