[dns-operations] Spoofing DNS with fragments
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Sep 11 21:04:34 UTC 2018
> On Sep 11, 2018, at 4:51 PM, Phil Pennock <dnsop+phil at spodhuis.org> wrote:
>
>> Volker Janzen <voja at voja.de> wrote
>> a message of 17 lines which said:
>>
>>> or CAA records.
>>
>> Same problem as DNSSEC: *all* CAs must implement it.
>
> They are all required to do so, in CA/Browser Baseline Requirements;
> this became mandated a couple of years ago.
>
> If you find a CA which is not checking CAA, report it and get them
> de-listed by all the major browser and operating system vendors.
My domain has both DNSSEC and a CAA record that matches none of the
public CAs, it'd be interesting to find out whether this is sufficient
to help all of them to avoid issuing an unauthorized certificate.
--
Viktor.
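The check the thread is talking about, as an added example that is not part of this thread or of any CA's code: it evaluates a CAA RRset the way RFC 8659 section 4 directs a CA to, so a record set naming no public CA (or naming nobody, value ";") refuses issuance. It assumes the caller has already found the relevant RRset (the tree climb of RFC 8659 section 3 is not shown); the record values and CA names are constructed.

```python
# Evaluate a CAA RRset per RFC 8659 section 4 (issue / issuewild / critical flag).
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org" or "" / ";" meaning no CA may issue


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def issuer_domain(value: str) -> str:
    """Strip parameters ("; account=123") and normalize the issuer domain."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def caa_permits(records, ca_domain: str, wildcard: bool = False) -> bool:
    """True if the CA identified by ca_domain may issue for the name whose
    relevant CAA RRset is `records`; False if issuance is forbidden.
    An empty record set means no CAA policy, so issuance is allowed."""
    # A critical record with a tag the CA does not understand blocks issuance.
    for r in records:
        if r.flags & 128 and r.tag.lower() not in KNOWN_TAGS:
            return False
    issue = [r for r in records if r.tag.lower() == "issue"]
    issuewild = [r for r in records if r.tag.lower() == "issuewild"]
    # For wildcard names, issuewild records override issue records when present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable restriction (e.g. only iodef records)
    # An empty issuer domain authorizes nobody; otherwise the CA's own
    # domain must match one of the listed issuers exactly.
    allowed = {issuer_domain(r.value) for r in relevant} - {""}
    return ca_domain.lower().rstrip(".") in allowed


# Constructed record set: one private issuer, like the CAA record in the post.
SAMPLE = [CAA(0, "issue", "ca.corp.example"), CAA(0, "iodef", "mailto:sec@corp.example")]
```

With SAMPLE, caa_permits(SAMPLE, "letsencrypt.org") is False while caa_permits(SAMPLE, "ca.corp.example") is True.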