[dns-operations] Spoofing DNS with fragments

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 11 21:04:34 UTC 2018



> On Sep 11, 2018, at 4:51 PM, Phil Pennock <dnsop+phil at spodhuis.org> wrote:
> 
>> Volker Janzen <voja at voja.de> wrote 
>> a message of 17 lines which said:
>> 
>>> or CAA records.
>> 
>> Same problem than DNSSEC : *all* CA must implement it. 
> 
> They are all required to do so, in CA/Browser Baseline Requirements;
> this became mandated a couple of years ago.
> 
> If you find a CA which is not checking CAA, report it and get them
> de-listed by all the major browser and operating system vendors.

My domain has both DNSSEC and a CAA record that matches none of the
public CAs, it'd be interesting to find out whether this is sufficient
to help all of them to avoid issuing an unauthorized certificate.

-- 
	Viktor.



More information about the dns-operations mailing list