[dns-operations] Spoofing DNS with fragments

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 11 21:04:34 UTC 2018

> On Sep 11, 2018, at 4:51 PM, Phil Pennock <dnsop+phil at spodhuis.org> wrote:
>> Volker Janzen <voja at voja.de> wrote 
>> a message of 17 lines which said:
>>> or CAA records.
>> Same problem as DNSSEC: *all* CAs must implement it.
> They are all required to do so, in CA/Browser Baseline Requirements;
> this became mandated a couple of years ago.
> If you find a CA which is not checking CAA, report it and get them
> de-listed by all the major browser and operating system vendors.

My domain has both DNSSEC and a CAA record that matches none of the
public CAs; it'd be interesting to find out whether this is sufficient
to help all of them avoid issuing an unauthorized certificate.
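The check that the Baseline Requirements quoted above oblige a CA to run is simple to state in code. What follows is an added example, not code from this thread or from any CA: a simplified RFC 8659 CAA evaluation over a constructed zone (SAMPLE_ZONE and every name in it are made up), including an apex CAA whose issuer is empty and therefore authorizes no CA at all, which is the situation the post describes.

```python
"""CAA (RFC 8659) issuance check, simplified: issue / issuewild / critical flag."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (128) = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # issuer domain, optionally followed by ";param=value"

# Constructed sample zone data (not real domains). example.net's apex CAA
# has an empty issuer (";"), so no CA is authorized for any name under it.
SAMPLE_ZONE = {
    "example.net.": [CAA(0, "issue", ";")],
    "www.example.com.": [],
    "example.com.": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                     CAA(0, "issuewild", "digicert.com"),
                     CAA(128, "iodef", "mailto:security@example.com")],
}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; the first non-empty CAA RRset is the relevant one."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]) + ".", [])
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Issuer part before any ';' parameters, lower-cased; '' means 'no CA may issue'."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone, fqdn, ca_domain):
    """True iff the CA identified by ca_domain may issue for fqdn (a leading '*.' marks a wildcard)."""
    wildcard = fqdn.startswith("*.")
    rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    known = {"issue", "issuewild", "iodef"}
    # An unknown property marked critical forbids issuance outright.
    if any(r.flags & 128 and r.tag.lower() not in known for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, else fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True          # no CAA restriction expressed for this name
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)
```

A real CA resolves the RRset with a validating resolver; with DNSSEC on the zone, a forged or fragment-spoofed answer that drops the CAA record fails validation instead of being treated as "no restriction".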

