[dns-operations] DNSSEC deployment incentives
matthew-l at itconsult.co.uk
Tue Jun 18 12:07:19 UTC 2019
Tony Finch <dot at dotat.at> wrote:-
>I've been doing Let's Encrypt stuff recently and it would be a lot safer
>if there were a CAA restriction that required DNSSEC-authenticated dns-01
>verification and prevented http-01.
If they were so minded, would this not be wholly under the control of
Letsencrypt to arrange this? All that would appear to be needed would be a
different string to go in the CAA record (perhaps "dnssec.letsencrypt.org")
which would require DNSSEC signed dns-01.
Agreed that this would be a very useful feature...
More information about the dns-operations