[dns-operations] DNSSEC deployment incentives

Matthew Richardson matthew-l at itconsult.co.uk
Tue Jun 18 12:07:19 UTC 2019

Tony Finch <dot at dotat.at> wrote:-

>I've been doing Let's Encrypt stuff recently and it would be a lot safer
>if there were a CAA restriction that required DNSSEC-authenticated dns-01
>verification and prevented http-01.

If they were so minded, would this not be wholly under the control of
Let's Encrypt to arrange this?  All that would appear to be needed would be a
different string to go in the CAA record (perhaps "dnssec.letsencrypt.org")
which would require DNSSEC signed dns-01.

Agreed that this would be a very useful feature...

Best wishes,

