[dns-operations] DNSSEC deployment incentives
Matt Nordhoff
lists at mn0.us
Tue Jun 18 12:37:29 UTC 2019
On Tue, Jun 18, 2019 at 10:11 AM Tony Finch <dot at dotat.at> wrote:
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> > Well, a knowledgeable CSO might be aware the next MiTM victim may
> > well be a Certification Authority, say Let's Encrypt.
>
> I've been doing Let's Encrypt stuff recently and it would be a lot safer
> if there were a CAA restriction that required DNSSEC-authenticated dns-01
> verification and prevented http-01.
CAA records to require specific validation methods have been created,
but Let's Encrypt hasn't enabled them.

example.com. CAA 0 issue "letsencrypt.org; validationmethods=dns-01"

They're waiting for the CAA specification to be updated to clarify the
syntax for specifying multiple options.

<https://community.letsencrypt.org/t/acme-caa-validationmethods-support/63125>

You can actually play with it in the Let's Encrypt staging environment.
--
Matt Nordhoff
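As an added example (not part of this thread, nor Let's Encrypt's or any CA's code), the following Python snippet shows how a CA-side policy check would evaluate CAA records that carry the validationmethods parameter discussed above. It assumes the comma-separated multi-method syntax that RFC 8657 later standardized, the ACME method labels dns-01 and http-01, and that the CAA RRset has already been fetched (no DNS lookups or parent-zone climbing); the sample records are constructed for illustration.

```python
"""Evaluate CAA issue/issuewild records, honouring the validationmethods parameter.

Added example; assumes RFC 8657 comma-separated validationmethods syntax.
"""
import re
from dataclasses import dataclass, field

# Tags a conforming CA is expected to understand (RFC 8659).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 128

# Accepts either bare rdata or a full presentation-format line such as
#   example.com. CAA 0 issue "letsencrypt.org; validationmethods=dns-01"
_CAA_RE = re.compile(
    r'^(?:\S+\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+)?(\d+)\s+(\S+)\s+"(.*)"$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    issuer: str                      # "" (value ";") means no CA may issue
    params: dict = field(default_factory=dict)


def parse_caa(line: str) -> CAARecord:
    """Parse one CAA record from presentation format into its parts."""
    m = _CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return CAARecord(flags, tag, parts[0].lower(), params)


def allowed_methods(rec: CAARecord):
    """Methods the record permits; None means unrestricted."""
    raw = rec.params.get("validationmethods")
    if raw is None:
        return None
    return {m.strip().lower() for m in raw.split(",") if m.strip()}


def may_issue(records, ca: str, method: str, wildcard: bool = False):
    """Decide whether `ca` may issue via ACME `method` for a name with these records.

    Returns (decision, reason). Wildcard requests consult issuewild records
    when any exist, otherwise fall back to issue records.
    """
    # A critical record with an unknown tag forbids issuance outright.
    for r in records:
        if r.flags & CRITICAL_FLAG and r.tag not in KNOWN_TAGS:
            return False, f"critical CAA tag {r.tag!r} not understood"

    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no applicable CAA records; issuance unrestricted"

    matching = [r for r in relevant if r.issuer == ca.lower()]
    if not matching:
        return False, f"{ca} not authorized by any {relevant[0].tag} record"

    # Authorized if any matching record allows this method (or imposes none).
    for r in matching:
        methods = allowed_methods(r)
        if methods is None or method.lower() in methods:
            return True, f"{ca} authorized for {method}"
    return False, f"{ca} authorized, but not via {method}"


if __name__ == "__main__":
    # Constructed sample: the record from the thread, restricting to dns-01.
    zone = [parse_caa('example.com. CAA 0 issue "letsencrypt.org; validationmethods=dns-01"')]
    for meth in ("dns-01", "http-01"):
        print(meth, may_issue(zone, "letsencrypt.org", meth))
```

The decision function is the part a CA would run after building the CAA RRset; a zone operator can reuse the same logic to check that the record it is about to publish really forbids http-01 before relying on it.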