[dns-operations] DNSSEC deployment incentives

Matt Nordhoff lists at mn0.us
Tue Jun 18 12:37:29 UTC 2019

On Tue, Jun 18, 2019 at 10:11 AM Tony Finch <dot at dotat.at> wrote:
> Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> > Well, a knowledgeable CSO might be aware the next MiTM victim may
> > well be a Certification Authority, say Let's Encrypt.
> I've been doing Let's Encrypt stuff recently and it would be a lot safer
> if there were a CAA restriction that required DNSSEC-authenticated dns-01
> verification and prevented http-01.

CAA records to require specific validation methods have been created,
but Let's Encrypt hasn't enabled them.

example.com.  CAA  0 issue "letsencrypt.org; validationmethods=dns-01"

They're waiting for the CAA specification to be updated to clarify the
syntax for specifying multiple options.

You can actually play with it in the Let's Encrypt staging environment.

Matt Nordhoff

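Added example, not part of the thread above and not Let's Encrypt's or any CA's code: a small CAA policy evaluator that shows what a record like the one quoted above actually restricts. It applies the RFC 8659 tree climb to find the relevant RRset, honours the critical flag, checks the issuer domain in `issue`/`issuewild`, and then enforces the `validationmethods` parameter. The multi-method syntax (a colon-separated list such as `dns-01:http-01`) is the form RFC 8657 later standardized, which is the clarification this message says Let's Encrypt was waiting for; the zone data is constructed.

```python
"""Evaluate CAA issue/issuewild policy, including the RFC 8657
validationmethods parameter, against a constructed zone.

Added example: not from the mailing-list thread, Let's Encrypt, or any
CA's code. The colon-separated multi-method syntax follows RFC 8657,
which was finalized after this message was written.
"""
import re
from dataclasses import dataclass


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str


# Presentation format: CAA <flags> <tag> "<value>"
CAA_RE = re.compile(r'^CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"\s*$')
FLAG_CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone data: owner name -> CAA RRs in presentation format.
SAMPLE_ZONE = {
    "example.com.": [
        'CAA 0 issue "letsencrypt.org; validationmethods=dns-01"',
    ],
    "example.net.": [
        'CAA 0 issue "letsencrypt.org; validationmethods=dns-01:http-01"',
        'CAA 0 issuewild ";"',  # empty issuer: no wildcard issuance at all
    ],
    "example.org.": [
        'CAA 128 futuretag "something"',  # critical flag on an unknown tag
    ],
}


def parse_caa(line):
    """Parse one presentation-format CAA record."""
    m = CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return CAARecord(int(m.group(1)), m.group(2).lower(), m.group(3))


def parse_issue_value(value):
    """Split an issue/issuewild value into (issuer_domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return issuer, params


def relevant_rrset(zone, name):
    """RFC 8659 climb: the closest ancestor (name itself first) with CAA RRs."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner):
            return [parse_caa(r) for r in zone[owner]]
    return []


def issuance_allowed(zone, name, ca, method, wildcard=False):
    """Return True if `ca` may issue for `name` using ACME method `method`."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True  # no CAA anywhere up the tree: unrestricted
    # A critical flag on a tag we do not understand means we must refuse.
    if any(r.flags & FLAG_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    props = [r for r in rrset if r.tag == tag]
    if not props:
        return True  # CAA present, but no issue/issuewild restriction
    for r in props:
        issuer, params = parse_issue_value(r.value)
        if issuer != ca.lower():
            continue
        methods = params.get("validationmethods")
        # RFC 8657: if validationmethods is present, only the listed
        # methods authorize issuance under this property.
        if methods is None or method in methods.split(":"):
            return True
    return False


if __name__ == "__main__":
    for host, m in [("www.example.com.", "dns-01"), ("www.example.com.", "http-01")]:
        print(host, m, issuance_allowed(SAMPLE_ZONE, host, "letsencrypt.org", m))
```

With the quoted `example.com.` record, a dns-01 request from letsencrypt.org is permitted and an http-01 request is refused, which is exactly the restriction Tony asked for; `www.example.com.` inherits the same policy through the tree climb, and a name with no CAA records at all remains unrestricted.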