Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: CAA records  (Read 1589 times)

maleks

  • Newbie
  • Posts: 1
CAA records
« on: December 22, 2015, 03:56:12 PM »

Hello HE!

I would like to see support for adding CAA records if that is possible:
DNS Certification Authority Authorization (CAA) uses the Internet's Domain Name System to specify which Certificate Authorities may be regarded as authoritative for a domain. This is intended to support additional cross-checking at the client end of TLS connections to attempt to prevent certificates issued by CAs other than the specified CAs from being used to spoof the identity of websites or perform man-in-the-middle attacks on them.

https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization

Thanks ;)
Logged

chaz6

  • Newbie
  • Posts: 10
Re: CAA records
« Reply #1 on: December 31, 2015, 07:45:16 AM »

I support this change.
Logged

passport123

  • Newbie
  • Posts: 32
Re: CAA records
« Reply #2 on: December 31, 2015, 12:17:21 PM »


I like this cross-check concept.  I am already doing a similar thing for two of my domains using TLSA records.
Logged

notzac

  • Newbie
  • Posts: 1
Re: CAA records
« Reply #3 on: January 06, 2016, 10:40:56 PM »

I'd love to be able to set CAA records for my domains as well!
Logged

kcochran

  • Sr. Network Engineer, Hurricane Electric
  • Administrator
  • Sr. Member
  • Posts: 395
Re: CAA records
« Reply #4 on: January 07, 2016, 07:34:54 AM »

Not currently supported by the backend, and their roadmap doesn't have it as a high priority.

CAA records, while noted as a possible cross-check on wikipedia, seem to not be headed that way based on the feature requests for FF and Chrome.  The use case for CAA records seems to have focused on CAs being the consumer of the record prior to cert issuance (and mandating use of them when available as part of the requirements to remain in the root cert store on those browsers), and then any DNS-based cert verification on the client-side would be handled by DANE.
Logged
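The opening post describes what a CAA record says, and the reply above describes who actually consumes it: the CA, at issuance time, by climbing the DNS tree from the requested name. The following is an added example (not code from this thread or from Hurricane Electric) that implements that CA-side check in Python over a constructed zone in BIND presentation format, following the RFC 8659 rules (the successor to RFC 6844, which was current when this thread was written): the first owner name up the tree that has a CAA RRset is the relevant one, `issue` restricts ordinary names, `issuewild` overrides `issue` for wildcard requests when present, an empty issuer (`";"`) authorizes nobody, a record with only `iodef` restricts nothing, and a critical-flagged record with an unknown tag forbids issuance. The owner names and CA identifiers (`ca-one.example`, `ca-two.example`) are placeholders, and no DNS query is made.

```python
"""CAA issuance check with RFC 8659 semantics, run over a constructed zone.

Added example, not code from the thread or from Hurricane Electric.
The zone text below is constructed; owner names and CA identifiers
("ca-one.example", "ca-two.example") are placeholders, not real data.
"""
import re

# Constructed sample zone in BIND presentation format (not real DNS data).
ZONE = """
example.com.         3600 IN CAA 0   issue      "ca-one.example; validationmethods=dns-01"
example.com.         3600 IN CAA 0   issuewild  ";"
example.com.         3600 IN CAA 0   iodef      "mailto:security@example.com"
shop.example.com.    3600 IN CAA 0   issue      "ca-two.example"
mail.example.com.    3600 IN CAA 0   iodef      "mailto:security@example.com"
legacy.example.com.  3600 IN CAA 128 future-tag "opaque"
"""

CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+\d+\s+IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"$'
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag: bit 0 of the flags octet, 128 in presentation format


def parse_zone(text):
    """Return {owner: [(flags, tag, value), ...]} built from the CAA lines."""
    rrsets = {}
    for line in text.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError("unparsable CAA line: %r" % line)
        owner = m.group("name").rstrip(".").lower()
        rrsets.setdefault(owner, []).append(
            (int(m.group("flags")), m.group("tag").lower(), m.group("value"))
        )
    return rrsets


def relevant_caa_set(rrsets, fqdn):
    """Climb from the FQDN toward the root; the first owner that has a CAA
    RRset is the relevant one (RFC 8659 section 3). Returns (owner, rrs)
    or (None, []) when nothing up the tree publishes CAA."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in rrsets:
            return owner, rrsets[owner]
    return None, []


def issuer_domain(value):
    """Domain part of an issue/issuewild value, before any ';' parameters.
    An empty result (value ";") means no CA is authorized."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(rrsets, name, ca_id):
    """True if the CA identified by ca_id may issue for name.
    A name starting with '*.' is a wildcard request for the rest of the name."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    _, rrs = relevant_caa_set(rrsets, fqdn)
    if not rrs:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # A critical property whose tag the CA does not understand forbids issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrs):
        return False
    issue = [issuer_domain(v) for _, t, v in rrs if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in rrs if t == "issuewild"]
    # For wildcard requests, issuewild (when present) replaces issue entirely;
    # for ordinary names, issuewild is ignored.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # e.g. only iodef published: nothing restricts issuance
    return ca_id.lower() in applicable


if __name__ == "__main__":
    zone = parse_zone(ZONE)
    for req, ca in [("www.example.com", "ca-one.example"),
                    ("*.example.com", "ca-one.example"),
                    ("shop.example.com", "ca-one.example"),
                    ("legacy.example.com", "ca-one.example")]:
        print(req, ca, "->", "allowed" if ca_may_issue(zone, req, ca) else "refused")
```

The tree climb is what makes the record useful for a hosted zone: a single CAA RRset at the apex covers every subdomain that does not publish its own, and a subdomain that does publish one (`shop.example.com` above) replaces the parent's policy rather than merging with it. A real CA does the lookups over DNS, ideally with DNSSEC validation, and also has to handle CNAME chains and lookup failures as the RFC and its own CP/CPS describe; none of that is modelled here.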

HQuest

  • Newbie
  • Posts: 10
Re: CAA records
« Reply #5 on: June 26, 2016, 04:35:57 PM »

Well, we now have BIND and NSD supporting CAA. And Let's Encrypt is getting some pace...
Logged

HQuest

  • Newbie
  • Posts: 10
Re: CAA records
« Reply #6 on: March 22, 2017, 07:21:02 PM »

A few months have passed, many places are relying on/verifying DANE entries, and is it still out of scope for the HE DNS servers?

Sorry to "resurrect" a topic - making a new one for this year-old question would have a lesser effect. After all, this one has, uh, history.
Logged