phpmyadmin/website

Add CAA DNS Record for PMA websites when possible

Closed this issue · 3 comments

A CAA DNS record is used to specify which CA is allowed to generate certificates for a domain. More information:
https://sslmate.com/labs/caa/

fix:
Add a CAA record if possible (the DNS provider supports it) and the target CA supports it as well (Let's Encrypt has support: https://community.letsencrypt.org/t/caa-setup-for-lets-encrypt/9893)

nijel commented

Gandi does not support it right now. But still, it doesn't matter whether you use a CA supporting this; as long as there is a single CA not supporting CAA, the benefit of having it is not really that big.

> But still, it doesn't matter whether you use a CA supporting this; as long as there is a single CA not supporting CAA, the benefit of having it is not really that big.

It mitigates many external attacks (an attacker exploits a CA process to create certs which will fail CAA checks).
Sure, it doesn't help against a malicious/totally compromised CA.

I don't follow the CAB discussions, but it looks like they are planning to make the checking mandatory for all CAs, see:
"[cabfpub] Start of Review Period for Ballot 187 - Make CAA Checking Mandatory"
https://cabforum.org/pipermail/public/2017-March/009989.html

nijel commented

As Gandi now supports this, I've just added the CAA records.
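
The check a CAA-conforming CA runs before issuing, as discussed in this thread, sketched as an added example that is not part of the original issue or the project's code. It follows RFC 8659 semantics; the `example.com`/`example.net` names, `other-ca.example`, the `ZONE` data and the function names are constructed for illustration, and `letsencrypt.org` is the issuer domain Let's Encrypt uses in CAA records.

```python
# Added example: evaluate CAA record sets the way an issuing CA must (RFC 8659).
# ZONE is constructed sample data in "<flags> <tag> <value>" presentation format.
ZONE = {
    "example.com": ['0 issue "letsencrypt.org"',
                    '0 iodef "mailto:security@example.com"'],
    "internal.example.com": ['0 issue ";"'],          # nobody may issue here
    "example.net": ['0 issue "letsencrypt.org"',
                    '0 issuewild ";"'],               # no wildcard certs at all
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []

def may_issue(name, ca_domain, zone=ZONE):
    """True if a CA identified by ca_domain may issue a certificate for name."""
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True   # no CAA on the name or any parent: any CA may issue
    # Critical bit (128) on a tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    props = issuewild if (name.startswith("*.") and issuewild) else issue
    if not props:
        return True   # only iodef or unknown non-critical tags: no restriction
    # Value is "<issuer-domain>[; parameters]"; an empty issuer authorizes no CA.
    allowed = {v.split(";")[0].strip().lower() for v in props}
    return ca_domain.lower() in allowed
```

The result only binds a CA that actually performs this check, which is the limitation raised in the first comment.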