Add CAA DNS Record for PMA websites when possible
A CAA DNS record is used to specify which CA is allowed to generate certificates for a domain; more information:
https://sslmate.com/labs/caa/
fix:
Add a CAA record if possible (the DNS provider supports it) and the target CA supports it as well (Let's Encrypt has support: https://community.letsencrypt.org/t/caa-setup-for-lets-encrypt/9893)
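To show what a CAA record actually buys you, here is an added example (not code from the issue or the project) that simulates the check a CA performs before issuing, as described in RFC 8659: climb the DNS tree to the nearest CAA record set, then require the CA's domain to appear in the `issue` (or `issuewild`) values. The zone data, owner names and CA names are constructed for the example.

```python
# Added example: simplified CA-side CAA check over a constructed zone (no live DNS).
from typing import Optional

# Constructed CAA data: owner name -> list of (flags, tag, value).
# The site in this example wants only Let's Encrypt to issue, and no wildcard certs at all.
ZONE = {
    "example.org.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                     # ";" alone means "no CA may issue wildcards"
        (0, "iodef", "mailto:security@example.org"),  # where to report refused requests
    ],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128   # flag bit: an unknown tag with this bit set must block issuance


def nearest_caa_set(fqdn: str, zone: dict) -> tuple[Optional[str], list]:
    """Walk from fqdn towards the root; the first name holding CAA records is the relevant set."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return name, zone[name]
    return None, []


def ca_may_issue(fqdn: str, ca_domain: str, zone: dict, wildcard: bool = False) -> tuple[bool, str]:
    """Return (allowed, reason). No CAA anywhere in the chain means any CA may issue (CAA is opt-in)."""
    owner, records = nearest_caa_set(fqdn, zone)
    if owner is None:
        return True, f"no CAA records found for {fqdn}; issuance is not restricted"
    # A critical record the CA does not understand forbids issuance outright.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag not in KNOWN_TAGS:
            return False, f"{owner} has an unrecognised critical CAA tag '{tag}'"
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in records if t == tag]
    if wildcard and not relevant:                  # no issuewild: fall back to the issue set
        relevant = [v for _, t, v in records if t == "issue"]
    if not relevant:
        return True, f"{owner} has CAA records but no {tag} property; issuance is not restricted"
    for value in relevant:
        # The value is "<ca-domain>[; parameters]"; only the domain part is compared.
        domain = value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True, f"{owner} authorises {ca_domain} via {tag}"
    return False, f"{owner} {tag} set does not list {ca_domain}; CA must refuse"


if __name__ == "__main__":
    for host, ca, wild in [("www.example.org", "letsencrypt.org", False),
                           ("www.example.org", "other-ca.example", False),
                           ("example.org", "letsencrypt.org", True),
                           ("www.example.net", "letsencrypt.org", False)]:
        print(host, ca, "wildcard" if wild else "", ca_may_issue(host, ca, ZONE, wild))
```

The last case shows the limitation raised in the thread: a domain with no CAA record, or a CA that never runs this check, gets no protection from it.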
Gandi does not support it right now. But still, it doesn't matter whether you use a CA supporting this; as long as there is a single CA not supporting CAA, the benefit of having it is not really that big.
It mitigates many external attacks (an attacker exploiting the CA process to create certs, which will fail CAA checks).
Sure, it doesn't help against a malicious/totally compromised CA.
I don't follow the CAB discussions, but it looks like they are planning to make the checking mandatory for all CAs, see:
"[cabfpub] Start of Review Period for Ballot 187 - Make CAA Checking Mandatory"
https://cabforum.org/pipermail/public/2017-March/009989.html
As Gandi now supports this, I've just added the CAA records.