One suggestion for anyone concerned about this weakness. You can use the CAA record to pin the domain to a specific certificate authority, issuance method, and account. This is imperfect, as CAA record validation (edit: of CAA extensions) is not mandatory yet. But by March 2027 all the CAs are supposed to have support.
Sprinkle some DNSSEC on the CAA record too, if you'd like.
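For readers who want to see what the pinning described above looks like in practice, here is an added example (not code from any commenter, and not a CA's implementation) that evaluates a CAA RRset the way RFC 8659 describes it, including the RFC 8657 `accounturi` and `validationmethods` parameters that pin issuance to an account and an issuance method. The zone contents, the CA identifier `ca.example`, the account URI and the hostnames are constructed for illustration.

```python
"""Evaluate CAA authorization (RFC 8659) with RFC 8657 account/method pinning.

All zone data below is constructed for this example; `ca.example`, the
account URI and the hostnames are assumptions, not real identifiers.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128                      # flags bit 7: CA must understand the tag
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 or ISSUER_CRITICAL
    tag: str     # property tag, compared case-insensitively
    value: str   # property value as it would appear in the zone file


# Constructed zone: one CAA RRset at the apex, none on the subdomains.
# Equivalent zone-file lines would be, e.g.:
#   example.com. CAA 0 issue "ca.example; accounturi=https://ca.example/acct/1234; validationmethods=dns-01"
#   example.com. CAA 0 issuewild ";"
#   example.com. CAA 0 iodef "mailto:security@example.com"
ZONE = {
    "example.com": [
        CAA(0, "issue",
            "ca.example; accounturi=https://ca.example/acct/1234; validationmethods=dns-01"),
        CAA(0, "issuewild", ";"),                      # ";" forbids all wildcard issuance
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
}


def relevant_rrset(domain, zone=ZONE):
    """RFC 8659 section 3: the first non-empty CAA RRset found walking from the
    requested name up toward the root is the Relevant RRset."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def parse_issue_value(value):
    """Split 'issuer-domain; key=value; key=value' into (issuer, params)."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def record_matches(rec, ca_id, account_uri, method):
    """Does one issue/issuewild record authorize this CA, account and method?"""
    issuer, params = parse_issue_value(rec.value)
    if issuer == "" or issuer != ca_id.lower():
        return False                        # empty issuer (";") is an explicit prohibition
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False                        # pinned to a different ACME account
    if "validationmethods" in params:
        allowed = [m.strip().lower() for m in params["validationmethods"].split(",")]
        if method is None or method.lower() not in allowed:
            return False                    # pinned to other validation methods
    return True


def caa_permits(domain, ca_id, account_uri=None, method=None, zone=ZONE):
    """Return True if `ca_id` may issue for `domain` under the Relevant RRset."""
    wildcard = domain.startswith("*.")
    rrset = relevant_rrset(domain[2:] if wildcard else domain, zone)
    if not rrset:
        return True                         # no CAA anywhere up the tree: unrestricted
    # A critical record with an unknown tag must cause refusal.
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    tags = {r.tag.lower() for r in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    records = [r for r in rrset if r.tag.lower() == tag]
    if not records:
        return True                         # no applicable issue/issuewild records: unrestricted
    return any(record_matches(r, ca_id, account_uri, method) for r in records)


if __name__ == "__main__":
    acct = "https://ca.example/acct/1234"
    checks = [
        ("www.example.com", "ca.example", acct, "dns-01"),   # pinned CA, account, method
        ("www.example.com", "ca.example", acct, "http-01"),  # wrong method
        ("www.example.com", "ca.example", "https://ca.example/acct/9999", "dns-01"),
        ("www.example.com", "other-ca.example", None, None),
        ("*.example.com", "ca.example", acct, "dns-01"),     # issuewild ";" blocks it
    ]
    for args in checks:
        print(args, "->", "permit" if caa_permits(*args) else "refuse")
```

The walk in `relevant_rrset` is why a record at the apex protects every name beneath it unless a closer name carries its own CAA RRset, and the `accounturi` check is what turns "pin to a CA" into "pin to my account at that CA", so a second customer of the same CA cannot satisfy the record.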
> This is imperfect, as CAA record validation is not mandatory yet. But by March 2027 all the CAs are supposed to have support.
Is that true? My read of Section 1.2.1 in [1] suggests CAA checking has been mandatory since 2017‐09‐08.
[1] https://cabforum.org/working-groups/server/baseline-requirem...
Just be careful, if you host your DNS at Cloudflare (maybe others?), they will rewrite your CAA record[0] if you use TLS with them. This is in the name of convenience but it was surprising when I first learned.
[0]: https://developers.cloudflare.com/ssl/edge-certificates/caa-...