I think that we have a problem in Internet security generally similar to that of 802.11b vs WiFi. There is a specification but implementations of the specification vary and are not always up to date.
Perhaps we could create a checklist for various parties for implementing PKI-2017 or whatever, giving concrete steps for what has to be implemented.

> On Sep 22, 2016, at 5:02 PM, Ryan Sleevi <sle...@google.com> wrote:
>
> On Thu, Sep 22, 2016 at 9:55 AM, Erwann Abalea <erwann.aba...@docusign.com> wrote:
> > We also need more support from DNS servers.
>
> I think we'll constantly be in this chicken-and-egg problem until the CA/B Forum takes action.
>
> Customers don't receive value in CAA until (all) CAs are obligated to check & respect it. However, if we get there, it becomes a vital and valuable security feature.
>
> > For my domains, I host everything on the « Cloud », and register my domain names on Gandi, who is also my DNS service, with a nice web UI.
> > I wanted to add a CAA record for testing, but Gandi doesn’t support that. Amazon Route 53 doesn’t either. I looked for some documentation about Cloudflare DNS, dyn.com Managed DNS, GoDaddy, Microsoft Azure, EasyDNS; none of them seem to support CAA.
>
> That's unfortunate, but luckily we've got members in both Microsoft and GoDaddy who might be able to poke their product teams, and we know CloudFlare is generally responsive to security feature improvements.
>
> > The only positive finding is that Google Cloud DNS supports CAA records with an easy-to-use UI.
>
> I'll be sure to pass this on to the team that implemented this =)
>
> > The fact that we still have to use « -t TYPE257 » on the dig or host command, or the equivalent « set type=TYPE257 » on nslookup, to manually perform this query is not encouraging.
>
> Encouraging in what sense? There's naturally an ecosystem issue, but the need to use -t TYPE257 on older versions of dig/host doesn't preclude you from taking advantage of the security benefits, if CAs were willing or required to respect it.
_______________________________________________ Public mailing list Public@cabforum.org https://cabforum.org/mailman/listinfo/public
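The thread above turns on two practical points: older dig/host builds only know the record as TYPE257 and print its RDATA in the RFC 3597 generic "\# <len> <hex>" form, and the record is only worth anything if the CA actually applies the RFC 6844 issue/issuewild rules to it. The following is an added example, not code from the thread or from any CA or DNS vendor: it decodes CAA RDATA from either dig output format (the generic TYPE257 form and the "0 issue \"...\"" presentation form), then applies the RFC 6844 authorization rules the way a CA's pre-issuance check would. The zone data, hostnames and issuer domains in it are constructed for illustration; the parsing and the decision logic are the general RFC 6844 procedure, not something specific to those names.

```python
"""CAA record parsing and issuer-authorization check (RFC 6844 semantics).

Added example, not part of the mailing-list thread. Handles the RFC 3597
generic "\\# <len> <hex>" RDATA that older dig/host print for TYPE257 as
well as the presentation form printed by dig builds that know CAA.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # RFC 6844 section 5.1: bit 0x80 is "issuer critical"
    tag: str     # "issue", "issuewild", "iodef", ... (lower-cased)
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)


def parse_caa_wire(rdata: bytes) -> CAARecord:
    """Decode RDATA: flags (1 octet) | tag length (1 octet) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than 2 octets")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA tag length out of range")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not (tag.isascii() and tag.isalnum()):
        raise ValueError("CAA tag must be ASCII alphanumeric")
    return CAARecord(flags, tag.lower(), rdata[2 + tag_len:].decode("utf-8"))


# RFC 3597 generic form from older dig/host ("\# <length> <hex, whitespace ok>")
_GENERIC = re.compile(r"\\#\s+(\d+)\s*((?:[0-9A-Fa-f]{2}\s*)*)$")
# Presentation form from dig that knows CAA ('<flags> <tag> "<value>"')
_PRESENT = re.compile(r'(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"\s*$')


def parse_caa_rdata_text(text: str) -> CAARecord:
    """Parse one record's RDATA as dig prints it, in either format."""
    text = text.strip()
    m = _GENERIC.match(text)
    if m:
        raw = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
        if len(raw) != int(m.group(1)):
            raise ValueError("generic RDATA length field does not match data")
        return parse_caa_wire(raw)
    m = _PRESENT.match(text)
    if m:
        value = re.sub(r"\\(.)", r"\1", m.group(3))  # undo \" and \\ escapes
        return CAARecord(int(m.group(1)), m.group(2).lower(), value)
    raise ValueError(f"unrecognised CAA RDATA: {text!r}")


def parse_dig_answer(output: str) -> list[CAARecord]:
    """Pull CAA records out of dig answer lines (owner TTL class type RDATA)."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # blank, comment, section header
            continue
        fields = line.split(None, 4)
        if len(fields) == 5 and fields[3].upper() in ("CAA", "TYPE257"):
            records.append(parse_caa_rdata_text(fields[4]))
    return records


def ca_authorized(records: list[CAARecord], issuer_domain: str,
                  wildcard: bool = False) -> tuple[bool, str]:
    """RFC 6844 section 4/5 decision for the relevant CAA RRset.

    `records` is the RRset the CA found (after climbing towards the root);
    `issuer_domain` is the CA's own issuer-domain-name.
    """
    for r in records:   # a critical property the CA does not understand blocks issuance
        if r.critical and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical property '{r.tag}' not understood"
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue does,
    # and issuewild is ignored entirely for non-wildcard requests.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, "no issue/issuewild property restricts issuance"
    want = issuer_domain.strip().lower()
    for r in relevant:
        # value is "<issuer-domain> [; name=value ...]"; an empty domain
        # (a value of just ";") authorizes nobody.
        domain = r.value.split(";", 1)[0].strip().lower()
        if domain and domain == want:
            return True, f"matched {r.tag} {r.value!r}"
    return False, "no issue/issuewild property names this CA"


# Constructed dig output, not captured from a real zone.
SAMPLE_NEW_DIG = """\
;; ANSWER SECTION:
example.com.  3600  IN  CAA  0 issue "letsencrypt.org"
example.com.  3600  IN  CAA  0 issuewild ";"
example.com.  3600  IN  CAA  0 iodef "mailto:security@example.com"
"""
# The first record as an older dig prints it for TYPE257:
# 00 = flags, 05 = tag length, 6973737565 = "issue", rest = "letsencrypt.org"
SAMPLE_OLD_DIG = r"""
example.com.  3600  IN  TYPE257  \# 22 00056973 7375656C 65747365 6E637279 70742E6F 7267
"""

if __name__ == "__main__":
    recs = parse_dig_answer(SAMPLE_NEW_DIG)
    for ca, wild in (("letsencrypt.org", False), ("digicert.com", False),
                     ("letsencrypt.org", True)):
        ok, why = ca_authorized(recs, ca, wildcard=wild)
        print(f"{'*.' if wild else ''}example.com by {ca}: {ok} ({why})")
    print(parse_dig_answer(SAMPLE_OLD_DIG))
```

To feed it live data instead of the constructed samples, capture `dig +noall +answer CAA example.com` on a dig that knows the type name, or `dig +noall +answer TYPE257 example.com` on an older one, and pass the text to parse_dig_answer; both produce the same CAARecord objects. The check does not do the RFC 6844 tree climb (querying the parent labels until an RRset is found) or follow CNAMEs; a real CA check wraps this decision function around that lookup.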