I think that we have a problem in Internet security generally similar to that 
of 802.11b vs WiFi. There is a specification but implementations of the 
specification vary and are not always up to date.

Perhaps we could create a checklist for various parties for implementing 
PKI-2017 or whatever, giving concrete steps for what has to be implemented.

> On Sep 22, 2016, at 5:02 PM, Ryan Sleevi <sle...@google.com> wrote:
> On Thu, Sep 22, 2016 at 9:55 AM, Erwann Abalea <erwann.aba...@docusign.com> wrote:
> > We also need more support from DNS servers.
>
> I think we'll constantly be in this chicken-and-egg problem until the CA/B 
> Forum takes action.
> Customers don't receive value in CAA until (all) CAs are obligated to check & 
> respect it. However, if we get there, it becomes a vital and valuable 
> security feature.
>
> > For my domains, I host everything on the « Cloud », and register my domain 
> > names on Gandi, who is also my DNS service, with a nice web UI.
> > I wanted to add a CAA record for testing, but Gandi doesn’t support that. 
> > Amazon Route 53 doesn’t either. I looked for some documentation about 
> > Cloudflare DNS, dyn.com Managed DNS, GoDaddy, Microsoft 
> > Azure, EasyDNS, none of them seem to support CAA.
>
> That's unfortunate, but luckily we've got members in both Microsoft and 
> GoDaddy who might be able to poke their product teams, and we know CloudFlare 
> is generally responsive to security feature improvements.
>
> > The only positive finding is that Google Cloud DNS supports CAA records with 
> > an easy to use UI.
>
> I'll be sure to pass this on to the team that implemented this =)
>
> > The fact that we still have to use « -t TYPE257 » on dig or host command or 
> > the equivalent « set type=TYPE257 » on nslookup to manually perform this 
> > query is not encouraging.
>
> Encouraging in what sense? There's naturally an ecosystem issue, but the need 
> to use -t TYPE257 on older versions of dig/host doesn't preclude you from 
> taking advantage of the security benefits, if CAs were willing or required to 
> respect it.
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
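
The quoted exchange mentions querying CAA as « -t TYPE257 » on older dig/host. Those tools print the answer in RFC 3597 generic form (`\# <length> <hex>`), which the sketch below decodes into the CAA fields of RFC 6844; it is an added example, not part of the thread, and the function name `parse_generic_caa` and the sample record are constructed for illustration.

```python
import re

# Constructed sample of an answer line from `dig -t TYPE257 example.com` on a
# dig build without native CAA support. The record contents are made up.
SAMPLE = (r"example.com. 3600 IN TYPE257 "
          r"\# 21 00056973737565 63612E6578616D706C652E6E6574")

# RFC 3597 generic RDATA: "\#", a decimal byte count, then hex in any chunking.
GENERIC = re.compile(r"\\#\s+(\d+)((?:\s+[0-9A-Fa-f]+)*)")


def parse_generic_caa(line):
    """Decode generic TYPE257 RDATA into CAA fields (hypothetical helper)."""
    m = GENERIC.search(line)
    if not m:
        raise ValueError("no RFC 3597 generic RDATA found")
    declared = int(m.group(1))
    rdata = bytes.fromhex("".join(m.group(2).split()))
    if len(rdata) != declared:
        raise ValueError(f"declared {declared} bytes, got {len(rdata)}")
    if len(rdata) < 2:
        raise ValueError("RDATA too short for a CAA record")
    # CAA wire format: 1 byte flags, 1 byte tag length, tag, then the value.
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("tag length is zero or runs past the RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("tag must be ASCII letters and digits")
    value = rdata[2 + tag_len:].decode("utf-8", errors="replace")
    return {
        # Bit 0 (value 128) is the issuer-critical flag.
        "critical": bool(flags & 0x80),
        "tag": tag.lower(),
        "value": value,
    }


if __name__ == "__main__":
    print(parse_generic_caa(SAMPLE))
```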
