I think that we have a problem in Internet security generally similar to that
of 802.11b vs WiFi. There is a specification but implementations of the
specification vary and are not always up to date.
Perhaps we could create a checklist for various parties for implementing
PKI-2017 or whatever, giving concrete steps for what has to be implemented.
> On Sep 22, 2016, at 5:02 PM, Ryan Sleevi <sle...@google.com> wrote:
> On Thu, Sep 22, 2016 at 9:55 AM, Erwann Abalea <erwann.aba...@docusign.com> wrote:
>> We also need more support from DNS servers.
> I think we'll constantly be in this chicken-and-egg problem until the CA/B
> Forum takes action.
> Customers don't receive value in CAA until (all) CAs are obligated to check &
> respect it. However, if we get there, it becomes a vital and valuable
> security feature.
>> For my domains, I host everything on the « Cloud », and register my domain
>> names on Gandi, who is also my DNS service, with a nice web UI.
>> I wanted to add a CAA record for testing, but Gandi doesn’t support that.
>> Amazon Route 53 doesn’t either. I looked for some documentation about
>> Cloudflare DNS, dyn.com Managed DNS, GoDaddy, Microsoft Azure, EasyDNS;
>> none of them seem to support CAA.
> That's unfortunate, but luckily we've got members in both Microsoft and
> GoDaddy who might be able to poke their product teams, and we know CloudFlare
> is generally responsive to security feature improvements.
>> The only positive finding is that Google Cloud DNS supports CAA records with
>> an easy to use UI.
> I'll be sure to pass this on to the team that implemented this =)
>> The fact that we still have to use « -t TYPE257 » on dig or host command or
>> the equivalent « set type=TYPE257 » on nslookup to manually perform this
>> query is not encouraging.
> Encouraging in what sense? There's naturally an ecosystem issue, but the need
> to use -t TYPE257 on older versions of dig/host doesn't preclude you from
> taking advantage of the security benefits, if CAs were willing or required to
> respect it.
Public mailing list
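As an added illustration of the two technical points in the thread (it is not code from any participant, CA, or DNS provider), the script below decodes the RFC 3597 generic RDATA that older dig/host print for `-t TYPE257` into a CAA record (RFC 6844 section 5.1 wire layout: flags byte, tag length byte, tag, value) and then performs the issuance check that Ryan says CAs would need to be obligated to perform: climb from the requested name toward the root, take the first name with CAA records, honour `issue`/`issuewild`, and refuse on an unknown critical property. The zone data is a constructed in-memory dictionary, not a live lookup, and CNAME/DNAME following from RFC 6844 section 4 is deliberately omitted; the CA names are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumptions for this added example: wire format per RFC 6844 section 5.1,
# zone data supplied as a constructed dict (no DNS queries), no CNAME/DNAME
# following, CA issuer domains are illustrative placeholders.

CRITICAL_FLAG = 0x80                         # "issuer critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


def parse_wire(rdata: bytes) -> CAARecord:
    """Decode CAA RDATA: 1 byte flags, 1 byte tag length, tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than 2 bytes")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("invalid CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("utf-8")
    return CAARecord(flags, tag, value)


def parse_generic_rdata(text: str) -> CAARecord:
    """Parse the RFC 3597 generic form ('\\# <len> <hex...>') that older
    dig/host print for TYPE257 instead of a decoded CAA record."""
    m = re.fullmatch(r"\\#\s+(\d+)(?:\s+([0-9A-Fa-f\s]*))?", text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA")
    wire = bytes.fromhex("".join((m.group(2) or "").split()))
    if len(wire) != int(m.group(1)):
        raise ValueError("length prefix does not match hex payload")
    return parse_wire(wire)


def relevant_caa_set(zone: Dict[str, List[CAARecord]], fqdn: str) -> List[CAARecord]:
    """Climb from fqdn toward the root; the first name holding CAA records is
    the relevant set (RFC 6844 section 4, CNAME/DNAME handling omitted)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value: str) -> str:
    """'ca.example; validationmethods=dns-01' -> 'ca.example'.
    A bare ';' or empty value yields '' and so matches no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(zone: Dict[str, List[CAARecord]], fqdn: str,
                       ca_domain: str, wildcard: bool = False) -> bool:
    """The check a CA performs before issuing a certificate for fqdn."""
    records = relevant_caa_set(zone, fqdn)
    if not records:
        return True                          # no CAA anywhere in the chain
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False                         # critical property we can't honour
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"                    # issuewild overrides issue for wildcards
    candidates = [r for r in records if r.tag == tag]
    if not candidates:
        return True                          # e.g. only an iodef record present
    return any(issuer_domain(r.value) == ca_domain.lower() for r in candidates)


# Constructed sample zone (not real DNS data). The first record is exactly what
# an old dig would print for 'issue letsencrypt.org' when asked for TYPE257.
SAMPLE_ZONE = {
    "example.com": [
        parse_generic_rdata(r"\# 22 00056973 7375656C 65747365 6E637279 70742E6F 7267"),
        CAARecord(0, "issuewild", "wildcard-ca.example"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],
    "strict.example.com": [CAARecord(CRITICAL_FLAG, "futureproperty", "x")],
}

if __name__ == "__main__":
    print(SAMPLE_ZONE["example.com"][0])
    for name, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "other-ca.example", False),
                           ("*.example.com", "letsencrypt.org", True),
                           ("*.example.com", "wildcard-ca.example", True),
                           ("locked.example.com", "letsencrypt.org", False),
                           ("strict.example.com", "letsencrypt.org", False)]:
        print(f"{name:22} {ca:22} wildcard={wild!s:5} -> "
              f"{issuance_permitted(SAMPLE_ZONE, name, ca, wild)}")
```

Running it shows the climb in action: `www.example.com` has no records of its own, so `example.com` decides; the `issue ";"` on `locked.example.com` forbids every CA; and the critical unknown property on `strict.example.com` forces a refusal even though nothing names a CA.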