this post was submitted on 21 May 2024
96 points (92.1% liked)
Technology
59308 readers
5414 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I urge everybody to read up on CAA records in DNS and add them to your domains. They basically say what CA the certs for that domain are supposed to come from. Even if another CA issues valid certs for the domain they would be rejected if they don't match the CAA în DNS. It takes 5 minutes.
You can specify the valid CA in the form of its representative domain, for example to allow Let's Encrypt you'd add
0 issue "letsencrypt.org"
. If you want to allow multiple CA you add multiple CAA records. They enter into effect if at least one CAA record is present. You can also restrict the challenge type, for example0 issue "letsencrypt.org;validationmethods=dns-01"
.Please note that this is worth adding a CAA record even if you don't use your domain for HTTP and you don't issue any certs for it, because a rogue CA can do it for you. You can add a blank CAA record (
0 issue ";"
) which basically forbids any CA.(And yes, this also applies to email. It's worth adding restrictive records even if you don't use your domain for email.)
They mean CAA records:
https://developers.cloudflare.com/ssl/edge-certificates/caa-records/
Right, I'll fix it.