
Serve CAA DNS records
Closed, Resolved (Public)

Description

In addition to T1228 nginx configuration, we need to take care of CAA records
to document what authorities are allowed to generate certificates for our domains.

For public resources, for example, it's currently only Let's Encrypt;
we don't use StartCom CA anymore.

If we use wildcard certificates, an explicit issuewild record must also be added.

nasqueron.org.  CAA 0 issue "letsencrypt.org"
nasqueron.org.  CAA 0 issuewild "letsencrypt.org"
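A way to check what these records actually permit, as an added example that is not part of the task or of Nasqueron's tooling: it parses records in dig's presentation format (the two records above, embedded as constructed sample data, plus a few constructed variants in the comments) and applies the RFC 8659 rules, climbing from the requested name toward the root to find the relevant CAA set and letting issuewild override issue for wildcard names. It queries no DNS; point `parse_caa` at real `dig CAA` output to check a live zone.

```python
# Added example (not from the task or Nasqueron's tooling): evaluate whether a
# CA may issue for a name under CAA, following RFC 8659 relevance rules.
# The zone data below is constructed in `dig` presentation format; no DNS is queried.

SAMPLE_CAA = """
nasqueron.org.  300     IN  CAA  0 issue letsencrypt.org
nasqueron.org.  172800  IN  CAA  0 issuewild letsencrypt.org
"""

def parse_caa(text):
    """Parse dig-style CAA lines into {owner: [(flags, tag, value), ...]}."""
    zone = {}
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rrtype, flags, tag, value = line.split(None, 6)
        if rrtype.upper() != "CAA":
            continue
        key = owner.lower().rstrip(".")
        zone.setdefault(key, []).append((int(flags), tag.lower(), value.strip().strip('"')))
    return zone

def relevant_caa(zone, name):
    """RFC 8659 section 3: drop a leading '*.', then climb toward the root;
    the first owner name that has a CAA RRset is the relevant set."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuance_allowed(zone, name, ca_domain):
    """Return (allowed, reason) for ca_domain issuing a certificate for name.
    Wildcard names use issuewild when present, otherwise fall back to issue."""
    rrset = relevant_caa(zone, name)
    if not rrset:
        return True, "no CAA records found in the tree: issuance is not restricted"
    wildcard = name.startswith("*.")
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    # Keep only the issuer-domain-name part; parameters after ';' are ignored here.
    issuers = [v.split(";", 1)[0].strip() for _, t, v in rrset if t == tag]
    if not issuers:
        return True, f"no {tag} property in the relevant set: issuance is not restricted"
    # A bare ";" value is an explicit 'no issuer' entry and matches nobody.
    if ca_domain.lower() in (i.lower() for i in issuers if i):
        return True, f"{ca_domain} is listed under {tag}"
    return False, f"{ca_domain} is not listed under {tag} (allowed: {issuers})"

if __name__ == "__main__":
    zone = parse_caa(SAMPLE_CAA)
    for n in ("www.nasqueron.org", "*.nasqueron.org"):
        print(n, issuance_allowed(zone, n, "letsencrypt.org"))
```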

Event Timeline

dereckson triaged this task as High priority. Aug 4 2024, 17:37

We use a wildcard certificate, so issuewild is needed, yes.

Both are already set in DNS:

nasqueron.org.	300	IN	CAA	0 issue letsencrypt.org
nasqueron.org.	172800	IN	CAA	0 issuewild letsencrypt.org