Page MenuHomeDevCentral
Create Task
Maniphest T1928

Serve CAA DNS records
Closed, ResolvedPublic
Actions

Description

In addition to T1228 nginx configuration, we need to take care of CAA records
to document what authorities are allowed to generate certificates for our domains.

For public resources, it's for example currently only Let's Encrypt,
we don't use StartCom CA anymore.

If we use wildcard certificates, a explicit issuewild record must also be added.

nasqueron.org.  CAA 0 issue "letsencrypt.org"
nasqueron.org.  CAA 0 issuewild "letsencrypt.org"

Related Objects

Event Timeline

dereckson created this task.Dec 17 2023, 14:03
dereckson triaged this task as High priority.Aug 4 2024, 17:37
dereckson claimed this task.Aug 4 2024, 17:43

We use a wildcard certificate, so issuewild is needed, yes.

dereckson closed this task as Resolved.Aug 4 2024, 17:45

Both are already set in DNS:

nasqueron.org.	300	IN	CAA	0 issue letsencrypt.org
nasqueron.org.	172800	IN	CAA	0 issuewild letsencrypt.org
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator