Conversation

@gunnim gunnim commented Dec 14, 2025

The core impetus for this PR is to clarify what I saw as a missing step when creating your CAA records: the mapping from issuer name to issuer domain name. I am also hoping it might be useful to clarify where DNSSEC/CAA do not help.

vercel bot commented Dec 14, 2025

Someone is attempting to deploy a commit to the Security Alliance Team on Vercel.

A member of the Team first needs to authorize it.

@gunnim gunnim force-pushed the fix/dnssec-and-email--additions branch from 324a009 to d64f54a on December 14, 2025 18:38
@scode2277 (Collaborator) commented:
Thanks for the contribution @gunnim!

While the steward of the Domain and DNS Security, @Raiders0786, reviews the content added, I need to ask you to follow this guide about how to sign unverified commits as this PR can't be merged if all the commits are not verified. The guide assumes that the user following it has a signing key.

Thanks :)

@scode2277 scode2277 mentioned this pull request Dec 16, 2025
@gunnim gunnim force-pushed the fix/dnssec-and-email--additions branch from d64f54a to 54c36e6 on December 16, 2025 19:13
vercel bot commented Dec 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: frameworks | Deployment: Ready | Review: Preview, Comment | Updated (UTC): Dec 17, 2025 11:30am

@scode2277 scode2277 added the content:add This issue or PR adds content or suggests to label Dec 17, 2025
@mattaereal mattaereal (Collaborator) left a comment

I think the additions are useful! Can you just update the claim of the security issues? You can add the most prominent ones, in case you want to provide more information about them. The rest is a minor thing

Certificate Authority Authorization (CAA) records specify which Certificate Authorities (CAs) are allowed to issue SSL certificates for your domain. This prevents unauthorized certificate issuance, which attackers could use to create fake SSL certificates for your domain.

**How it protects you**: Without CAA records, any Certificate Authority can issue SSL certificates for your domain. Attackers could potentially obtain fake certificates and use them in sophisticated phishing attacks that appear to have valid SSL encryption.
With CAA records in place for a given domain, if a CA receives a certificate request for that domain it will deny that request, except in the event of a fully compromised CA (the last big CA security issue was Symantec around 2015).
Collaborator replied:

I think the biggest issue with a tool regarding CAs was CVE-2025-44005, this year

Author replied:

@mattaereal what I was attempting to highlight is when CAA records don't help. In your example and, e.g., for https://www.sans.org/newsletters/newsbites/xxvii-32 I think it's reasonable to assume that CAA would in fact help, as they were not fully compromised.

I've pushed a further clarification that I hope is more useful.
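A worked version of the CAA check discussed in this thread, added here as an example and not part of the PR's content or the Security Alliance frameworks: it models RFC 8659 evaluation against a constructed zone, matches a CA by its issuer domain name (the mapping the PR description calls out) rather than its marketing name, and shows the cases where a CAA record cannot restrict issuance (no CAA anywhere in the tree, or a CAA RRset that carries no issue/issuewild property). All zone names and records below are constructed.

```python
# Added example (not the PR's content): CAA evaluation modelled on RFC 8659.
# A CA is matched by its issuer domain name, i.e. the value of an
# "issue"/"issuewild" tag, not by the CA's brand name.

# Constructed zone: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "issuewild", ";")],           # ";" = no wildcard certs
    "legacy.example.com.": [(128, "futureuse", "x")],  # critical, unknown tag
    "open.example.net.": [(0, "iodef", "mailto:sec@example.net")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name):
    """Closest CAA RRset walking from the name toward the root (RFC 8659 s3)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return None


def issuer_domain(value):
    """'ca.example; validationmethods=dns-01' -> 'ca.example'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca_domain, wildcard=False):
    """True if the CA identified by ca_domain may issue a cert for name."""
    rrset = relevant_rrset(name)
    if rrset is None:                          # no CAA in the tree: unrestricted
        return True
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False                           # critical record we cannot process
    # For wildcard names issuewild takes precedence; otherwise issue applies.
    props = [r for r in rrset if r[1] == "issuewild"] if wildcard else []
    if not props:
        props = [r for r in rrset if r[1] == "issue"]
    if not props:                              # CAA present, but nothing restricts
        return True
    return ca_domain.lower() in {issuer_domain(v) for _, _, v in props}
```

Note that `may_issue` returning True only says the record set does not forbid issuance; a CA that ignores CAA or is itself compromised is outside what the record can control.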

@gunnim gunnim force-pushed the fix/dnssec-and-email--additions branch from f0a3ef7 to a146131 on December 18, 2025 14:59
@gunnim gunnim requested a review from mattaereal December 27, 2025 17:53
@Raiders0786 (Contributor) commented:

I've commented feedback and changes above—are you able to see them, @gunnim ?
