AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

CAA and HPKP records generation #2997

Closed ammnt closed 3 years ago

ammnt commented 3 years ago

Hello,

Please consider adding CAA and HPKP records generation. It may be worth adding TLSA, CERT, HTTPS, SVCB etc. to this section as well.

You may also be able to combine this request with this one: https://github.com/AdguardTeam/AdGuardHome/issues/1862

Thank you. Cheers😜

ameshkov commented 3 years ago

HPKP is dead (thank god it is). CAA -- I am not sure what it is. HTTPS, SVCB -- you can use $dnsrewrite for those.

ammnt commented 3 years ago

> CAA -- I am not sure what it is.

DNS Certification Authority Authorization. "CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain." P.S.: I'm talking about setting up the server itself to improve its security level. Not the dnsrewrite function😅

ameshkov commented 3 years ago

I am not entirely sure what we can do with this CAA record on AdGuard Home side, it's up to you to set it up for your domain name.

ghost commented 3 years ago

> I am not entirely sure what we can do with this CAA record on AdGuard Home side, it's up to you to set it up for your domain name.

Maybe, since it's generated, a less technical guy would just have to copy it into his domain hosting provider (like Apple does for their news custom domain support).

ameshkov commented 3 years ago

Still, I don't fully understand who needs that. CAA records aren't used in the process of certificate validation:

RFC 6844:

> Relying Applications MUST NOT use CAA records as part of certificate validation

It'd probably be better to close this feature request since there's nothing we can do.

sliterok commented 2 years ago

@ameshkov could you please investigate the behaviour in the mentioned issue? I'm using AdGuardHome as NS and it would be really great to have CAA and TXT records so it could be used with Let's Encrypt to make SSL certificates.

ameshkov commented 2 years ago

> I'm using AdGuardHome as NS

Huh, tbh, this is not what we kept in mind when developing AdGuard Home.

@sliterok for TXT you definitely can use $dnsrewrite: https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#dnsrewrite

sliterok commented 2 years ago

> @sliterok for TXT you definitely can use $dnsrewrite: https://github.com/AdguardTeam/AdGuardHome/wiki/Hosts-Blocklists#dnsrewrite

Oh, thank you, that definitely works out!
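
The CAA records discussed in this thread, generated for a sample domain as an added example (not part of the thread and not AdGuard Home code): it builds the records in zone-file form and in RFC 3597 generic form for pasting into a DNS hosting provider. The domain, the contact address, the TTL and all function names are assumptions; `letsencrypt.org` is the CA identifier Let's Encrypt uses in CAA records.

```python
import re

CAA_TYPE = 257      # RR type number assigned to CAA
CRITICAL = 0x80     # "issuer critical" flag (most significant bit of the flags octet)

def caa_rdata(tag: str, value: str, critical: bool = False) -> bytes:
    """Wire-format RDATA: flags octet, tag length octet, tag, value."""
    if not re.fullmatch(r"[A-Za-z0-9]{1,255}", tag):
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    tag_bytes = tag.lower().encode("ascii")
    flags = CRITICAL if critical else 0
    return bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("ascii")

def parse_caa_rdata(rdata: bytes):
    """Inverse of caa_rdata(); returns (critical, tag, value)."""
    if len(rdata) < 2 or rdata[1] == 0 or len(rdata) < 2 + rdata[1]:
        raise ValueError("truncated or malformed CAA RDATA")
    end = 2 + rdata[1]
    return bool(rdata[0] & CRITICAL), rdata[2:end].decode("ascii"), rdata[end:].decode("ascii")

def zone_line(name, tag, value, critical=False, ttl=3600):
    """Presentation format for DNS hosts that know the CAA type."""
    caa_rdata(tag, value, critical)  # validate before printing
    quoted = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{name} {ttl} IN CAA {CRITICAL if critical else 0} {tag.lower()} "{quoted}"'

def generic_line(name, tag, value, critical=False, ttl=3600):
    """RFC 3597 unknown-type syntax for DNS hosts without native CAA support."""
    rd = caa_rdata(tag, value, critical)
    return f"{name} {ttl} IN TYPE{CAA_TYPE} \\# {len(rd)} {rd.hex().upper()}"

def policy(name, issuers, allow_wildcards=False, report_to=None):
    """Records that restrict issuance for `name` to the listed CA identifiers."""
    records = [("issue", ca) for ca in issuers] or [("issue", ";")]
    if not allow_wildcards:
        records.append(("issuewild", ";"))   # ";" means no CA may issue
    if report_to:
        records.append(("iodef", f"mailto:{report_to}"))
    return [zone_line(name, tag, value) for tag, value in records]

if __name__ == "__main__":
    # Constructed sample: example.com. allowing only Let's Encrypt
    for line in policy("example.com.", ["letsencrypt.org"], report_to="security@example.com"):
        print(line)
    print(generic_line("example.com.", "issue", "letsencrypt.org"))
```

The CA checks these records at issuance time; as the RFC quote above says, clients validating a certificate do not consult them.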