Open adborden opened 3 years ago
I opened RITM0816182 to create records for the static sites.
I opened RITM0816183 to create records for ssb.data.gov
I confirmed that none of these domains are in our SANS list, nothing to do here.
Moving this to blocked until we here from GSA DNS.
Oops, forgot the staging domains. Will create tickets for those now.
Just heard from Federalist/cloud.gov that there is some manual action that will need to happen once the CAA records are in place to manually renew the certs.
FYI, Chris reached out to me about these tickets. Since we'll be moving to cloud.gov soon, with letsencrypt.org CA, we'll leave all the CAA records at the second-level domain data.gov and sort things out later. At that point, majority of data.gov domains will be letsencrypt.org domains and would require us to move the CAA records around.
That said, I'm going to put this story down and call https://github.com/GSA/datagov-deploy/issues/2690 in progress. This story is about improving our security posture by moving CAA exceptions to subdomains.
Note: if we still have a data.gov -> www.data.gov redirect in GSA, we probably need to keep the digicert CAA record.
Given https://github.com/GSA/data.gov/issues/3949 is completed, We can remove DigiCert CAA record.
User Story
In order to increase CAA specificity and our security posture using the principle of least privilege, data.gov team wants subdomains to publish their own CAA records.
Acceptance Criteria
[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]
dig CAA data.gov
THEN I only see a CAA record for letsencrypt.orgdig CAA ssb.data.gov
THEN I only see a CAA records for ACM domainsBackground
https://github.com/GSA/datagov-deploy/wiki/TLS-SSL-Certificates#caa-records
Security Considerations (required)
None, doing this increases our security posture by following the principle of least privilege.
Sketch