GSA / data.gov

Main repository for the data.gov service
https://data.gov

CAA records for Data.gov subdomains #2691

Open adborden opened 3 years ago

adborden commented 3 years ago

User Story

In order to increase CAA specificity and our security posture using the principle of least privilege, data.gov team wants subdomains to publish their own CAA records.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

Background

https://github.com/GSA/datagov-deploy/wiki/TLS-SSL-Certificates#caa-records

Security Considerations (required)

None, doing this increases our security posture by following the principle of least privilege.

Sketch

adborden commented 3 years ago

I opened RITM0816182 to create records for the static sites.

I opened RITM0816183 to create records for ssb.data.gov.

I confirmed that none of these domains are in our SAN list, nothing to do here.

Moving this to blocked until we hear from GSA DNS.

adborden commented 3 years ago

Oops, forgot the staging domains. Will create tickets for those now.

adborden commented 3 years ago

Just heard from Federalist/cloud.gov that there is some manual action that will need to happen once the CAA records are in place to manually renew the certs.

adborden commented 3 years ago

FYI, Chris reached out to me about these tickets. Since we'll be moving to cloud.gov soon, with letsencrypt.org CA, we'll leave all the CAA records at the second-level domain data.gov and sort things out later. At that point, the majority of data.gov domains will be letsencrypt.org domains and would require us to move the CAA records around.

adborden commented 3 years ago

That said, I'm going to put this story down and call https://github.com/GSA/datagov-deploy/issues/2690 in progress. This story is about improving our security posture by moving CAA exceptions to subdomains.

adborden commented 2 years ago

Note: if we still have a data.gov -> www.data.gov redirect in GSA, we probably need to keep the digicert CAA record.

FuhuXia commented 1 year ago

Given https://github.com/GSA/data.gov/issues/3949 is completed, we can remove the DigiCert CAA record.
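As an added example (not code from the data.gov project), the following shows how a CA determines the effective CAA record set for a name under RFC 8659: it climbs the tree and stops at the first RRset it finds, which is why a narrower record published at ssb.data.gov takes precedence over the apex data.gov record, and why a name with no record of its own (www.data.gov) inherits whatever the apex allows. The zone contents are constructed sample data, and CNAME chasing is not modelled.

```python
"""Effective CAA lookup (RFC 8659 section 3 tree walk) over an in-memory zone."""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value) as carried in a CAA RR
Zone = Dict[str, List[CaaRecord]]

# Constructed sample zone, not the real data.gov DNS: the apex permits two CAs,
# ssb.data.gov narrows that to one, nocerts.data.gov forbids issuance with ";".
SAMPLE_ZONE: Zone = {
    "data.gov": [(0, "issue", "digicert.com"), (0, "issue", "letsencrypt.org")],
    "ssb.data.gov": [(0, "issue", "letsencrypt.org")],
    "nocerts.data.gov": [(0, "issue", ";")],
}


def effective_caa(name: str, zone: Zone) -> Tuple[Optional[str], List[CaaRecord]]:
    """Return (owner, records) of the closest CAA RRset at or above `name`.

    RFC 8659 s3: climb label by label; the first RRset found is authoritative
    and nothing higher in the tree is consulted.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, list(zone[owner])
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca: str, zone: Zone, wildcard: bool = False) -> bool:
    """Decide whether CA `ca` may issue for `name` under the effective CAA RRset."""
    _, records = effective_caa(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised property with the critical flag (bit 128) blocks issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r[1] == tag]
    if wildcard and not relevant:  # no issuewild present: issue governs wildcards too
        relevant = [r for r in records if r[1] == "issue"]
    if not relevant:
        return True  # RRset exists but carries no issue restriction
    return ca.lower() in {issuer_domain(v) for _, _, v in relevant}
```

Removing the digicert.com entry from the apex in this model immediately denies DigiCert for www.data.gov, which is the effect the redirect note above is guarding against.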