matrix.hacklab.fi and riot.hacklab.fi would need CAA records as follows; do change the email address if we have a better one:
CAA 128 iodef "mailto:sami+matrixhacklabfi@olmari.fi"
CAA 128 issue "happy-hacker-ca.invalid"
CAA 128 issue "letsencrypt.org"
In short, this tells certificate authorities who is allowed to issue certificates for said domain; there can be multiple issuers, and iodef defines a way to report problems. Those 2 addresses seen are the Let's Encrypt production server and testing server.
Generally, all SSL-ed domain names should have similar records: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum?_ga=2.46334382.866192522.1549998448-596738242.1549998448
ADD: CAA directives traverse, so in theory if hacklab.fi has CAA records, it would also work for matrix. and riot., but that would also mean it would take effect on any city.hacklab.fi address too. They should have such records too, but this is a thing that needs to be taken into account if done at the hacklab.fi level. Also, this is mainly an issue when the lower-level domain's DNS does not have its own CAA records.
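The traversal described in the ADD note, as an added example that is not part of the original post: a CA looks for CAA records at the requested name and climbs toward the parent until it finds some (RFC 8659), so records placed at hacklab.fi cover every subdomain that has none of its own. The zone contents, the iodef address and other-ca.example are constructed sample data; wildcard (issuewild) and CNAME handling are left out.

```python
# Added example: CAA "tree climbing" (RFC 8659) over a constructed zone.
# ZONE is constructed sample data, not real DNS answers for these names.
ZONE = {
    "hacklab.fi": [
        (128, "issue", "letsencrypt.org"),
        (128, "iodef", "mailto:hostmaster@example.invalid"),
    ],
    # Hypothetical city subdomain that publishes its own CAA records.
    "city.hacklab.fi": [(128, "issue", "other-ca.example")],
}


def relevant_caa(name, zone):
    """Return (owner, rrset) of the closest name, walking up, that has CAA records."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def may_issue(ca_domain, name, zone):
    """True if the CA identified by ca_domain may issue for name (non-wildcard)."""
    _, rrset = relevant_caa(name, zone)
    issue_values = [value for _, tag, value in rrset if tag.lower() == "issue"]
    if not issue_values:
        # No issue property found anywhere: CAA does not restrict issuance.
        return True
    # Parameters after ';' are ignored here; an empty value authorizes nobody.
    allowed = {value.split(";")[0].strip().lower() for value in issue_values}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for host in ("matrix.hacklab.fi", "riot.hacklab.fi", "city.hacklab.fi"):
        owner, _ = relevant_caa(host, ZONE)
        print(host, "-> records taken from", owner,
              "| letsencrypt.org allowed:", may_issue("letsencrypt.org", host, ZONE))
```

A subdomain with its own CAA records is evaluated only against those, so a parent-level record set does not add to or override it.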