thewca / worldcubeassociation.org

All of the code that runs on worldcubeassociation.org
https://www.worldcubeassociation.org/
GNU General Public License v3.0

Add DNSSEC and CAA record #7773

Open d4rklynk opened 1 year ago

d4rklynk commented 1 year ago

DNSSEC and CAA should be added in DNS zone as it is a security standard.

d4rklynk commented 7 months ago

Certificate Authority Authorization (CAA) is meant to restrict which CA (Certificate Authority) can issue a certificate.

For instance, in the WCA's DNS, it would look like so: [image]

This website can help you generate certs for you whether you want wildcard ("issuewild" tag) or non-wildcard domains ("issue" tag) among other things.

You can also harden the CAA by specifying the challenge method (tls, http, dns, etc.).

For instance, if you exclusively use http chall:

i.e., if the CA is amazon.com or letsencrypt.org and the validation method is http-01, it can issue a certificate.

worldcubeassociation.org.   IN  CAA 0 issue "amazon.com; validationmethods=http-01"
worldcubeassociation.org.   IN  CAA 0 issue "letsencrypt.org; validationmethods=http-01"
worldcubeassociation.org.   IN  CAA 0 iodef "mailto:caa@worldcubeassociation.org"

And if you know your account URI of Let's Encrypt, let's say, you can harden it even more:

i.e., if the CA is amazon.com or letsencrypt.org, the validation method is http-01 and the account URI is 123456789, then it can issue a certificate.

worldcubeassociation.org.   IN  CAA 0 issue "amazon.com; validationmethods=http-01"
worldcubeassociation.org.   IN  CAA 0 issue "letsencrypt.org; validationmethods=http-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456789"
worldcubeassociation.org.   IN  CAA 0 iodef "mailto:caa@worldcubeassociation.org"

And if you need staging for let's encrypt:

worldcubeassociation.org.   IN  CAA 0 issue "amazon.com; validationmethods=http-01"
worldcubeassociation.org.   IN  CAA 0 issue "letsencrypt.org; validationmethods=http-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456789"
worldcubeassociation.org.   IN  CAA 0 issue "letsencrypt.org; validationmethods=http-01; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/12345678"
worldcubeassociation.org.   IN  CAA 0 iodef "mailto:caa@worldcubeassociation.org"
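
As an added example (not code from this issue or the WCA code base): a small Python checker that parses the CAA zone lines proposed above and decides, following RFC 8659 plus the RFC 8657 `validationmethods` / `accounturi` parameters, whether a given CA, challenge method and ACME account would be permitted to issue. The zone text is copied from the comment; the CA/method/account values passed to `may_issue` are constructed inputs.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the hardened zone lines proposed in the comment above.
ZONE = """\
worldcubeassociation.org.   IN  CAA 0 issue "amazon.com; validationmethods=http-01"
worldcubeassociation.org.   IN  CAA 0 issue "letsencrypt.org; validationmethods=http-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/123456789"
worldcubeassociation.org.   IN  CAA 0 iodef "mailto:caa@worldcubeassociation.org"
"""

CAA_RE = re.compile(r'^\S+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass
class CAARecord:
    flags: int
    tag: str
    domain: str            # issuer domain; "" means "no CA may issue"
    params: dict = field(default_factory=dict)

def parse_zone(text):
    """Parse zone-file CAA lines into records; value parameters are split on ';'."""
    records = []
    for line in text.splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            continue
        flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
        parts = [p.strip() for p in value.split(";")]
        params = {}
        for p in parts[1:]:
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip().lower()] = v.strip()
        records.append(CAARecord(flags, tag, parts[0].lower(), params))
    return records

def may_issue(records, ca, method, account=None, wildcard=False):
    """True if CAA permits `ca` to issue using `method` from ACME `account`."""
    # An unknown tag with the critical flag (bit 128) set forbids issuance (RFC 8659 s4.2).
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in records):
        return False
    # issuewild governs wildcard requests only when such records exist; otherwise issue applies.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # no applicable property: CAA does not restrict this request
    for r in relevant:
        if r.domain != ca.lower():
            continue
        methods = r.params.get("validationmethods")
        if methods and method not in [x.strip() for x in methods.split(",")]:
            continue  # wrong challenge type for this record
        uri = r.params.get("accounturi")
        if uri and uri != account:
            continue  # wrong (or unknown) ACME account for this record
        return True
    return False
```

Run the checker against a live `dig CAA worldcubeassociation.org` answer to confirm the deployed records still permit your renewal path before cutting over a new CA or account.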

d4rklynk commented 7 months ago

For DNSSEC (I should have made another issue for it, my bad):

Further reading for why it is important: