Closed thibaudcolas closed 6 months ago
CAA records are now set up for wagtail.org and wagtail.io. It's mostly just Cloudflare adding their own automatically, but with releases. allowing certificates from AWS.
For reasons unknown, Cloudflare didn't want to add their own automatically, so I forced it by enabling "AMP Real URL". We don't use AMP, so there won't be a real impact, but it's forced Cloudflare to emit the headers correctly.
We could add this DNS record to wagtail.org to close off a type of attack where a CA would issue a certificate to a wagtail.org sub-domain (or top-level) to an attacker-controlled server. It's unclear to me how much of an overlap there is / how much protection CAA and Certificate Transparency give.
The absence of this DNS record has been reported by security researcher Atexx Lee via email to our security team.
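As an added illustration of both posts above (the attack the original report describes, and the sub-domain override mentioned in the closing comment), here is a Python model of the RFC 8659 lookup a CA performs before issuing; it is not code from this issue or the Wagtail project. The zone, the `example.org` / `releases.example.org` names and the CA identifiers are constructed sample values, not wagtail.org's real records.

```python
"""Model of the RFC 8659 CAA check a CA runs before issuing (offline, no live DNS)."""
from dataclasses import dataclass

CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags byte


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or CRITICAL
    tag: str     # "issue", "issuewild", "iodef", or something newer
    value: str   # CA domain (optionally "; key=value" params); ";" alone = nobody


# Constructed sample zone (NOT wagtail.org's real records): the apex authorises one
# CA, and a sub-domain publishes its own RRset that overrides the apex for that name.
ZONE = {
    "example.org": [CAARecord(0, "issue", "letsencrypt.org"),
                    CAARecord(0, "iodef", "mailto:security@example.org")],
    "releases.example.org": [CAARecord(0, "issue", "amazon.com")],
}


def relevant_rrset(fqdn, zone):
    """RFC 8659 s.3: the first CAA RRset found walking from fqdn towards the root."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":              # *.D is governed by D's records
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(fqdn, ca, zone=ZONE):
    """True if a CA identifying itself as `ca` may issue a certificate for fqdn."""
    rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True                   # no CAA anywhere up the tree: unrestricted
    if any(r.flags & CRITICAL and r.tag not in {"issue", "issuewild", "iodef"}
           for r in rrset):
        return False                  # unknown critical property: must not issue
    props = [r for r in rrset if r.tag == "issuewild"] if fqdn.startswith("*.") else []
    if not props:                     # not a wildcard, or no issuewild: use "issue"
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True                   # only iodef etc.: issuance is not restricted
    return ca.lower() in {issuer_domain(r.value) for r in props}
```

Because the lookup stops at the first RRset found, a sub-domain's own CAA records replace rather than extend the apex policy; a CAA record also only constrains CAs that honour it, which is why the report above pairs it with Certificate Transparency monitoring for detection.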