wagtail / wagtail.org

Wagtail’s official marketing website
https://wagtail.org/

CAA DNS record to limit certificate issue risks #467

Closed thibaudcolas closed 6 months ago

thibaudcolas commented 6 months ago

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism that allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a "CAA" Domain Name System (DNS) resource record. – DNS Certification Authority Authorization - Wikipedia

We could add this DNS record to wagtail.org to close off a type of attack where a CA would issue a certificate to a wagtail.org sub-domain (or top-level) to an attacker-controlled server.

It’s unclear to me how much of an overlap there is / how much protection CAA and Certificate Transparency give.
The absence of this DNS record has been reported by security researcher Atexx Lee via email to our security team.
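The CAA evaluation the issue describes, as an added example that is not part of the original thread: a CA implementing RFC 8659 walks from the requested name up to the root, takes the closest CAA RRset, and only issues if its own issuer domain appears there. The zone data below is constructed for the demo and is not wagtail.org's real record set.

```python
"""RFC 8659 CAA evaluation: would a given CA be permitted to issue for a name?"""
from typing import Dict, List, Optional, Tuple

RRSet = List[Tuple[str, str]]  # (tag, value) pairs of one owner name's CAA records

# Constructed sample zone (NOT wagtail.org's actual records), keyed by owner name.
# "issue ;" / "issuewild ;" (empty issuer) means "no CA may issue" for that case.
SAMPLE_ZONE: Dict[str, RRSet] = {
    "wagtail.org": [("issue", "letsencrypt.org"), ("issuewild", ";")],
    "releases.wagtail.org": [("issue", "amazon.com")],
    "iodef-only.example": [("iodef", "mailto:security@iodef-only.example")],
}


def relevant_caa_set(name: str, zone: Dict[str, RRSet]) -> Tuple[Optional[str], RRSet]:
    """Walk from `name` towards the root; return the closest owner with a CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []  # no CAA anywhere in the chain: issuance is unrestricted


def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value; parameters after ';' are ignored."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca: str, zone: Dict[str, RRSet], wildcard: bool = False) -> bool:
    """True if CA `ca` may issue a certificate for `name` (or `*.name` when wildcard)."""
    _, rrset = relevant_caa_set(name, zone)
    issue = [v for tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for tag, v in rrset if tag.lower() == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # RRset carries no issue/issuewild restriction (e.g. iodef only)
    return ca.lower() in {issuer_domain(v) for v in applicable}


if __name__ == "__main__":
    for n, ca, wc in [("www.wagtail.org", "letsencrypt.org", False),
                      ("www.wagtail.org", "amazon.com", False),
                      ("releases.wagtail.org", "amazon.com", False),
                      ("wagtail.org", "letsencrypt.org", True)]:
        print(f"{'*.' if wc else ''}{n} via {ca}: {ca_may_issue(n, ca, SAMPLE_ZONE, wc)}")
```

Note the subdomain case: releases.wagtail.org's own RRset is the relevant one, so the parent's restrictions are not inherited there; that is why a per-subdomain record is needed when a different CA (here AWS) issues for it.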

RealOrangeOne commented 6 months ago

CAA records are now set up for wagtail.org and wagtail.io. It's mostly just Cloudflare adding their own automatically, but with releases. allowing certificates from AWS.

For reasons unknown, Cloudflare didn't want to add their own automatically, so I forced it by enabling "AMP Real URL". We don't use AMP, so there won't be a real impact, but it's forced Cloudflare to emit the headers correctly.