Comments (10)
The native net package doesn't provide any methods for looking up CAA records (as far as I can tell), so it'd probably be a good idea to use something like miekg/dns, which provides a much more granular DNS interface from which we could build methods to verify RRSIG records against zone DNSKEY records (an example of how this works can be found in the sectionCheck method here). These methods could also then be used to check DNSSEC when validating the _acme-challenge.example.com TXT records...?
I put together a dirty example of how to decode the record (based on RFC6844 and RFC3597) once retrieved using miekg/dns but have left out any DNSSEC checks. I'd be more than happy to take a crack at writing up some of this DNS stuff if no one else wants to!
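The decode-then-check path this comment sketches, written out as an added example. This is not boulder's code and not the branch linked in the thread; it uses only the Go standard library (no miekg/dns), and the zone contents and the `\# <len> <hex>` records in SampleZones are constructed for the example. It parses CAA RDATA per RFC 6844 section 5.1 and the RFC 3597 generic presentation form, then applies the RFC 6844 section 4 decision (climb to the first RRset, issue vs issuewild, critical flag on an unknown tag, empty issuer), with a map standing in for the resolver since DNSSEC validation is left to it. RFC 6844's CNAME-following step is left out; RFC 8659, which has since replaced RFC 6844, drops that step anyway.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// CAA is one decoded CAA record (RFC 6844 section 5.1 wire format).
type CAA struct {
	Flags uint8  // 0x80 is the "issuer critical" bit
	Tag   string // property tag, lower-cased: issue, issuewild, iodef, ...
	Value string // property value, e.g. "letsencrypt.org" or ";"
}

// ParseCAARdata decodes raw CAA RDATA: flags byte, tag-length byte, tag, value.
func ParseCAARdata(rdata []byte) (CAA, error) {
	if len(rdata) < 2 || rdata[1] == 0 || 2+int(rdata[1]) > len(rdata) {
		return CAA{}, fmt.Errorf("caa: malformed rdata (%d bytes)", len(rdata))
	}
	tagLen := int(rdata[1])
	tag := strings.ToLower(string(rdata[2 : 2+tagLen])) // tags are case-insensitive US-ASCII
	return CAA{Flags: rdata[0], Tag: tag, Value: string(rdata[2+tagLen:])}, nil
}

// ParseGenericCAA decodes the RFC 3597 `\# <len> <hex>` form a resolver library returns for unknown types.
func ParseGenericCAA(s string) (CAA, error) {
	f := strings.Fields(s)
	if len(f) < 2 || f[0] != `\#` {
		return CAA{}, fmt.Errorf(`rfc3597: expected "\# <length> <hex>", got %q`, s)
	}
	n, err := strconv.Atoi(f[1])
	raw, herr := hex.DecodeString(strings.Join(f[2:], "")) // hex may be space-separated
	if err != nil || herr != nil || len(raw) != n {
		return CAA{}, fmt.Errorf("rfc3597: malformed hex or length mismatch in %q", s)
	}
	return ParseCAARdata(raw)
}

// MayIssue applies the RFC 6844 section 4 check for caDomain issuing for name. zones stands in
// for DNS (FQDN -> CAA RRset): climb one label at a time towards the root, use the first RRset.
func MayIssue(zones map[string][]CAA, name string, wildcard bool, caDomain string) (bool, error) {
	labels := strings.Split(strings.TrimSuffix(name, "."), ".")
	var set []CAA
	for i := 0; i < len(labels) && set == nil; i++ {
		set = zones[strings.Join(labels[i:], ".")]
	}
	var issue, issuewild []CAA // set == nil (no CAA anywhere on the chain) leaves both empty
	for _, rr := range set {
		switch rr.Tag {
		case "issue":
			issue = append(issue, rr)
		case "issuewild":
			issuewild = append(issuewild, rr)
		case "iodef": // understood, but not an issuance restriction
		default:
			if rr.Flags&0x80 != 0 { // RFC 6844 section 3: critical + unknown tag means MUST NOT issue
				return false, fmt.Errorf("critical CAA record with unknown tag %q", rr.Tag)
			}
		}
	}
	relevant := issue
	if wildcard && len(issuewild) > 0 { // issuewild overrides issue for wildcard requests
		relevant = issuewild
	}
	for _, rr := range relevant {
		issuer := strings.TrimSpace(strings.SplitN(rr.Value, ";", 2)[0])
		if issuer != "" && strings.EqualFold(issuer, caDomain) { // "issue ;" names nobody
			return true, nil
		}
	}
	return len(relevant) == 0, nil // no issue/issuewild property at all restricts nothing
}

// SampleZones builds a constructed zone snapshot from RFC 3597 generic records.
func SampleZones() map[string][]CAA {
	zones := map[string][]CAA{}
	for _, e := range [][2]string{
		{"example.com", `\# 22 00 05 6973737565 6c657473656e63727970742e6f7267`}, // 0 issue "letsencrypt.org"
		{"example.com", `\# 12 80 09 697373756577696c64 3b`},                      // 128 issuewild ";"
		{"locked.example.com", `\# 8 80 03 666f6f 626172`},                        // 128 foo "bar": critical, unknown tag
	} {
		rr, err := ParseGenericCAA(e[1])
		if err != nil {
			panic(err) // constructed input: a typo here is a bug in the example
		}
		zones[e[0]] = append(zones[e[0]], rr)
	}
	return zones
}

func main() {
	for _, name := range []string{"www.example.com", "locked.example.com", "nocaa.example"} {
		ok, err := MayIssue(SampleZones(), name, false, "letsencrypt.org")
		fmt.Printf("%s: letsencrypt.org permitted=%v err=%v\n", name, ok, err)
	}
}
```

MayIssue returns (permitted, error); an error from a critical record with an unrecognised tag is a refusal, not something to retry. A resolver that does know type 257 will hand back the three fields directly, in which case only the MayIssue logic applies.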
Soooo, I had a go at putting together all the stuff needed to query CAA sets based on RFC6844. I'm super duper tired now though, so I'll leave a link to what I've written so far (with lots of comments) here and hopefully see @jsha or @jcjones on irc sometime tomorrow...
I agree that we should do this, but it is only a requirement / blocker if it is required by the CPS. As of right now, that's not the case. So I'm re-tagging as "enhancement".
Agreed that it's not a blocker.
Roland - do you have an ETA for your new CAA pull request?
I should be done with it by the end of this week if not sooner.
On Tue, May 26, 2015 at 11:32 PM Josh Aas [email protected] wrote:
Roland - do you have an ETA for your new CAA pull request?
Great! BTW, I think JC and I talked to you about this on IRC, but just in case: The resolver software we will use in prod already does the DNSSEC validation (and recursive resolution) for us, so we just need the part that parses CAA records. I think I may have initially misled you on implementing DNSSEC, sorry about that.
Oh awesome, that makes this 90% simpler. Time to start pruning my additions!
I have confirmed that this is not required by CPS. Moving out to Defer, since this is a pretty big patch.
I did ask that it be included in the CPS, but no one has commented back on my post one way or the other. https://groups.google.com/a/letsencrypt.org/forum/#!topic/ca-dev/P-aEwXykFNg