Enhancement #522

Implement RFC6844

Added by Marc Dequènes over 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Category: Service :: DNS
Start date: 2017-04-17
Due date:
% Done: 100%
Estimated time:
Patch Available:
Confirmed: No
Branch:
Entity: DuckCorp
Security: Yes
Help Needed:

Description

Even if I think this probably won't solve much of anything, as it is based on "compliant CA", which means will and proper implementation from CAs, which have proved to do much wrong in the past.

A better way, but with some performance impact for the clients, would be to match the CA's CN with the issuer domain for example, but that's not the direction taken. Anyway, let's give it a try.

History

#1

Updated by Marc Dequènes over 2 years ago

  • Status changed from New to Blocked
  • % Done changed from 0 to 30

The RRs are ready but commented, as we have 9.9.5 and CAA support is only in 9.9.6 (https://kb.isc.org/article/AA-01210/0/BIND-9.9.6-Release-Notes.html).

#2

Updated by Marc Dequènes over 2 years ago

Added (commented) an empty issuewild to state that no one is allowed to issue wildcard certificates.

#3

Updated by Marc Dequènes about 2 years ago

  • Status changed from Blocked to Resolved
  • % Done changed from 30 to 100

Activated for our two domains. I added a suggestion in the pending news for users to use it for their own zones.
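
Added example, not part of the ticket or of DuckCorp's zone files: a sketch of how a compliant CA would evaluate a CAA RRset that pairs an `issue` record with the empty `issuewild` mentioned in update #2. The record values and the CA name `ca.example.net` are constructed, and the check covers a single RRset only (no climbing toward the parent zone, no CNAME handling).

```python
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample RRset: one CA allowed, wildcards forbidden for everyone.
SAMPLE_RRSET = ['0 issue "ca.example.net"', '0 issuewild ";"']

def parse_caa(rdata):
    """Parse CAA RDATA in presentation format: <flags> <tag> "<value>"."""
    flags, tag, value = shlex.split(rdata)
    return int(flags), tag.lower(), value

def issuer_domain(value):
    """Issuer domain is the part before the first ';' (empty means no CA at all)."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(rrset, ca_domain, wildcard):
    """Return True if the RRset lets ca_domain issue (wildcard or not)."""
    records = [parse_caa(r) for r in rrset]
    # A set critical bit (128) on a property the CA does not understand
    # forbids issuance outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [issuer_domain(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_domain(v) for _, t, v in records if t == "issuewild"]
    # For wildcard requests, issuewild replaces issue whenever it is present.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        # No applicable property: CAA places no restriction
        # (reading as clarified by RFC 8659, which obsoletes RFC 6844).
        return True
    return ca_domain.lower() in relevant

if __name__ == "__main__":
    for wild in (False, True):
        print("wildcard" if wild else "plain   ",
              may_issue(SAMPLE_RRSET, "ca.example.net", wild))
```

The empty `issuewild` blocks wildcard issuance even for the CA named in `issue`; without it, the `issue` record would also authorize wildcards for that CA.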
