Enhancement #522
closed
Implement RFC6844
100%
Description
Even if I think this probably won't solve much of anything, as it is based on "compliant CAs", which means will and proper implementation from CAs, which have proved to do much wrong in the past.
A better way, but with some performance impact for the clients, would be to match the CA's CN with the issuer domain for example, but that's not the direction taken. Anyway let's give it a try.
Updated by Marc Dequènes about 7 years ago
- Status changed from New to Blocked
- % Done changed from 0 to 30
The RRs are ready but commented, as we have 9.9.5 and CAA support is only in 9.9.6 (https://kb.isc.org/article/AA-01210/0/BIND-9.9.6-Release-Notes.html).
Updated by Marc Dequènes about 7 years ago
Added (commented) an empty issuewild to state that no one is allowed to issue wildcard certificates.
Updated by Marc Dequènes almost 7 years ago
- Status changed from Blocked to Resolved
- % Done changed from 30 to 100
Activated for our two domains. I added to the pending news a suggestion that users use it for their own zones.
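How a compliant CA would read records like the ones discussed in this ticket, as an added example that is not part of the ticket or the project's zone files. The zone lines, `example.org` and `ca.example.net` are constructed placeholders, the parser is simplified, and the decision logic follows the CAA rules of RFC 6844 as restated in RFC 8659, which obsoletes it.

```python
import shlex

# Constructed zone lines; names are placeholders, not the project's records.
ZONE = '''
; example.org. IN CAA 0 issue "old-ca.example"   (commented out, ignored)
example.org. IN CAA 0 issue "ca.example.net"
example.org. IN CAA 0 issuewild ";"
example.org. IN CAA 0 iodef "mailto:hostmaster@example.org"
'''

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(zone_text):
    """Return (flags, tag, value) for each active CAA line."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or commented-out RR
        fields = shlex.split(line)  # unquotes the property value
        if "CAA" not in fields:
            continue
        i = fields.index("CAA")
        records.append((int(fields[i + 1]), fields[i + 2].lower(), fields[i + 3]))
    return records


def may_issue(records, ca_domain, wildcard):
    """Decide whether ca_domain may issue, for a wildcard or plain name."""
    # An unknown property with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild is ignored for plain names and replaces issue for wildcards.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restricting property: CAA does not limit issuance
    # Issuer domain is the text before any ";" parameters; empty matches no CA.
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed - {""}


if __name__ == "__main__":
    rrs = parse_caa(ZONE)
    print("plain cert:   ", may_issue(rrs, "ca.example.net", wildcard=False))
    print("wildcard cert:", may_issue(rrs, "ca.example.net", wildcard=True))
```

The check only describes what a CA that honours CAA should do; it does not stop a CA that ignores the records.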