
Commit 324a009

More context and instructions for DNSSEC and CAA sections
minor rewording
1 parent cf3da3e commit 324a009

File tree

1 file changed

+5
-0
lines changed


docs/pages/infrastructure/domain-and-dns-security/dnssec-and-email.mdx

Lines changed: 5 additions & 0 deletions
@@ -25,6 +25,7 @@ import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } fr
2525
DNSSEC (DNS Security Extensions) provides cryptographic authentication of DNS responses, preventing attackers from redirecting your users to malicious sites by tampering with DNS queries. Think of it as a digital signature that proves the DNS response came from the legitimate source.
2626

2727
**How it protects you**: Without DNSSEC, attackers can intercept DNS queries and return fake IP addresses, redirecting users to malicious sites that look identical to yours. DNSSEC prevents this by cryptographically signing all DNS responses.
28+
While most client devices and many recursive resolvers do not perform DNSSEC validation on general DNS queries, DNSSEC is sometimes required and often preferred as a foundational component for security-sensitive internet protocols and features such as SMTP DANE, SSHFP, and CAA.
2829

2930
**Preconditions**:
3031
- Domain is using the provider's nameservers
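Review bot: The added line 28 has no blank line between it and the "**How it protects you**" line above it, so in MDX it renders as a continuation of that paragraph rather than the separate paragraph the indentation of the surrounding text suggests; insert an empty line before it. On content, "sometimes required and often preferred" lumps three protocols together without saying which is which: SMTP DANE needs DNSSEC-validated TLSA records to function at all, SSHFP records are only trusted by clients when the answer validates, while CAA works without DNSSEC (validation just protects the record from being stripped in transit). Suggest spelling that out, e.g. "DANE requires DNSSEC; SSHFP is only trusted when validated; CAA benefits from it but does not depend on it."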
@@ -86,6 +87,7 @@ DNSSEC (DNS Security Extensions) provides cryptographic authentication of DNS re
8687
Certificate Authority Authorization (CAA) records specify which Certificate Authorities (CAs) are allowed to issue SSL certificates for your domain. This prevents unauthorized certificate issuance, which attackers could use to create fake SSL certificates for your domain.
8788

8889
**How it protects you**: Without CAA records, any Certificate Authority can issue SSL certificates for your domain. Attackers could potentially obtain fake certificates and use them in sophisticated phishing attacks that appear to have valid SSL encryption.
90+
With CAA records for a given domain in place, if a CA receives a certificate request for that domain it will deny that request except in the event of a fully compromised CA (Last big CA security issue was Symantec around 2015).
8991

9092
Before setting CAA records, identify which CA issued your current certificate:
9193
- **Command line**: `openssl s_client -connect yourdomain.com:443 -servername yourdomain.com | openssl x509 -noout -issuer`
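Review bot: The new line 90 overstates what CAA does: a CA denies the request only when it is not one of the issuers listed in the record, and the sentence as written never says "unless that CA is listed", so a reader could take it to mean CAA blocks issuance entirely. It also names a compromised CA as the only failure mode, but CAA is checked by the CA itself at issuance time, so a CA that skips or mis-implements the check is an equally relevant gap, as is a DNS answer that is altered in transit when the zone is not DNSSEC-signed. The "(Last big CA security issue was Symantec around 2015)" aside is imprecise and unsourced; either drop it or cite the incident. Like the DNSSEC hunk, this line is also missing the blank line before it, so it merges into the "**How it protects you**" paragraph. Suggested wording: "With a CAA record in place, a CA that is not listed in it must refuse to issue; this relies on the CA performing the check correctly."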
@@ -94,6 +96,9 @@ Before setting CAA records, identify which CA issued your current certificate:
9496

9597
**Setup process**: Add CAA records to your DNS zone. Most DNS providers allow you to add these through their web interface:
9698

99+
With the issuers full name in hand we now need to map it to the "Issuer Domain Name".
100+
There is no centralized repository mapping public CA's to their issuer domain names but they are generally easily found with a simple search for f.x. "Let's Encrypt CAA".
101+
97102
```
98103
# Allow only specific CAs to issue certificates
99104
example.com. CAA 0 issue "letsencrypt.org"
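Review bot: Lines 99 and 100 have several wording errors: "issuers full name" should be "issuer's full name", "CA's" should be "CAs", and "f.x." should be "e.g." (or "for example"). More substantively, line 100 points readers to a web search for the issuer domain name, but each publicly trusted CA is required by the CA/Browser Forum Baseline Requirements to disclose the CAA identifying domains it recognises in its Certificate Policy / Certification Practice Statement, so the guidance should direct readers to the CA's CP/CPS (with a search as a fallback) rather than presenting a search as the only option. It would also help to note on line 99 that a CA may recognise more than one issuer domain name and that the value must match exactly, since a near-miss value silently blocks renewal.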
