DNSSEC (DNS Security Extensions) provides cryptographic authentication of DNS responses, preventing attackers from redirecting your users to malicious sites by tampering with DNS queries. Think of it as a digital signature that proves the DNS response came from the legitimate source.
26
26
27
27
**How it protects you**: Without DNSSEC, attackers can intercept DNS queries and return fake IP addresses, redirecting users to malicious sites that look identical to yours. DNSSEC prevents this by cryptographically signing all DNS responses.
28
+
While most client devices and many recursive resolvers do not perform DNSSEC validation on general DNS queries, DNSSEC is sometimes required and often preferred as a foundational component for security-sensitive internet protocols and features such as SMTP DANE, SSHFP, and CAA.
28
29
29
30
**Preconditions**:
30
31
- Domain is using the provider's nameservers
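Review bot: the added paragraph (the `+` line following "cryptographically signing all DNS responses") groups SMTP DANE, SSHFP and CAA under one "sometimes required and often preferred" without saying which is which; state it per protocol, e.g. "DANE for SMTP cannot be deployed without DNSSEC, while SSHFP and CAA records work without it but are only trustworthy to a client that validates them." The opening clause "many recursive resolvers do not perform DNSSEC validation" is also unqualified; if the point is that validation is not universal end to end, say "most stub resolvers on client devices do not validate, and not every recursive resolver does" so readers are not led to think validating resolvers are the exception.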
@@ -86,6 +87,13 @@ DNSSEC (DNS Security Extensions) provides cryptographic authentication of DNS re
86
87
Certificate Authority Authorization (CAA) records specify which Certificate Authorities (CAs) are allowed to issue SSL certificates for your domain. This prevents unauthorized certificate issuance, which attackers could use to create fake SSL certificates for your domain.
87
88
88
89
**How it protects you**: Without CAA records, any Certificate Authority can issue SSL certificates for your domain. Attackers could potentially obtain fake certificates and use them in sophisticated phishing attacks that appear to have valid SSL encryption.
90
+
A well behaved CA not explicitly permitted via CAA records will deny certificate requests for that domain. \
91
+
While CA compromises are rare, history shows they do happen — and in such cases, attackers could potentially bypass or ignore CAA entirely. \
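Review bot: both added lines end in ` \` and are each followed by a blank line; a backslash at the end of a paragraph is not a hard line break in CommonMark and renders as a literal backslash, so drop both (the blank lines already separate the paragraphs). In the first added line, "well behaved" should be hyphenated as "well-behaved" before a noun, and "not explicitly permitted via CAA records will deny certificate requests" is ambiguous when no CAA record exists at all; "A well-behaved CA that is not listed in the domain's CAA records will refuse to issue certificates for that domain" says what is meant.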
@@ -94,6 +102,10 @@ Before setting CAA records, identify which CA issued your current certificate:
94
102
95
103
**Setup process**: Add CAA records to your DNS zone. Most DNS providers allow you to add these through their web interface:
96
104
105
+
With the issuers full name in hand we now need to map it to the "Issuer Domain Name".
106
+
There is no centralized repository mapping public CA's to their issuer domain names but they are generally easily found with a simple search for f.x. "Let's Encrypt CAA". \
107
+
The Common CA Database also provides a comprehensive collection to reference: https://ccadb.org/resources
108
+
97
109
```
98
110
# Allow only specific CAs to issue certificates
99
111
example.com. CAA 0 issue "letsencrypt.org"
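Review bot: the three added paragraphs land between the "**Setup process**" sentence, whose closing colon introduces the CAA record example, and the code fence, so the colon now introduces the issuer-name discussion instead of the records; move them above the "**Setup process**" line, directly after the step that identifies the current issuer, which they continue. In the same lines: "issuers full name" should be "issuer's full name", "public CA's" should be "public CAs", "f.x." should be "e.g.", and the trailing ` \` before a blank line renders as a literal backslash and should be removed; the bare ccadb.org URL could be a markdown link for consistency with the rest of the document.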
@@ -199,6 +211,8 @@ MTA-STS enforces encrypted connections between mail servers, preventing man-in-t
199
211
DMARC builds on SPF and DKIM to provide policy enforcement for email authentication. It tells receiving mail servers what to do with emails that fail authentication checks.
200
212
201
213
**How it protects you**: DMARC prevents email spoofing by instructing receiving servers to reject or quarantine emails that fail authentication, protecting your users from phishing attacks.
214
+
Without it, emails breaking SPF/DKIM may still be delivered by some providers (like Gmail, Outlook), often to the inbox or spam folder, sometimes with a warning banner (e.g., "This message may not be from…")
215
+
DMARC also enables aggregate (rua) and forensic (ruf) reporting, giving domain owners visibility into who is sending email on their behalf - legitimate or otherwise.
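Review bot: "emails breaking SPF/DKIM" in the first added line is imprecise: DMARC only acts on a message when neither SPF nor DKIM yields an aligned pass, so a message that fails SPF but carries an aligned DKIM signature is delivered normally even under a strict policy; suggest "emails that fail both SPF and DKIM alignment". The same line is missing a terminating period after the quoted banner text. In the second added line, "forensic (ruf)" would be more accurate as "failure (ruf)", the term the DMARC specification uses, with "forensic" in parentheses if the colloquial name is wanted.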