As an admin, I would like to be able to limit the valid Certificate Authorities using the DNS record "CAA": https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
This record type allows listing the allowed authorities for a given name, providing another way to ensure no one can actually fake the website/service, especially when we use DNSSEC for the zone file in order to avoid spoofing/poisoning.
Thank you!
CAA is defined in https://tools.ietf.org/html/rfc6844.
bind-dyndb-ldap doesn't support CAA records yet. The LDAP attribute definition should look like this:
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.257 NAME 'CAARecord' DESC 'Certification Authority Restriction, RFC 6844' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch )
Duplicate of https://pagure.io/freeipa/issue/7392
Metadata Update from @rcritten:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)