Thanks to visit codestin.com
Credit goes to github.com

Skip to content

More context and instructions for DNSSEC and CAA sections #314

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
gunnim wants to merge 5 commits into
base: develop
Choose a base branch
from
Open

More context and instructions for DNSSEC and CAA sections #314

gunnim wants to merge 5 commits into from
+14 −0

Conversation

@gunnim
Copy link

@gunnim gunnim commented Dec 14, 2025

Core impetus for PR is clarify what I saw as a missing step when creating your CAA records, the mapping from issuer name to issuer domain name. Am also hoping it might be useful to clarify where DNSSEC/CAA do not help.

@Raiders0786

@vercel
Copy link

vercel bot commented Dec 14, 2025

Someone is attempting to deploy a commit to the Security Alliance Team on Vercel.

A member of the Team first needs to authorize it.

@gunnim gunnim force-pushed the fix/dnssec-and-email--additions branch from 324a009 to d64f54a Compare December 14, 2025 18:38
@scode2277
Copy link
Collaborator

scode2277 commented Dec 16, 2025

Thanks for the contribution @gunnim!

While the steward of the Domain and DNS Security, @Raiders0786, reviews the content added, I need to ask you to follow this guide about how to sign unverified commits as this PR can't be merged if all the commits are not verified. The guide assumes that the user following it has a signing key.

Thanks :)

@scode2277 scode2277 mentioned this pull request Dec 16, 2025
Open
@gunnim gunnim force-pushed the fix/dnssec-and-email--additions branch from d64f54a to 54c36e6 Compare December 16, 2025 19:13
@vercel
Copy link

vercel bot commented Dec 17, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
frameworks Ready Ready Preview, Comment Dec 17, 2025 11:30am

@scode2277 scode2277 added the content:add This issue or PR adds content or suggests to label Dec 17, 2025
mattaereal
mattaereal requested changes Dec 17, 2025
View reviewed changes
Copy link
Collaborator

@mattaereal mattaereal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the additions are useful! Can you just update the claim of the security issues? You can add the most prominent ones, in case you want to provide more information about them. The rest is a minor thing

docs/pages/infrastructure/domain-and-dns-security/dnssec-and-email.mdx Outdated
Certificate Authority Authorization (CAA) records specify which Certificate Authorities (CAs) are allowed to issue SSL certificates for your domain. This prevents unauthorized certificate issuance, which attackers could use to create fake SSL certificates for your domain.

**How it protects you**: Without CAA records, any Certificate Authority can issue SSL certificates for your domain. Attackers could potentially obtain fake certificates and use them in sophisticated phishing attacks that appear to have valid SSL encryption.
With CAA records for a given domain in place, if a CA receives a certificate request for that domain it will deny that request except in the event of a fully compromised CA (Last big CA security issue was Symantec around 2015).
Copy link
Collaborator

@mattaereal mattaereal Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the biggest issue with a tool regarding CAs was CVE-2025-44005, this year

Copy link
Author

@gunnim gunnim Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mattaereal what I was attempting to highlight is when CAA records don't help. In your example and f.x. for https://www.sans.org/newsletters/newsbites/xxvii-32 I think it's reasonable to assume that CAA would in fact help as they were not fully compromised.

I've pushed a further clarification that I hope is more useful

@gunnim gunnim force-pushed the fix/dnssec-and-email--additions branch from f0a3ef7 to a146131 Compare December 18, 2025 14:59
@gunnim gunnim requested a review from mattaereal December 27, 2025 17:53
@Raiders0786
Copy link
Contributor

Raiders0786 commented Jan 2, 2026

I've commented feedback and changes above—are you able to see them, @gunnim ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattaereal mattaereal Awaiting requested review from mattaereal

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

content:add This issue or PR adds content or suggests to

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@gunnim @scode2277 @Raiders0786 @mattaereal