Opened 5 years ago

Last modified 4 years ago

#57672 new enhancement

Add DNS CAA record for MacPorts domains

Reported by: ryandesign (Ryan Carsten Schmidt) Owned by: admin@…
Priority: Normal Milestone:
Component: server/hosting Version:
Keywords: Cc:
Port:

Description

The ssllabs analysis of our domain suggested that we should add a CAA DNS record, which lists which CAs are allowed to issue certificates for our domain. I think we're only using Let's Encrypt now, so we could just list that. This ticket is a request for comments: Can you think of any reason why we shouldn't do this?

Change History (4)

comment:1 Changed 5 years ago by Veence (Vincent)

To be honest, I've never been faced with such a request, but, I mean, as long as it can reduce the likelihood of piracy, why not? Decisively DNS records look dirtier with each passing addition. They're going to end up as hodgepodges of assorted info placed there because it wasn't fitting anywhere else.

Last edited 5 years ago by Veence (Vincent)

comment:2 Changed 5 years ago by neverpanic (Clemens Lang)

That's probably a non-issue, but are we certain that our mirror URLs provided by third parties under the macports.org domains would not be affected by this?

I'd assume none of them would offer a valid SSL certificate for the macports.org subdomain anyway, but it's worth considering.

Other than that, I don't see any issues with it.
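As an added example, not from the ticket or from MacPorts' own infrastructure: the lookup a CA performs under RFC 8659, run over a constructed zone, shows that a CAA record on macports.org also governs third-party mirror hostnames beneath it unless a mirror publishes its own CAA record. The zone contents and mirror hostnames below are hypothetical.

```python
"""Evaluate CAA policy the way a CA must (RFC 8659) over a constructed zone."""
from typing import Dict, List, Tuple

# One CAA record: (flags, tag, value). flags & 128 marks "issuer critical".
CAARecord = Tuple[int, str, str]

# Constructed zone data for illustration only; not MacPorts' real DNS.
ZONE: Dict[str, List[CAARecord]] = {
    "macports.org": [(0, "issue", "letsencrypt.org")],
    # Hypothetical mirror that publishes its own CAA, overriding the parent.
    "mirror-a.example.macports.org": [(0, "issue", "digicert.com")],
}


def relevant_rrset(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """RFC 8659 s3: use the CAA set at the name, else climb to the parent."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels.pop(0)  # no record here: try the parent domain
    return []


def issuance_allowed(name: str, issuer: str, wildcard: bool = False,
                     zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    """Return True if the CA identified by `issuer` may issue for `name`."""
    rrset = relevant_rrset(name, zone)
    # An unknown property tagged critical must make the CA refuse (s4.1).
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard names, issuewild records take precedence when present (s4.3).
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no restriction published anywhere up the tree
    # A value may carry parameters ("letsencrypt.org; validationmethods=dns-01");
    # a bare ";" means no CA at all may issue.
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    return issuer.lower() in allowed
```

In this zone, a mirror hostname without its own CAA inherits the macports.org policy, so only Let's Encrypt could issue for it; the mirror that publishes its own record is governed by that record alone.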

comment:3 Changed 5 years ago by ryandesign (Ryan Carsten Schmidt)

Searching crt.sh shows that kmq.jp, pek.cn, and sha.cn are using Let's Encrypt certificates. (We've only configured mirror_sites.tcl to use https for pek.cn; I didn't know until I searched that the other two had issued certificates.) I'm not aware of any other mirrors using https for the MacPorts hostnames; they haven't informed us of such and we haven't configured mirror_sites.tcl for it.

We have a mailing list for mirror admins, but we haven't informed the mirror admins of this yet or invited them to join it. We should do that. Then we can ask them if they have any opinions on this matter.

If the current mirror admins agree this change is reasonable, we could even recommend the use of Let's Encrypt in the mirroring instructions. They don't currently mention https because I wrote them before Let's Encrypt existed, back when getting an https certificate generally meant paying money, which I didn't want to ask our mirror admins to do.

comment:4 Changed 4 years ago by ryandesign (Ryan Carsten Schmidt)

I've contacted most of the mirror admins to request they offer https access, and many have done so, using Let's Encrypt.
