From 2e7d38520d29a60055fbc2283504be3c91e89870 Mon Sep 17 00:00:00 2001
Message-Id: <2e7d38520d29a60055fbc2283504be3c91e89870.1714168849.git.mdw@distorted.org.uk>
From: Mark Wooding
Date: Wed, 20 Sep 2017 22:46:08 +0100
Subject: [PATCH] *.lisp: Add CAA records to discourage wrong CAs from issuing.
Organization: Straylight/Edgeware

From: Mark Wooding

CAs are generally uselsss and can't be relied on to take any notice, but it's better than nothing. Add a record for our own CA for form's sake, even though I don't take any notice.
---
binswood.lisp | 4 ++++
distorted.lisp | 4 ++++
escorted.lisp | 4 ++++
odin.lisp | 4 ++++
4 files changed, 16 insertions(+)

diff --git a/binswood.lisp b/binswood.lisp
index 957273c..322929d 100644
--- a/binswood.lisp
+++ b/binswood.lisp
@@ -21,6 +21,10 @@ (defzone binswood.org.uk
 (mythic-beasts-2.ns :ip mythic-ns2)
 (mythic-beasts-3.ns :ip mythic-ns3))
 
+ ;; Certification.
+ :caa ((:issue "letsencrypt.org")
+ (:issue "distorted.org.uk"))
+
 ;; Internal hosts.
 (binswrt :a binswrt.binswood)
 (mango :a mango.binswood)
diff --git a/distorted.lisp b/distorted.lisp
index d71124a..e17768b 100644
--- a/distorted.lisp
+++ b/distorted.lisp
@@ -77,6 +77,10 @@ (defzone distorted.org.uk
 #-view/inside (mythic-beasts-3.ns :ip mythic-ns3)
 #-view/inside (chiark.ns :ip chiark.greenend.org.uk))
 
+ ;; Certification.
+ :caa ((:issue "letsencrypt.org")
+ (:issue "distorted.org.uk"))
+
 ;; Mail servers.
 ((@ mail blackhole) :mx mail :srv ((:smtp mail)))
 ((bugs) :ttl 300 :mx lists :srv ((:smtp bugs)))
diff --git a/escorted.lisp b/escorted.lisp
index ab5c5b3..e2f542d 100644
--- a/escorted.lisp
+++ b/escorted.lisp
@@ -20,6 +20,10 @@ (defzone escorted.org.uk
 ;; Web service.
 ((@ www) :svc stratocaster)
 
+ ;; Certification.
+ :caa ((:issue "letsencrypt.org")
+ (:issue "distorted.org.uk"))
+
 ;; Mail servers
 :mx ((mail :ip stratocaster))
 :srv ((:smtp mail))
diff --git a/odin.lisp b/odin.lisp
index 3ef3a87..f17fc24 100644
--- a/odin.lisp
+++ b/odin.lisp
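Review bot: With only `:issue` tags and no `issuewild` entry, the two listed CAs are also permitted to issue wildcard certificates for binswood.org.uk, because RFC 8659 falls back to the `issue` set when no `issuewild` record exists. If wildcards are not wanted, add `(:issuewild ";")` next to the two `:issue` entries (`";"` is the RFC's "no CA may issue" value); if they are, an explicit `(:issuewild "letsencrypt.org")` records that decision rather than leaving it to the fallback rule. Whether `defzone`'s `:caa` accepts an `:issuewild` tag is not visible from the hunk, so confirm against the DSL. The `defzone binswood.org.uk` form these records sit in starts before the hunk.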
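Review bot: The new `:caa` set for distorted.org.uk has no `iodef` entry, so a CA that does honour these records and refuses a request has nowhere to report the attempt, and the commit message's own expectation that CAs won't "take any notice" makes the reporting channel the more useful half of CAA. Consider adding `(:iodef "mailto:<contact address>")` alongside the two `:issue` entries, assuming the `:caa` syntax accepts that tag. Unlike the adjacent `#-view/inside` NS records, the CAA record is unconditional and will therefore also be served in the inside view; that is harmless, but a short comment such as `;; Served in all views; only the public one matters to CAs.` would make the asymmetry look deliberate. The `defzone distorted.org.uk` form starts before the hunk.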
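Review bot: `(:issue "letsencrypt.org")` allows any Let's Encrypt account, not just yours, to obtain certificates for escorted.org.uk, which is the main residual risk once a domain is pinned to an ACME CA. Let's Encrypt honours the RFC 8657 `accounturi` and `validationmethods` parameters, so `(:issue "letsencrypt.org; accounturi=<your ACME account URL>")` would bind issuance to one account, provided the zone DSL passes the parameter string through to the record unchanged; I cannot tell from the hunk whether it does, so check the CAA serialiser before relying on this. The `defzone escorted.org.uk` form starts before the hunk.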
@@ -19,6 +19,10 @@ (defzone odin.gg
 :tlsa (:https (:service-certificate-constraint :public-key :sha-256 #p"https-stratocaster")))
 
+ ;; Certification.
+ :caa ((:issue "letsencrypt.org")
+ (:issue "distorted.org.uk"))
+
 ;; Mail servers
 :mx ((mail :ip stratocaster))
 :srv ((:smtp mail))
-- 
[mdw]
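Review bot: The identical two-entry `:caa` list is now pasted verbatim into four zones (this hunk and the three before it), so adding, removing or parameterising a CA means four edits that can silently drift apart. If the DSL allows a non-literal value here, define the list once, for example `(defparameter *caa-policy* '((:issue "letsencrypt.org") (:issue "distorted.org.uk")))`, and reference it from each `defzone`; whether `:caa` is evaluated or read as a literal is not visible in the hunk, so this depends on that. Note that the odin.gg zone also carries the `:tlsa` service-certificate constraint shown as context, which DANE-aware clients will enforce independently of what any CA does with the CAA record. The `defzone odin.gg` form, including that `:tlsa` record, starts before the hunk.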