I concur in full with Nick Lamb's comments and positions on this matter.
There is no reasonable short cut to actually doing the DNSSEC thing if we want
to usefully intertwine those technologies at all.
There IS significant benefit in enforcing complete DNSSEC validation for (all)
the domain
Gerv, rather than start by digging into the specific technical details, let me
ask a high level question.
Suppose I have deployed DNSSEC for my domain tlrmx.org and I have a CAA record
saying to only permit the non-existent Gotham Certificates gotham.example to
issue.
You say you don't want
Hi,
just wanted to update that Certum has also issued on this domain:
https://crt.sh/?id=209378608
I have opened a support ticket, which has led to revocation but not a qualified
statement as to what happened yet.
Kind regards
Quirin
smime.p7s
Description: S/MIME cryptographic signature
Dear Nikos,
On Wed, Sep 13, 2017 at 9:39 AM, Nikos Mavrogiannopoulos
wrote:
> On Tue, Sep 12, 2017 at 2:59 PM, Dmitry Belyavsky
> wrote:
> > Hello,
> >
> > Here is the new version of the draft updated according to the discussion
> on
> > mozilla-dev-security
Thanks Quirin, we´re working with Primekey to know what happened (we´ll
generate a report once known) and will contact you if necessary to check
that info you have.
Regarding the logs, the log message actually means that CAA either
explicitly permitted the issuance, or implicitly permitted
5 matches
Mail list logo