Add RFC 6844 CAA RR for graphite01

The DNS Certification Authority Authorization (CAA) Resource Record described in IETF RFC 6844 allows us to specify which certificate authorities we expect to issue certificates for a given hostname. This is a measure to indicate to all reputable CAs that they should not honor any request for a certificate unless they are one of the parties listed. In this case, assert that only letsencrypt.org is expected to issue certificates for the graphite CNAME, along with an E-mail address to which any identified policy violations should be reported. Change-Id: I7ccb3a177386085221f0c85b370c08fcf031703e
2019-04-14 14:23:08 +00:00 · 2019-04-14 14:23:08 +00:00 · 2d544e826f
commit 2d544e826f
parent f24b30d108
1 changed files with 3 additions and 1 deletions
--- a/zones/opendev.org/zone.db
+++ b/zones/opendev.org/zone.db
@ -2,7 +2,7 @@
 $ORIGIN opendev.org.
 $TTL 5m
@			IN	SOA	adns1.opendev.org. hostmaster.opendev.org. (
-				1555627227  ; serial number unixtime
+				1557286368  ; serial number unixtime
 				1h          ; refresh (secondary checks for updates)
 				10m         ; retry   (secondary retries failed axfr)
 				10d         ; expire  (secondary ends serving old data)
@ -37,6 +37,8 @@ gitea08			IN	A	38.108.68.22
 graphite01		IN	A	162.209.77.51
 graphite01		IN	AAAA	2001:4800:7818:103:be76:4eff:fe04:763e
 graphite		IN	CNAME	graphite01
+graphite		IN	CAA	0	issue	"letsencrypt.org"
+graphite		IN	CAA	0	iodef	"mailto:infra-root@openstack.org"
 insecure-ci-registry01	IN	AAAA	2001:4800:7818:101:be76:4eff:fe04:67f5
 insecure-ci-registry01	IN	A	104.130.132.79
 insecure-ci-registry	IN	CNAME	insecure-ci-registry01