From 2d544e826ffa406d268c6e30ec98536683a60f57 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Sun, 14 Apr 2019 14:23:08 +0000
Subject: [PATCH] Add RFC 6844 CAA RR for graphite01

The DNS Certification Authority Authorization (CAA) Resource Record described in IETF RFC 6844 allows us to specify which certificate authorities we expect to issue certificates for a given hostname. This is a measure to indicate to all reputable CAs that they should not honor any request for a certificate unless they are one of the parties listed. In this case, assert that only letsencrypt.org is expected to issue certificates for the graphite CNAME, along with an E-mail address to which any identified policy violations should be reported.

Change-Id: I7ccb3a177386085221f0c85b370c08fcf031703e
---
zones/opendev.org/zone.db | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/zones/opendev.org/zone.db b/zones/opendev.org/zone.db
index f719c5a..52112e6 100644
--- a/zones/opendev.org/zone.db
+++ b/zones/opendev.org/zone.db
@@ -2,7 +2,7 @@
 $ORIGIN opendev.org.
 $TTL 5m
 @ IN SOA adns1.opendev.org. hostmaster.opendev.org. (
-1555627227 ; serial number unixtime
+1557286368 ; serial number unixtime
 1h ; refresh (secondary checks for updates)
 10m ; retry (secondary retries failed axfr)
 10d ; expire (secondary ends serving old data)
@@ -37,6 +37,8 @@ gitea08 IN A 38.108.68.22
 graphite01 IN A 162.209.77.51
 graphite01 IN AAAA 2001:4800:7818:103:be76:4eff:fe04:763e
 graphite IN CNAME graphite01
+graphite IN CAA 0 issue "letsencrypt.org"
+graphite IN CAA 0 iodef "mailto:infra-root@openstack.org"
 insecure-ci-registry01 IN AAAA 2001:4800:7818:101:be76:4eff:fe04:67f5
 insecure-ci-registry01 IN A 104.130.132.79
 insecure-ci-registry IN CNAME insecure-ci-registry01
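Review bot: The two new CAA records in the second hunk are placed at owner name `graphite`, which the context line immediately above defines as a CNAME to `graphite01`; RFC 1034 §3.6.2 forbids any other data at a CNAME owner, so authoritative servers such as BIND will most likely refuse the zone with a "CNAME and other data" error (named-checkzone flags it), leaving the intended issuance restriction unenforced. Because the RFC 6844 lookup algorithm follows the alias to its canonical name, the policy should be attached to the target instead: `graphite01 IN CAA 0 issue "letsencrypt.org"` and `graphite01 IN CAA 0 iodef "mailto:infra-root@openstack.org"`. The commit subject already says "for graphite01", so this also brings the zone into line with the stated intent. Running `named-checkzone opendev.org zones/opendev.org/zone.db` before the serial is published would catch this class of mistake; the serial bump in the first hunk is fine on its own.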