Hello, welcome to the Wednesday, April 26, 2017 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today we'll start not with the latest vulnerability or attack, but instead with defensive technology.

And we do have a great diary here by

Edward that tells us a little bit more about the CAA records in DNS. CAA stands for certificate

authority authorization. And if you have not heard about these records, then, well, you're not alone.

They're still fairly new.

A lot of registrars do not support them yet, which could turn out to be a problem in September.

The CA browser organization, which essentially the working group of all the browser makers,

that decides which certificate

authorities are added to browsers by default proposed to make this record mandatory starting

September of this year. So we only got about six months left. The way it's supposed to work is

this record will advertise in your zone

who is the certificate authority that's allowed to issue certificates for your domain. Now

you may list multiple certificate authorities but certificate authorities are not supposed to

issue you a domain if you don't have the correct CAA record.

Now overall it would be pretty simple and straightforward to add a record like this to your zone file

but then again if you for example use GoDad daddy to manage your DNS zone then you just don't

have the option yet to do so so I'm somewhat skeptical if the September deadline will stand

but we'll see what happens at least this way I recommend that you read up on this diary by Edward to become familiar

with the problem and with what this record actually means. There are really two things you can do

with it. You can list the certificate authorities that you are using. You can also list any

...