[MacPorts] #57672: Add DNS CAA record for MacPorts domains
MacPorts
2018-11-25 12:01:07 UTC
#57672: Add DNS CAA record for MacPorts domains
----------------------------+---------------------
Reporter: ryandesign | Owner: admin@

Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: server/hosting | Version:
Keywords: | Port:
----------------------------+---------------------
The ssllabs analysis of our domain suggested that we should add a
[https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum CAA]
DNS record, which lists which CAs are allowed to issue certificates for
our domain. I think we're only using Let's Encrypt now, so we could just
list that. This ticket is a request for comments: Can you think of any
reason why we shouldn't do this?
--
Ticket URL: <https://trac.macports.org/ticket/57672>
MacPorts <https://www.macports.org/>
Ports system for macOS
MacPorts
2018-11-26 12:55:47 UTC

Comment (by Veence):

To be honest, I've never been faced with such a request, but, I mean, as
long as it can reduce the likelihood of piracy, why not?
Decisively, DNS records look dirtier with each passing addition. It's
going to end up as a hodgepodge of assorted info placed here because it
wasn't fitting anywhere else.
--
Ticket URL: <https://trac.macports.org/ticket/57672#comment:1>
MacPorts
2018-11-26 21:22:08 UTC

Comment (by neverpanic):

That's probably a non-issue, but are we certain that our mirror URLs
provided by third parties under the macports.org domains would not be
affected by this?

I'd assume none of them would offer a valid SSL certificate for the
macports.org subdomain anyway, but it's worth considering.

Other than that, I don't see any issues with it.
--
Ticket URL: <https://trac.macports.org/ticket/57672#comment:2>
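The two points raised so far, what a CAA record actually authorises and whether third-party mirrors under macports.org subdomains would be affected, both come down to how a CA evaluates CAA. The following is an added example, not MacPorts code or data: it models the RFC 8659 lookup (climb from the requested name toward the root, the first CAA RRset found is the one that applies) over a constructed zone. The `distfiles.macports.org` mirror hostnames and the `example-ca.test` issuer are hypothetical.

```python
"""Model the CAA (RFC 8659) check a CA performs before issuing.

Added example, not MacPorts code: the ZONE data below is constructed; the
mirror hostnames and the example-ca.test issuer are hypothetical.
"""
from dataclasses import dataclass

CRITICAL = 128  # issuer-critical flag bit (RFC 8659 section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @classmethod
    def parse(cls, text):
        """Parse presentation format: '<flags> <tag> "<value>"'."""
        flags, tag, value = text.split(None, 2)
        return cls(int(flags), tag.lower(), value.strip().strip('"'))

    def issuer(self):
        """Issuer domain from an issue/issuewild value; '' means 'no CA'."""
        return self.value.split(";", 1)[0].strip().lower()


# Constructed zone. Only letsencrypt.org may issue for macports.org and for
# every name beneath it that has no CAA RRset of its own; one hypothetical
# mirror publishes its own record naming a different CA, and one name
# forbids wildcard certificates outright.
ZONE = {
    "macports.org": ['0 issue "letsencrypt.org"'],
    "pek.cn.distfiles.macports.org": ['0 issue "example-ca.test"'],
    "lists.macports.org": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
}


def caa_zone_line(owner, issuer):
    """Zone-file line authorising one CA for owner (and its children)."""
    return f'{owner.rstrip(".")}. IN CAA 0 issue "{issuer}"'


def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; the first CAA RRset found applies."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in zone:
            return name, [CAARecord.parse(r) for r in zone[name]]
    return None, []


def issuance_allowed(zone, fqdn, ca, wildcard=False):
    """Return True if `ca` may issue a certificate for fqdn under CAA."""
    _, rrset = relevant_rrset(zone, fqdn)
    # A critical property the CA does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild overrides issue for wildcard names; without it, issue applies.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # nothing restricts issuance (e.g. only iodef present)
    return any(r.issuer() == ca.lower() for r in applicable)


if __name__ == "__main__":
    print(caa_zone_line("macports.org", "letsencrypt.org"))
    for host, ca in [("www.macports.org", "letsencrypt.org"),
                     ("kmq.jp.distfiles.macports.org", "example-ca.test"),
                     ("pek.cn.distfiles.macports.org", "example-ca.test")]:
        print(host, ca, issuance_allowed(ZONE, host, ca))
```

The climb is the part that answers the mirror question: a mirror hostname under macports.org with no CAA RRset of its own inherits the apex record, so a CA other than the one listed there would refuse to issue for it; a mirror that needs a different CA would need its own CAA RRset at its hostname, which then replaces (not adds to) the apex policy for that name.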
MacPorts
2018-11-26 21:58:43 UTC

Comment (by ryandesign):

[https://crt.sh/?Identity=%25macports.org&iCAID=16418 Searching crt.sh],
kmq.jp, pek.cn, and sha.cn are using Let's Encrypt certificates. (We've
only configured mirror_sites.tcl to use https for pek.cn; I didn't know
until I searched that the other two had issued certificates.) I'm not
aware of any other mirrors using https for the MacPorts hostnames; they
haven't informed us of such and we haven't configured mirror_sites.tcl for
it.

We have a mailing list for mirror admins, but we haven't informed the
mirror admins of this yet or invited them to join it. We should do that.
Then we can ask them if they have any opinions on this matter.

If the current mirror admins agree this change is reasonable, we could
even recommend the use of Let's Encrypt in the [wiki:Mirroring mirroring
instructions]. They don't currently mention https because I wrote them
before Let's Encrypt existed, back when getting an https certificate
generally meant paying money, which I didn't want to ask our mirror admins
to do.
--
Ticket URL: <https://trac.macports.org/ticket/57672#comment:3>