Bug 45831 - Add CAA-Records to DNS | LDAP schema extension required
Status: NEW
Product: UCS
Classification: Unclassified
Component: DNS
UCS 5.0
Other Linux
Importance: P5 enhancement
Assigned To: UCS maintainers
Reported: 2017-12-07 10:53 CET by Nico Stöckigt
Modified: 2023-04-27 17:20 CEST
CC: 11 users

What kind of report is it?: Feature Request
Enterprise Customer affected?: Yes
School Customer affected?: Yes
Ticket number: 2017120621000217, 2022100621000292
Description Nico Stöckigt univentionstaff 2017-12-07 10:53:36 CET
For security reasons, more and more features are introduced and implemented in infrastructure-related software. If you are providing a big environment, it is nowadays becoming more common to use a SubCA. If so, it's often necessary to provide a CAA record (Certification Authority Authorization) via your DNS.

Currently this is not possible with UCS.

Add a schema extension to OpenLDAP, make it editable via UMC (UDM), and take care that it is distributed to DNS.

A next step might be to check whether the CAA record is also replicated and correctly distributed with Samba/AD as the DNS backend.
Comment 1 Lutz Willek 2019-12-08 14:09:22 CET
CAA is the amendment of the Certificate Transparency (CT). CT provides mechanisms to help domain holders identify abused or frequently issued certificates for their domains after issuance, while CAA can help prevent unauthorized issuance in advance. Together, they form a better security set than any one alone.

CAA can also help companies that have become unified, want to unify, or want to restrict the CAs they use. Before CAA, there was no easy way for companies to enforce this type of policy. But now that all CAs have to check for CAA entries, these policies can actually be enforced by the CAs.

Therefore, Enterprise Customers are also affected. Is there any plan to support CAA DNS records?
Comment 2 Lutz Willek 2019-12-08 14:10:12 CET
CAA is the amendment of the Certificate Transparency (CT). CT provides mechanisms to help domain holders identify abused or frequently issued certificates for their domains after issuance, while CAA can help prevent unauthorized issuance in advance. Together, they form a better security set than any one alone.

CAA can also help companies that have become unified, want to unify, or want to restrict the CAs they use. Before CAA, there was no easy way for companies to enforce this type of policy. But now that all CAs have to check for CAA entries, these policies can actually be enforced by the CAs.

Therefore, Enterprise Customers are affected too. Is there any plan to support CAA DNS records?
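The check a CA performs against CAA records, which the two comments above rely on, as an added example that is not part of this bug report or of UCS. It follows RFC 8659 (relevant-RRset climbing, the issuewild override for wildcard names, and the critical-flag rule); the ZONE dictionary is a constructed stand-in for a DNS lookup, and all names in it are made up.

```python
"""CAA authorization check following RFC 8659 (added example, not UCS code)."""
import re
from typing import Dict, List, Tuple

# Zone-file presentation format: <flags> <tag> "<value>", e.g. 0 issue "ca.example.net"
_CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')

# Constructed stand-in for a DNS lookup: owner name -> CAA RRset.
ZONE: Dict[str, List[str]] = {
    "example.com": ['0 issue "ca.example.net"',
                    '0 issuewild ";"',  # forbids every wildcard certificate
                    '0 iodef "mailto:security@example.com"'],
    "sub.example.com": ['128 issue "other-ca.example.org; account=123"'],
}

def parse_caa(rr: str) -> Tuple[int, str, str]:
    """Split one CAA record into (flags, tag, value); tags are case-insensitive."""
    m = _CAA_RE.match(rr.strip())
    if not m:
        raise ValueError(f"malformed CAA record: {rr!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must fit in one octet")
    return flags, m.group(2).lower(), m.group(3).strip()

def relevant_rrset(zone: Dict[str, List[str]], name: str) -> List[Tuple[int, str, str]]:
    """RFC 8659 s3: drop a leading wildcard label, then climb towards the root
    and use the first non-empty CAA RRset found."""
    labels = name.rstrip(".").lower().lstrip("*.").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse_caa(r) for r in rrset]
    return []

def issuance_allowed(zone: Dict[str, List[str]], name: str, ca: str) -> bool:
    """Is a CA whose issuer-domain-name is `ca` authorized to issue for `name`?"""
    rrset = relevant_rrset(zone, name)
    # Critical flag (bit 0 = 128) on a property the issuer does not understand: refuse.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild takes precedence for wildcard names
    applicable = [v for _, t, v in rrset if t == tag]
    if not applicable:
        return True  # no restricting property present: no CAA-based restriction
    # The issuer-domain-name precedes any ";" parameters; an empty one authorizes nobody.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return ca.lower() in allowed
```

Without any CAA record up the tree, every CA may issue; once the record exists, only the named issuer-domain-names may, which is the policy enforcement the comments describe.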
Comment 3 Arvid Requate univentionstaff 2019-12-12 21:54:15 CET
Thanks for elaborating the use cases.

> Therefore, Enterprise Customers are affected too.

Yes, I understand your point. The Bug flag "Enterprise Customer affected" is used for internal prioritization and a corresponding Ticket# is required for that. The flag is not defined as "projected cases" but "actual cases".

> Is there any plan to support CAA DNS records?

That's the purpose of this bug. I've additionally enqueued it into the Product Owner's backlog now.
Comment 4 Ingo Steuwer univentionstaff 2020-01-08 12:08:22 CET
In most cases UCS is used as an internal / "intranet" DNS only. My understanding is that in such use cases CAA records aren't that common.

Anyway, I'd be happy to see patches for this issue ;-)
Comment 7 Stefan Gohmann univentionstaff 2023-04-27 17:20:29 CEST
I'll remove the "Waiting Support" flag because it is a feature request.

Add PM and PO for prioritization.