Univention Bugzilla – Bug 45831
Add CAA-Records to DNS | ldap schema extension required
Last modified: 2023-04-27 17:20:29 CEST
For security reasons, more and more features are introduced and implemented in infrastructure-related software. If you are running a big environment, nowadays it becomes more common to use a SubCA. If so, it's often necessary to provide a CAA record (Certification Authority Authorization) via your DNS. Currently this is not possible with UCS. Add a schema extension to OpenLDAP, make it editable via UMC (UDM) and make sure it's distributed to DNS. A next step might be to check whether the CAA record is also replicated and correctly distributed with Samba/AD as DNS backend.
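As an added example (not code from UCS or from this bug report): a small Python module that encodes a CAA record into its RFC 8659 wire format, prints it in RFC 3597 generic "TYPE257" syntax (one way to carry the record through a DNS backend or schema that has no native CAA type), and performs the issuance check a CA does before issuing, including the climb to the parent name, the "issue ;" lockout, issuewild handling and the issuer-critical flag. The zone data and names are constructed for the example; the function names are mine, not UDM's.

```python
"""CAA (RFC 8659) RDATA encoding plus the issuer-side authorization check.

Added example; zone contents below are constructed, not real DNS data.
"""
from __future__ import annotations

CAA_TYPE = 257            # RR type code assigned to CAA
CRITICAL = 0x80           # issuer-critical flag bit (presented as 128)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def encode_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """RFC 8659 4.1 wire format: flags octet, tag length octet, tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_bytes = tag.encode("ascii")
    if not (1 <= len(tag_bytes) <= 255) or not tag_bytes.isalnum():
        raise ValueError("tag must be 1-255 ASCII alphanumerics")
    return bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("utf-8")


def decode_caa_rdata(rdata: bytes) -> tuple[int, str, str]:
    """Inverse of encode_caa_rdata; rejects truncated or zero-length-tag data."""
    if len(rdata) < 2:
        raise ValueError("truncated CAA RDATA")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()   # tags are case-insensitive
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def generic_rr(owner: str, ttl: int, rdata: bytes) -> str:
    """RFC 3597 unknown-type presentation form, for backends without a CAA type."""
    return f"{owner} {ttl} IN TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex()}"


def caa_rr(owner: str, ttl: int, flags: int, tag: str, value: str) -> str:
    """Native presentation form (what a CAA-aware zone file would contain)."""
    return f'{owner} {ttl} IN CAA {flags} {tag} "{value}"'


# Constructed zone data: name -> list of (flags, tag, value). CNAMEs are not modelled.
ZONE: dict[str, list[tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],                 # nobody may issue
    "wild.example.com": [(0, "issue", "letsencrypt.org"),
                         (0, "issuewild", ";")],               # no wildcard certs at all
    "strict.example.com": [(CRITICAL, "futuretag", "x")],      # critical, unknown tag
}


def relevant_caa_set(name: str, zone=ZONE) -> list[tuple[int, str, str]]:
    """RFC 8659 3: the CAA RRset of the name itself, else the closest ancestor's."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuance_permitted(name: str, ca_domain: str, zone=ZONE, wildcard=False) -> bool:
    """Issuer-side check for ca_domain issuing a cert for name (parameters ignored)."""
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True                      # no CAA anywhere in the chain: unrestricted
    # RFC 8659 4.5: a critical property the issuer does not understand forbids issuance.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    tags = {tag for _, tag, _ in rrset}
    # issuewild governs wildcard requests only when present; otherwise issue applies.
    governing = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    values = [value for _, tag, value in rrset if tag == governing]
    if not values:
        return True                      # e.g. only iodef present: no issue restriction
    for value in values:
        issuer = value.split(";", 1)[0].strip().lower()   # "" for the ";" lockout form
        if issuer and issuer == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    rdata = encode_caa_rdata(0, "issue", "letsencrypt.org")
    print(caa_rr("example.com.", 3600, 0, "issue", "letsencrypt.org"))
    print(generic_rr("example.com.", 3600, rdata))
    print(issuance_permitted("www.example.com", "letsencrypt.org"))
```

Running the module prints the same record in both presentation forms; the generic form is what you would store and serve if the zone backend only knows RFC 3597 unknown types, and a CAA-aware resolver decodes it identically.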
CAA is the amendment of the Certificate Transparency (CT). CT provides mechanisms to help domain holders identify abused or frequently issued certificates for their domains after issuance, while CAA can help prevent unauthorized issuance in advance. Together, they form a better security set than any one alone. CAA can also help companies that have become unified, want to unify, or want to restrict the CAs they use. Before CAA, there was no easy way for companies to enforce this type of policy. But now that all CAs have to check for CAA entries, these policies can actually be enforced by the CAs. Therefore, Enterprise Customers are affected too. Is there any plan to support CAA DNS records?
Thanks for elaborating on the use cases.
> Therefore, Enterprise Customers are affected too.
Yes, I understand your point. The Bug flag "Enterprise Customer affected" is used for internal prioritization and a corresponding Ticket# is required for that. The flag is not defined as "projected cases" but "actual cases".
> Is there any plan to support CAA DNS records?
That's the purpose of this bug. I've additionally enqueued it into the Product Owner's backlog now.
In most cases UCS is used as an internal / "intranet" DNS only. My understanding is that in such use cases CAA records aren't that common. Anyway, I'd be happy to see patches for this issue ;-)
I'll remove the "Waiting Support" flag because it is a feature request. Add PM and PO for prioritization.