update information on DNS security

2021-03-23 10:05:42 -04:00 · 2021-03-23 10:05:42 -04:00 · 7a3a5b3f57
commit 7a3a5b3f57
parent df8251b305
1 changed files with 7 additions and 4 deletions
--- a/static/features.html
+++ b/static/features.html
@ -211,10 +211,13 @@
                    <li>Strong cipher configurations for all of our services (SSH, TLS, etc.) with
                    only modern AEAD ciphers providing forward secrecy</li>
                    <li>Our web services use OCSP stapling with Must-Staple</li>
-                    <li>DNSSEC implemented for all of our domains, which is particularly important
-                    for securing email due to it relying on DNS records</li>
-                    <li>DANE TLSA records for pinning keys for all our TLS services (mostly helps
-                    to secure email due to lack of browser support)</li>
+                    <li>DNSSEC implemented for all of our domains</li>
+                    <li>DNS Certification Authority Authorization (CAA) records for all of our
+                    domains permitting only Let's Encrypt to issue certificates with fully
+                    integrated support for the experimental <code>accounturi</code> and
+                    <code>validationmethods</code> pinning our Let's Encrypt accounts as the only ones
+                    allowed to issue certificates</li>
+                    <li>DANE TLSA records for pinning keys for all our TLS services</li>
                    <li>Our mail server enforces DNSSEC/DANE to provide authenticated encryption
                    when sending mail including alert messages from the attestation service</li>
                    <li>SSHFP across all domains for pinning SSH keys</li>