update information on DNS security

This commit is contained in:
Daniel Micay 2021-03-23 10:05:42 -04:00
parent df8251b305
commit 7a3a5b3f57

View File

@ -211,10 +211,13 @@
<li>Strong cipher configurations for all of our services (SSH, TLS, etc.) with
only modern AEAD ciphers providing forward secrecy</li>
<li>Our web services use OCSP stapling with Must-Staple</li>
<li>DNSSEC implemented for all of our domains, which is particularly important
for securing email due to it relying on DNS records</li>
<li>DANE TLSA records for pinning keys for all our TLS services (mostly helps
to secure email due to lack of browser support)</li>
<li>DNSSEC implemented for all of our domains</li>
<li>DNS Certification Authority Authorization (CAA) records for all of our
domains permitting only Let's Encrypt to issue certificates with fully
integrated support for the experimental <code>accounturi</code> and
<code>validationmethods</code> pinning our Let's Encrypt accounts as the only ones
allowed to issue certificates</li>
<li>DANE TLSA records for pinning keys for all our TLS services</li>
<li>Our mail server enforces DNSSEC/DANE to provide authenticated encryption
when sending mail including alert messages from the attestation service</li>
<li>SSHFP across all domains for pinning SSH keys</li>