update information on DNS security
This commit is contained in:
parent
df8251b305
commit
7a3a5b3f57
@ -211,10 +211,13 @@
|
||||
<li>Strong cipher configurations for all of our services (SSH, TLS, etc.) with
|
||||
only modern AEAD ciphers providing forward secrecy</li>
|
||||
<li>Our web services use OCSP stapling with Must-Staple</li>
|
||||
<li>DNSSEC implemented for all of our domains, which is particularly important
|
||||
for securing email due to it relying on DNS records</li>
|
||||
<li>DANE TLSA records for pinning keys for all our TLS services (mostly helps
|
||||
to secure email due to lack of browser support)</li>
|
||||
<li>DNSSEC implemented for all of our domains</li>
|
||||
<li>DNS Certification Authority Authorization (CAA) records for all of our
|
||||
domains permitting only Let's Encrypt to issue certificates with fully
|
||||
integrated support for the experimental <code>accounturi</code> and
|
||||
<code>validationmethods</code> pinning our Let's Encrypt accounts as the only ones
|
||||
allowed to issue certificates</li>
|
||||
<li>DANE TLSA records for pinning keys for all our TLS services</li>
|
||||
<li>Our mail server enforces DNSSEC/DANE to provide authenticated encryption
|
||||
when sending mail including alert messages from the attestation service</li>
|
||||
<li>SSHFP across all domains for pinning SSH keys</li>
|
||||
|
Loading…
x
Reference in New Issue
Block a user