From 7a3a5b3f571d85906b7f4c7d1c64ae411b01c687 Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Tue, 23 Mar 2021 10:05:42 -0400
Subject: [PATCH] update information on DNS security

---
 static/features.html | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/static/features.html b/static/features.html
index 12407b64..44633f19 100644
--- a/static/features.html
+++ b/static/features.html
@@ -211,10 +211,13 @@
                     <li>Strong cipher configurations for all of our services (SSH, TLS, etc.) with
                     only modern AEAD ciphers providing forward secrecy</li>
                     <li>Our web services use OCSP stapling with Must-Staple</li>
-                    <li>DNSSEC implemented for all of our domains, which is particularly important
-                    for securing email due to it relying on DNS records</li>
-                    <li>DANE TLSA records for pinning keys for all our TLS services (mostly helps
-                    to secure email due to lack of browser support)</li>
+                    <li>DNSSEC implemented for all of our domains</li>
+                    <li>DNS Certification Authority Authorization (CAA) records for all of our
+                    domains permitting only Let's Encrypt to issue certificates with fully
+                    integrated support for the experimental <code>accounturi</code> and
+                    <code>validationmethods</code> pinning our Let's Encrypt accounts as the only ones
+                    allowed to issue certificates</li>
+                    <li>DANE TLSA records for pinning keys for all our TLS services</li>
                     <li>Our mail server enforces DNSSEC/DANE to provide authenticated encryption
                     when sending mail including alert messages from the attestation service</li>
                     <li>SSHFP across all domains for pinning SSH keys</li>