My Profile Photo

Sheogorath's Blog

Let's Encrypt CAA parameters

Today I learned that Let’s Encrypt (LE) offers the ability to limit the validation methods used to generate a TLS certificate. This helps to reduce the effectiveness of MITM attacks. In order to do that, LE offers to add a flag to a CAA record that selects the allowed method for that domain. This allows you to individually assign validation methods like http-01 or dns-01 as part of your installation.         CAA 0 issue ";validationmethods=dns-01"

I came across this when reading up on the recent MITM attack on and the related Hacker News thread mentioning these flags.