Page MenuHomePhabricator
Create Task
Maniphest T428093

Remove Digicert CAA records from most domains
Open, In Progress, LowPublic
Actions

Description

We received a Digicert certificate approval request from an frtech employee for wikimedia.org, which caused us to want to review our usage of digicert CAA records. CAA works at the subdomain level so we can set the records for payments.wikimedia.org to allow them their issuance while removing the unnecessary records for the rest of the stack.

wikimediafoundation.org should just have LE, wikimedia.org should be left alone (for now...), but all the others in the dns repo should have digicert removed (just LE + pki.goog)

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Remove digicert CAA records from most domainsoperations/dnsmaster+1 -17
Customize query in gerrit

Event Timeline

BCornwall created this task.Wed, Jun 3, 6:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptWed, Jun 3, 6:49 PM
BCornwall changed the task status from Open to In Progress.Wed, Jun 3, 6:49 PM
BCornwall triaged this task as Low priority.
gerritbot added a comment.Wed, Jun 3, 6:50 PM

Change #1297210 had a related patch set uploaded (by BCornwall; author: BCornwall):

[operations/dns@master] Remove digicert CAA records from most domains

https://gerrit.wikimedia.org/r/1297210

gerritbot added a project: Patch-For-Review.Wed, Jun 3, 6:50 PM
ssingh added a comment.Wed, Jun 3, 7:00 PM

CAA works at the subdomain level so we can set the records for payments.wikimedia.org to allow them their issuance while removing the unnecessary records for the rest of the stack.

So payments is a CNAME and hence we can't add a CAA record for it. That leaves us with the option of either removing the CNAME, or just having fr-tech switch to pki.goog as we have done in production, but that's a longer conversation.

taavi subscribed.Wed, Jun 3, 7:02 PM
In T428093#11982860, @ssingh wrote:

So payments is a CNAME and hence we can't add a CAA record for it.

Can we not add a CAA record to the CNAME targets (payments-eqiad/codfw)?

ssingh added a comment.Wed, Jun 3, 7:03 PM
In T428093#11982863, @taavi wrote:
In T428093#11982860, @ssingh wrote:

So payments is a CNAME and hence we can't add a CAA record for it.

Can we not add a CAA record to the CNAME targets (payments-eqiad/codfw)?

We can yeah but I am not sure if there is something in the fr-tech setup that complicates that. @Jgreen can comment on those bits.

gerritbot added a comment.Thu, Jun 4, 8:18 PM

Change #1297210 merged by BCornwall:

[operations/dns@master] Remove digicert CAA records from most domains

https://gerrit.wikimedia.org/r/1297210

Maintenance_bot removed a project: Patch-For-Review.Thu, Jun 4, 8:31 PM
BCornwall reassigned this task from BCornwall to Jgreen.Thu, Jun 4, 8:36 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits