guix-commits

01/02: hydra: dns: Add CAA records for guix.gnu.org.


From: Ludovic Courtès
Subject: 01/02: hydra: dns: Add CAA records for guix.gnu.org.
Date: Wed, 1 May 2019 16:50:57 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit 5deda26806543d5032a9a6da59cc3c5a33c39312
Author: Chris Marusich <address@hidden>
Date:   Wed May 1 11:08:16 2019 -0700

    hydra: dns: Add CAA records for guix.gnu.org.
    
    * hydra/modules/sysadmin/dns.scm (guix.gnu.org.zone) <@>: Add CAA
    records allowing "letsencrypt", "amazon.com", "amazontrust.com",
    "awstrust.com", and "amazonaws.com" to issue certificates.  This was
    not required for the guix.info zone because it lacked CAA records, but
    the gnu.org zone already has a CAA record, so here it is required.
    
    Signed-off-by: Ludovic Courtès <address@hidden>
---
 hydra/modules/sysadmin/dns.scm | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/hydra/modules/sysadmin/dns.scm b/hydra/modules/sysadmin/dns.scm
index 8d368ed..eeb2898 100644
--- a/hydra/modules/sysadmin/dns.scm
+++ b/hydra/modules/sysadmin/dns.scm
@@ -60,6 +60,28 @@
   ("ns1"      ""  "IN"  "A"      bayfront-ip4)
   ("ns2"      ""  "IN"  "A"      berlin-ip4)
 
+  ;; CAA records.  See:
+  ;; https://tools.ietf.org/html/rfc6844
+  ;; https://letsencrypt.org/docs/caa/
+  ;; https://docs.aws.amazon.com/acm/latest/userguide/setup-caa.html
+  ;;
+  ;; The gnu.org domain defines a CAA record which only includes
+  ;; letsencrypt.  To allow Amazon ACM to create a TLS certificate for
+  ;; ci.guix.gnu.org, we need to override this for our zone.
+  ("@"        ""  "IN"  "CAA"    "0 issue \"letsencrypt\"")
+  ;; The ACM docs suggest any one of these records may be sufficient,
+  ;; but to avoid any possibility of problems, let's include all four.
+  ("@"        ""  "IN"  "CAA"    "0 issue \"amazon.com\"")
+  ("@"        ""  "IN"  "CAA"    "0 issue \"amazontrust.com\"")
+  ("@"        ""  "IN"  "CAA"    "0 issue \"awstrust.com\"")
+  ("@"        ""  "IN"  "CAA"    "0 issue \"amazonaws.com\"")
+  ;; We might want to create wildcard certificates in the future.
+  ("@"        ""  "IN"  "CAA"    "0 issuewild \"letsencrypt\"")
+  ("@"        ""  "IN"  "CAA"    "0 issuewild \"amazon.com\"")
+  ("@"        ""  "IN"  "CAA"    "0 issuewild \"amazontrust.com\"")
+  ("@"        ""  "IN"  "CAA"    "0 issuewild \"awstrust.com\"")
+  ("@"        ""  "IN"  "CAA"    "0 issuewild \"amazonaws.com\"")
+
   ;; Machines.
   ("hydra"    ""  "IN"  "A"      hydra-ip4)
   ("berlin"   ""  "IN"  "A"      berlin-ip4)
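Review bot: the issuer tag `"letsencrypt"` used in the `issue` and `issuewild` records for `@` should be checked against the linked Let's Encrypt CAA documentation before this zone goes live: RFC 6844 (linked in the comment) defines the `issue` property value as the CA's domain name, and the identifier Let's Encrypt publishes at https://letsencrypt.org/docs/caa/ is `letsencrypt.org`, so a record with the bare value `"letsencrypt"` would not authorize Let's Encrypt and, since the presence of any `issue` record denies every CA not listed, could block renewals of existing Let's Encrypt certificates in this zone. Suggested change: `("@" "" "IN" "CAA" "0 issue \"letsencrypt.org\"")` and likewise for the `issuewild` line. The four Amazon identifiers match the ACM docs the comment cites, and listing all four as the comment does is harmless since CAA permits any listed issuer. Consider also adding a `0 iodef` record pointing at a mailbox the sysadmins read, so that a CA seeing a request that violates these records has somewhere to report it.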


