
341 points hlandau | 4 comments
1. mkj ◴[] No.37962716[source]
I looked into CAA but the current DNS provider doesn't support those records. Is there a reason it had to be a new type, not a more common TXT record?
replies(3): >>37962777 #>>37964896 #>>37968114 #
2. hlandau ◴[] No.37962777[source]
You can try to see if your provider supports "opaque" types in which you can submit the binary encoding of the record without them knowing what it is. Barring that you'll need to request support for it. It's an increasingly popular record type so not supporting it isn't terribly great service nowadays.

I'm not familiar with the discussion that went into the design of CAA (it was probably discussed at some point on the relevant IETF mailing list, if you want to go digging).
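
An added example, not part of the original comments: one way to produce the binary encoding mentioned above, assuming the provider's "opaque" input accepts the RFC 3597 generic syntax (`TYPE257 \# <length> <hex>`). The function names are hypothetical, and example.com and the policy values are constructed samples.

```python
# Added example: encode CAA records in RFC 3597 generic ("unknown type")
# syntax and decode them back to check what was actually published.
import re

CAA_TYPE = 257  # RR type code assigned to CAA

def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Wire-format CAA RDATA: flags(1) | tag length(1) | tag | value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not re.fullmatch(r"[A-Za-z0-9]{1,255}", tag):
        raise ValueError("tag must be 1..255 ASCII letters/digits")
    tag_b = tag.encode("ascii")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")

def to_generic(rdata: bytes) -> str:
    """RFC 3597 generic form: TYPE<n> \\# <byte count> <hex>."""
    return f"TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex().upper()}"

def from_generic(text: str):
    """Parse the generic form back to (flags, tag, value), checking lengths."""
    m = re.fullmatch(r"TYPE257\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)", text.strip())
    if not m:
        raise ValueError("not a TYPE257 generic record")
    rdata = bytes.fromhex(m.group(2))  # fromhex ignores embedded whitespace
    if len(rdata) != int(m.group(1)):
        raise ValueError("declared length does not match hex data")
    if len(rdata) < 2 or rdata[1] == 0 or len(rdata) < 2 + rdata[1]:
        raise ValueError("truncated CAA RDATA")
    n = rdata[1]
    return rdata[0], rdata[2:2 + n].decode("ascii"), rdata[2 + n:].decode("ascii")

if __name__ == "__main__":
    # Constructed sample policy for a placeholder zone.
    policy = [(0, "issue", "letsencrypt.org"),
              (0, "issuewild", ";"),
              (128, "iodef", "mailto:security@example.com")]
    for flags, tag, value in policy:
        line = to_generic(caa_rdata(flags, tag, value))
        assert from_generic(line) == (flags, tag, value)
        print(f"example.com. 3600 IN {line}")
```

After publishing, querying the zone for type 257 and running the answer through `from_generic` confirms the provider stored the bytes unchanged.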

3. rodlette ◴[] No.37964896[source]
See RFC5507: "Why Adding a New Resource Record Type Is the Preferred Solution"

DNS providers should support a wide range of RR types, and domain owners should vote with their NS records.

See https://github.com/StackExchange/dnscontrol/blob/master/docu... for a list of DNS providers that support CAA.

4. LinuxBender ◴[] No.37968114[source]
I have found that some providers that say they don't support it just mean in their web interface. It may be worth testing if you can set up a hidden primary server and have your provider just be a secondary to it. That is how I managed to get around that restriction with Linode.