Harden CAA records in DNS

Our CAA records are relatively broad, and in the context of tpo/tpa/team#41374, we could benefit from narrowing the down a little.

$ dig +short caa torproject.org
128 issuewild ";"
0 iodef "mailto:torproject-admin@torproject.org"
128 issue "globalsign.com"
128 issue "letsencrypt.org"

Let's Encrypt has good documentation on CAA records: https://letsencrypt.org/docs/caa

Based on this, we should:

• narrow down the scope of the globalsign.com origin
• add caa records for all subdomain letsencrypt.org certificates generated outside puppet
• tie our main account number to the top-level letsencrypt.org origin

added DNS Next TLS labels

assigned to @lavamind

This issue has been waiting for information two weeks or more. It needs attention. Please take care of this before the end of 2023-12-06. ~"Needs Information" tickets will be moved to the Icebox after that point.

(Any ticket left in Needs Review, Needs Information, Next, or Doing without activity for 14 days gets such notifications. Make a comment describing the current state of this ticket and remove the Stale label to fix this.)

To make the bot ignore this ticket, add the bot-ignore label.

added Stale label

added Doing label and removed Next label

narrow down the scope of the globalsign.com origin

I believe the only certificates signed by this provider concern the cdn-fastly.torproject.org domain. Thus, we should move the CAA entry authorising certificate issuance by globalsign.com from @ to cdn-fastly.

Let's encrypt certificates generated independently of Puppet:

• btcpay.torproject.org generated by Docker container (account ID 100127508)
• <branch>.donate-review.torproject.org generated by mod_md (account ID 1165984097)

I don't believe there are any others.

I've added CAA records to tie both of these subdomains to the lets encrypt account on these systems.

marked the checklist item narrow down the scope of the globalsign.com origin as completed

marked the checklist item add caa records for all subdomain letsencrypt.org certificates generated outside puppet as completed

marked the checklist item tie our main account number to the top-level letsencrypt.org origin as completed

I've adjusted our letsencrypt CAA records on torproject.org and torproject.net to the "account uri" we use to request and renew certificates on nevii.

Any certificate issuance problems that might stem from these changes shouldn't have any immediate or short-term impact, as we renew certs typically 30 days before certificate's expiration. So we should be able to spot any issues during the course of the next few days/weeks.

No dehydrated logs have been mailed, so the main certificate renewal process is working, and several Let's Encrypt certificates were indeed renewed in the last few days (eg. support.torproject.org), indicating the modification to the top-level CAA record is working.

added Needs Review label and removed Doing label

Added some docs at wiki-replica@41c7dd0c

removed Stale label

added Doing label and removed Needs Review label

Main Let's Encrypt certificates are being renewed as normal.

btcpay.torprojetc.org hasn't renewed yet, but only because it's only due in January.

@anarcat I looked into our Nagios config but I couldn't find a straightforward way we could just monitor that certificate, do you know of a way?

added Needs Review label and removed Doing label