DNS and CAA security needs tightening on vinland.technology #2

Open
opened 2026-02-05 13:01:33 +01:00 by jeremiah · 0 comments
Owner

mail.vinland.technology has basic DNS in place (A record to 172.234.107.231 and Linode nameservers) and publishes an SPF record, but there is no DMARC record visible for this host and key DNS hardening controls like DNSSEC and CAA are not enabled.

Key issues are outlined below.

⊖ No DNSSEC enabled

Issue: DNSSEC is not enabled or validated for mail.vinland.technology.

Impact: DNS answers can be spoofed in transit, increasing the risk of traffic being redirected to attacker-controlled systems.

Recommendation: Enable DNSSEC signing in the authoritative DNS (Linode) and publish the required DS record at the parent zone.

⊖ No CAA records configured

Issue: No CAA records are published to restrict which Certificate Authorities may issue certificates for mail.vinland.technology.

Impact: Any public Certificate Authority could potentially issue a certificate for the domain, increasing exposure if a CA is misused or compromised.

Recommendation: Add CAA records authorizing only the Certificate Authorities you use, and include an iodef contact for incident reporting.

⊖ DMARC not present for this host

Issue: No DMARC policy is visible for mail.vinland.technology, so receivers lack explicit instructions for handling spoofed mail claiming to be from this domain.

Impact: Increases the likelihood of successful phishing and brand spoofing using the domain in the visible From address.

Recommendation: Publish a DMARC record at _dmarc.mail.vinland.technology starting with p=none to collect reports, then move to p=quarantine or p=reject once aligned with your legitimate sending sources.
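
An added example, not part of the original issue: a small offline check that could be used to confirm the three recommendations above once the records are published. The record set in `SAMPLE` is constructed, and `ca.example`, the `example.invalid` mailboxes, the DS digest placeholder and the dictionary keys are assumptions for illustration. The DS check only tests for presence and does not validate signatures.

```python
# Offline audit of DNS answers for the DNSSEC, CAA and DMARC findings.
# SAMPLE is constructed data, not a real lookup; all names are placeholders.
SAMPLE = {
    "DS": ["12345 13 2 <digest-placeholder>"],
    "CAA": ['0 issue "ca.example"', '0 issuewild ";"',
            '0 iodef "mailto:security@example.invalid"'],
    "DMARC_TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"],
}

def parse_caa(rdata):
    """Split '<flags> <tag> "<value>"' into (flags, tag, value)."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; ...' into a dict keyed by lower-cased tag."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(answers, allowed_cas):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not answers.get("DS"):
        findings.append("dnssec: no DS record published at the parent zone")
    caa = [parse_caa(r) for r in answers.get("CAA", [])]
    issuers = {v.split(";")[0].strip() for _, tag, v in caa if tag == "issue"}
    if not caa:
        findings.append("caa: no CAA records, any CA may issue")
    else:
        if not issuers:
            findings.append("caa: no issue property, issuance is unrestricted")
        for ca in sorted(issuers - set(allowed_cas) - {""}):
            findings.append(f"caa: unexpected issuer {ca}")
        if not any(tag == "iodef" for _, tag, _ in caa):
            findings.append("caa: no iodef contact for incident reports")
    dmarc = [parse_dmarc(t) for t in answers.get("DMARC_TXT", [])
             if t.strip().startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"dmarc: expected one v=DMARC1 record, found {len(dmarc)}")
    else:
        policy = dmarc[0].get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append(f"dmarc: invalid or missing p= tag ({policy!r})")
        elif policy == "none":
            findings.append("dmarc: p=none only collects reports, not enforcing")
        if "rua" not in dmarc[0]:
            findings.append("dmarc: no rua address, aggregate reports are lost")
    return findings
```

Calling `audit(SAMPLE, ["ca.example"])` leaves a single finding, the reminder that `p=none` is the reporting stage and not yet an enforcing policy.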

Reference
jeremiah/sverige.email#2