Fixing the PKI Mess: CAA + Your Own CA via DNS
Right now, any CA can issue a certificate for your domain. Even if you set a CAA record (`issue "letsencrypt.org"`), it only controls *who* can issue, not what cert is valid. This is broken.
What if we could fix this using DNS?
#Introducing CAA+CA Fingerprint: Self-Sovereign Certificate Authority
Instead of just saying *which CA can issue*, you publish your own CA's fingerprint in DNS. If your CA issues a cert for `awesomecars.com`, browsers should validate it against the DNS-published CA key.
How It Works
You run your own CA (because why trust the cartel?). You then publish:
A CAA record specifying your own CA (with a fingerprint! )
A DNS record with your CA’s public key (like DKIM but for TLS!)
Example DNS Setup for `awesomecars.com`:
```
awesomecars.com. IN CAA 0 issue "pki.awesomecars.com; sha256=abcd1234..."
pki.awesomecars.com. IN CERT 6 0 0 (--BEGIN CERTIFICATE-- ....)
```
Now, only certs signed by your CA are valid for `awesomecars.com`, even if another CA is tricked into issuing a rogue cert. No more CA hijacking!
Why Is This Better Than the Current CA Model?
Self-Sovereign Identity: If you own the domain, you should own its PKI.
Prevents Rogue Certs: No government or rogue CA can fake a cert for your domain.
Works Like DKIM for Email: Your CA’s public key is stored in DNSSEC-protected records, just like DKIM keys for email signing.
No More External Trust Issues: You control your CA entirely, instead of relying on Google’s CA store.
Perfect for Self-Hosting & Internal Networks: No need for external CA trust—your DNS is your trust model.
Why Isn’t This a Thing Already?
Big Tech hates this idea because it removes their control:
Google wants Certificate Transparency (CT), where they control which certs are logged.
Commercial CAs make $$$ selling certs. This kills their business.
DNSSEC adoption is intentionally kept low by the same companies who don’t want this to succeed.
Browsers refuse to support TLSA for the same reason—they want centralized CA trust, not self-hosted PKI.
Who Needs to Implement This?
Self-hosters & Homelabs: Use this for your own infrastructure.
Email providers: Stop relying on public CAs!
Privacy-focused projects (Tor, Matrix, XMPP, Fediverse, etc.): A true decentralized PKI alternative.
Fediverse devs: Let’s push for DNS-based CA validation!
What do you think? Would you trust your own CA in DNS over some random commercial CA?
Boost this if you want a decentralized PKI revolution!
This keeps the focus on self-hosting your own CA, highlights the security flaws of current PKI, and calls out Big Tech’s resistance to decentralized trust.
