Hurricane Electric's IPv6 Tunnel Broker Forums

DNS.HE.NET Topics => General Questions & Suggestions => Topic started by: maleks on December 22, 2015, 03:56:12 PM

Title: CAA records
Post by: maleks on December 22, 2015, 03:56:12 PM
Hello HE!

I would like to see support for adding CAA records if that is possible:
DNS Certification Authority Authorization (CAA) uses the Internet's Domain Name System to specify which Certificate Authorities may be regarded as authoritative for a domain. This is intended to support additional cross-checking at the client end of TLS connections to attempt to prevent certificates issued by CAs other than the specified CAs from being used to spoof the identity of websites or perform man-in-the-middle attacks on them.

https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization

Thanks ;)
Title: Re: CAA records
Post by: chaz6 on December 31, 2015, 07:45:16 AM
I support this change.
Title: Re: CAA records
Post by: passport123 on December 31, 2015, 12:17:21 PM

I like this cross-check concept.  I am already doing a similar thing for two of my domains using TLSA records.
Title: Re: CAA records
Post by: notzac on January 06, 2016, 10:40:56 PM
I'd love to be able to set CAA records for my domains as well!
Title: Re: CAA records
Post by: kcochran on January 07, 2016, 07:34:54 AM
Not currently supported by the backend, and their roadmap doesn't have it as a high priority.

CAA records, while noted as a possible cross-check on wikipedia, seem to not be headed that way based on the feature requests for FF and Chrome.  The use case for CAA records seems to have focused on CAs being the consumer of the record prior to cert issuance (and mandating use of them when available as part of the requirements to remain in the root cert store on those browsers), and then any DNS-based cert verification on the client-side would be handled by DANE.
Title: Re: CAA records
Post by: HQuest on June 26, 2016, 04:35:57 PM
Well, we now have BIND and NSD supporting CAA. And Let's Encrypt is getting some pace...
Title: Re: CAA records
Post by: HQuest on March 22, 2017, 07:21:02 PM
A few months have passed, many places are relying on/verifying DANE entries, and is it still out of scope for the HE DNS servers?

Sorry to "resurrect" a topic - making a new one for this year-old question would have a lesser effect. After all, this one has, uh, history.
Title: Re: CAA records
Post by: PepperdotNet on April 04, 2017, 12:37:43 PM
Add 1 to the vote total for implementing this, please.
Title: Re: CAA records
Post by: snarked on April 04, 2017, 01:41:52 PM
Vote yes +1.

I have already added these records to my DNS zones, of which HE's DNS servers are secondary servers for the zones.
Title: Re: CAA records
Post by: universite on April 18, 2017, 09:36:17 PM
Vote yes +
Title: Re: CAA records
Post by: lasaine on April 19, 2017, 02:47:15 AM
Having a valid CAA record becomes mandatory in order to get a TLS certificate:
https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/

So I'd say it's time to reconsider the priority of adding this feature.
Title: Re: CAA records
Post by: royce on April 28, 2017, 08:02:00 AM
@kcochran, given the CA/B forum vote that @lasaine already cited, I'm working on a list of the status of provider CAA support here:

https://gist.github.com/roycewilliams/1710ade469c05eb0b090d268470aa741

Can you tell us whether there is an explicit feature request / RFE for CAA record support, and/or if there is an updated ETA from your post in January 2016?

[ Edit: fixed typo in handle for kcochran / @kcochran ]
Title: Re: CAA records
Post by: Gary P on May 05, 2017, 09:20:38 AM
After some digging it seems that the DNS server software he.net use has been updated to support CAA records, but it requires them to do a major version upgrade, so it is likely non-trivial.

I also have CAA records in my DNS zones that he.net secondary and would appreciate it if they update to a version of the server software that supports the record type.
Title: Re: CAA records
Post by: artturnip on May 18, 2017, 12:00:29 PM
I would also love to see support for DNS CAA records using Hurricane Electric DNS!
Title: Re: CAA records
Post by: patrikx3 on July 11, 2017, 03:25:57 AM
Vote yes +
Title: Re: CAA records
Post by: BasicXP on July 13, 2017, 03:18:37 PM
Agreed, this would be a nice feature to have. Honestly doesn't sound like a complicated thing to do. What would be great is to have customizable RR types, so there's no need to wait for each new type to be added.
Title: Re: CAA records
Post by: dhoepfl on July 27, 2017, 06:02:21 AM
In case you missed it: CAA is available now. ("Additional").
Title: Re: CAA records
Post by: fedux on August 02, 2017, 12:59:02 PM
According to the news page, it seems that CAA records have been implemented:

"CAA Record Support
 
We've added the CAA record type!
After many requests, we have completed the backend upgrades required to enable the CAA record type."

However, when querying my slave zone I get SERVFAIL, and the record is listed as TYPE257 instead of CAA.

Can anyone confirm that this is actually working?
Title: Re: CAA records
Post by: kcochran on August 02, 2017, 02:47:33 PM
257 is the CAA record number.  If it's showing up as "TYPE257" instead of "CAA", and therefore with the raw record data instead of a nicely formatted reply, that's a function of your DNS query client not supporting the record type.

As to the rest, email dnsadmin@he.net with the hostname you're seeing issues with.
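The TYPE257 output kcochran describes is the RFC 3597 "unknown type" form (`\# <length> <hex octets>`) that a resolver or client without CAA support prints instead of the `flags tag "value"` presentation format. The following is an added example, not code from this thread or from HE: it decodes that raw form into a CAA record per RFC 6844 (one flags octet, one tag-length octet, the tag, then the value), encodes the presentation form back to wire bytes, and implements the issuer-side check that the thread says CAs perform before issuance. The sample record (`0 issue "letsencrypt.org"`) and the CA identifiers used in the checks are constructed for the example.

```python
# Added example: decode/encode CAA (RR type 257) RDATA and apply the RFC 6844
# issuance rules. Not part of the HE forum thread or HE's software.
import re
import struct

CAA_TYPE = 257  # RR type number for CAA, which is what "TYPE257" refers to

# Constructed sample: what a client lacking CAA support prints for
# 0 issue "letsencrypt.org" (22 octets of RDATA, RFC 3597 generic syntax).
SAMPLE_GENERIC = "\\# 22 00056973 7375656c 65747365 6e637279 70742e6f 7267"


def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """Build CAA RDATA: flags (1 octet), tag length (1 octet), tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not (1 <= len(tag_b) <= 255) or not tag_b.isalnum():
        raise ValueError("tag must be 1-255 alphanumeric US-ASCII octets")
    return struct.pack("!BB", flags, len(tag_b)) + tag_b + value.encode("utf-8")


def decode_caa(rdata: bytes) -> tuple:
    """Split CAA RDATA into (flags, tag, value); reject truncated records."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than the two fixed octets")
    flags, tag_len = struct.unpack("!BB", rdata[:2])
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA tag length does not fit in RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag.lower(), value  # tags are case-insensitive


def rfc3597_to_rdata(generic: str) -> bytes:
    """Parse RFC 3597 '\\# <len> <hex...>' text into raw RDATA bytes."""
    m = re.fullmatch(r"\\#\s+(\d+)((?:\s+[0-9a-fA-F]+)*)\s*", generic.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA")
    length = int(m.group(1))
    raw = bytes.fromhex("".join(m.group(2).split()))
    if len(raw) != length:
        raise ValueError(f"declared length {length} != {len(raw)} octets")
    return raw


def to_presentation(rdata: bytes) -> str:
    """Render RDATA as the familiar zone-file form: flags tag "value"."""
    flags, tag, value = decode_caa(rdata)
    return f'{flags} {tag} "{value}"'


def is_critical(flags: int) -> bool:
    """Bit 0 (0x80) is the Issuer Critical flag."""
    return bool(flags & 0x80)


def ca_may_issue(records, ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 6844 check over the relevant CAA RRset, given as (flags, tag, value)
    tuples. ca_domain is the issuer domain name the CA has published."""
    for flags, tag, _ in records:
        if is_critical(flags) and tag not in ("issue", "issuewild", "iodef"):
            return False  # unknown property marked critical: CA must not issue
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild overrides issue for wildcard names only when present
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no issue/issuewild property: CAA does not restrict issuance
    for value in relevant:
        domain = value.split(";", 1)[0].strip().lower()  # drop parameters
        if domain and domain == ca_domain.lower():
            return True
    return False  # covers 'issue ";"', which authorizes no CA at all


if __name__ == "__main__":
    rdata = rfc3597_to_rdata(SAMPLE_GENERIC)
    print(to_presentation(rdata))
    print(ca_may_issue([decode_caa(rdata)], "letsencrypt.org"))
```

Run against a real zone by pasting the `\# ...` text your client prints into `rfc3597_to_rdata`; if the declared length and the hex disagree, the parser refuses rather than silently decoding a truncated record.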
Title: Re: CAA records
Post by: fedux on August 03, 2017, 01:14:47 AM
Quote from: kcochran on August 02, 2017, 02:47:33 PM
257 is the CAA record number.  If it's showing up as "TYPE257" instead of "CAA", and therefore with the raw record data instead of a nicely formatted reply, that's a function of your DNS query client not supporting the record type.

Yes, I know, but I'm talking about HE's web interface, my client is fine and also when querying my own master is fine.

Quote from: kcochran on August 02, 2017, 02:47:33 PM
As to the rest, email dnsadmin@he.net with the hostname you're seeing issues with.

Thanks, will do.