Add support for CAA DNS records (type 257)

Royce Williams shared this idea 3 months ago
Open Discussion

As a server administrator I would like cPanel to provide support for CAA DNS records, to increase server security by defining which certificate authorities are authorized to issue certificates for my domain.

Best Answer

Thanks for the suggestion! Currently, it looks like those records are only supported in PowerDNS 4.0+ and Bind 9.9.6:

https://doc.powerdns.com/md/types/#caa

ftp://ftp.isc.org/isc/bind/9.9.6/RELEASE-NOTES-BIND-9.9.6.txt

For Bind, we use the OS-provided version and CentOS 7 only ships with Bind 9.9.4. We currently ship PowerDNS 3.4. While upgrading the version of PowerDNS that we ship is an option, it's not one we've considered yet, and it's unknown how much development resources would be needed. At the very minimum it's non-trivial. Currently we don't see getting to this for a while, but as soon as we do we'll make sure to keep this in mind!

Comments (19)

3

Benny, thanks! It's a good marker for an eventual future add.

That being said, it may be possible sooner. You can add arbitrary record types to BIND and NSD, using RFC 3597 syntax:

example.com. TYPE257 \# 8 000569737375653B

And really, it would be a pretty great add, and allow early adopters to do all sorts of things quickly without feature requests, by adding support in the UI for adding custom DNS records types by number. That seems like a separate feature request to me; I will make that.

Part of my motivation is that the latest version of the Qualys SSL Labs Server test now checks for the existence of CAA records:

https://blog.qualys.com/ssllabs/2017/01/13/whats-new-ssl-labs-1-26-5

Note also that it's definitely a work in progress at the CA end of support. People can track progress here, and also learn about CAA generally:

https://sslmate.com/labs/caa/

Thanks again!
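The RFC 3597 line above is just the CAA RDATA written as raw hex: one flags byte, one tag-length byte, the tag, then the value. The following script is an added example (not cPanel's code or anything from this thread) that builds that generic-format line from a structured CAA record, parses it back with length checking, and then applies a simplified version of the CA-side check from RFC 6844 (a CA's identifying domain such as "letsencrypt.org" is a constructed placeholder, and the "no CAA record means anyone may issue" rule matches what is stated later in the thread).

```python
# Added example: encode/decode CAA (type 257) RDATA in RFC 3597 generic
# zone-file syntax, and evaluate a simplified RFC 6844 issuance check.
# Not cPanel's code; CA names used in tests are constructed placeholders.

CAA_TYPE = 257
CRITICAL_FLAG = 0x80            # RFC 6844 "issuer critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def encode_caa(flags, tag, value):
    """Return the wire-format RDATA of a CAA record: flags, tag length, tag, value."""
    tag_b = tag.encode("ascii")
    value_b = value.encode("utf-8")
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    if not 1 <= len(tag_b) <= 255:
        raise ValueError("tag must be 1..255 bytes")
    return bytes([flags, len(tag_b)]) + tag_b + value_b


def decode_caa(rdata):
    """Parse CAA RDATA back into (flags, tag, value), rejecting truncated data."""
    if len(rdata) < 2:
        raise ValueError("RDATA too short for flags + tag length")
    flags, taglen = rdata[0], rdata[1]
    if taglen == 0 or len(rdata) < 2 + taglen:
        raise ValueError("tag length does not fit in RDATA")
    tag = rdata[2:2 + taglen].decode("ascii")
    value = rdata[2 + taglen:].decode("utf-8")
    return flags, tag, value


def to_rfc3597(owner, rdata, rtype=CAA_TYPE):
    """Render '<owner> TYPEnnn \\# <len> <hex>' as accepted by BIND/NSD per RFC 3597."""
    return f"{owner} TYPE{rtype} \\# {len(rdata)} {rdata.hex().upper()}"


def parse_rfc3597(line):
    """Parse an RFC 3597 generic line into (owner, rtype, rdata), checking the length field."""
    parts = line.split()
    owner, idx = parts[0], 1
    if parts[idx].upper() in ("IN", "CH", "HS"):   # class is optional in zone files
        idx += 1
    if not parts[idx].upper().startswith("TYPE"):
        raise ValueError("expected TYPEnnn token")
    rtype = int(parts[idx][4:])
    if parts[idx + 1] != "\\#":
        raise ValueError("expected \\# marker")
    length = int(parts[idx + 2])
    rdata = bytes.fromhex("".join(parts[idx + 3:]))  # hex may be split into words
    if len(rdata) != length:
        raise ValueError(f"declared length {length} != actual {len(rdata)}")
    return owner, rtype, rdata


def issuance_allowed(caa_records, ca_domain):
    """Simplified RFC 6844 check for a non-wildcard certificate.

    caa_records: list of (flags, tag, value) found for the domain.
    Returns True if a CA identified by ca_domain may issue.
    """
    # An unknown property marked critical must block issuance.
    for flags, tag, _ in caa_records:
        if flags & CRITICAL_FLAG and tag.lower() not in KNOWN_TAGS:
            return False
    issue_values = [v for _, t, v in caa_records if t.lower() == "issue"]
    if not issue_values:            # no 'issue' property: treated as "allow everything"
        return True
    for value in issue_values:
        name = value.split(";", 1)[0].strip()   # parameters after ';' are ignored here
        if name and name.lower() == ca_domain.lower():
            return True
    return False                    # 'issue ";"' (empty issuer) forbids all CAs


if __name__ == "__main__":
    rdata = encode_caa(0, "issue", ";")
    line = to_rfc3597("example.com.", rdata)
    print(line)
    print(decode_caa(parse_rfc3597(line)[2]))
```

Running the block prints the same generic-format line quoted in the comment above, and decoding it shows flags 0, tag "issue" and value ";", i.e. a record that tells every CA not to issue for example.com.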

1

This could be a feature that is only available with PowerDNS, as already happens with DNSSEC.

I, like Royce, am very interested since Qualys now tests for a CAA record on the SSL test.

1

Excellent idea. Would it be possible for BIND?

1

Right now it's not likely, but that doesn't mean it won't be by the time we get to this request. It depends on too many factors to know for sure at this time.

1

That better change, as it was announced today that SSL certificates will no longer be issued after September without this record. It's going to be a requirement during the validation process.

1

wired420 - no, it's not a requirement for anyone to publish CAA - but it's mandatory for certificate authorities to actually look for them, and respect the CAA record.

In case no CAA is specified, it's seen as "I allow everything".

1

It's silly this is taking so long to add; it's not something new, it was a proposed standard "over 4 years ago". It's sad, but there are many CAs that issue bad certs and this is one step needed in helping with that issue. Still no word on an estimated time frame for getting CAA added?

1

No updates yet, but it's on our radar for the next planning meeting. I'll be here as soon as there are.

1

I really hope you guys are working on this. The future of the web is HTTPS, and a very important next step that is missing from cPanel's side at the moment is CAA records.

2

The CA/Browser Forum has announced that CAA records will be mandated by September 2017.

https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

2

A very important development indeed.

Hopefully this means cPanel is now able to treat this issue as being among the top priorities, since this would be a blocker if not implemented by the deadline.

As you’ve mentioned, RFC 3597 can be used to allow BIND to do this without having to worry about upgrading it to 9.9.6+.

1

So this is becoming of high importance to implement, especially since we have AutoSSL and more and more websites with cPanel are now using Comodo and Let's Encrypt certs.

4

Hey all! I just wanted to say that we saw the news, but haven't finalized anything internally yet. I'll be back with an update as soon as I have one.

1

Time is closing quickly, and after you get it done it's going to take a good while for everyone to update, so I hope it's almost done.

2

For older PowerDNS and Bind versions you can specify unknown DNS record types according to RFC 3597.

2

That's definitely one potential solution.

1

Come on guys and dolls, this may well be mandatory by September 2017.

1

Yup, we're keeping an eye on it.

Comments have been locked on this page!