Add support for CAA DNS records (type 257)

Royce Williams shared this idea 5 months ago
Open Discussion

As a server administrator I would like cPanel to provide support for CAA DNS records, to increase server security by defining which certificate authorities are authorized to issue certificates for my domain.

Best Answer

One of our feature teams has been working on getting this added to the Zone Editor. It's currently aimed for version 68, since we have already completed feature development for version 66. Our goal is to backport the updates to version 66, allowing users to have this as part of the zone editor before the mandatory verification of any existing CAA records comes into play. There are many potential technical limitations to that, however, so I can't make any promises at this time. If you have questions, feel free to let me know!

Comments (21)

2

Thanks for the suggestion! Currently, it looks like those records are only supported in PowerDNS 4.0+ and Bind 9.9.6:

https://doc.powerdns.com/md/types/#caa

ftp://ftp.isc.org/isc/bind/9.9.6/RELEASE-NOTES-BIND-9.9.6.txt

For Bind, we use the OS-provided version and CentOS 7 only ships with Bind 9.9.4. We currently ship PowerDNS 3.4. While upgrading the version of PowerDNS that we ship is an option, it's not one we've considered yet, and it's unknown how many development resources would be needed. At the very minimum it's non-trivial. Currently we don't see getting to this for a while, but as soon as we do we'll make sure to keep this in mind!

3

Benny, thanks! It's a good marker for an eventual future add.

That being said, it may be possible sooner. You can add arbitrary record types to BIND and NSD, using RFC 3597 syntax:

example.com. TYPE257 \# 8 000569737375653B

And really, it would be a pretty great add, and allow early adopters to do all sorts of things quickly without feature requests, by adding support in the UI for adding custom DNS records types by number. That seems like a separate feature request to me; I will make that.

Part of my motivation is that the latest version of the Qualys SSL Labs Server test now checks for the existence of CAA records:

https://blog.qualys.com/ssllabs/2017/01/13/whats-new-ssl-labs-1-26-5

Note also that it's definitely a work in progress at the CA end of support. People can track progress here, and also learn about CAA generally:

https://sslmate.com/labs/caa/

Thanks again!
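Worked example (added here; it is not part of the comment above, nor cPanel, BIND or NSD code): a small Python helper that builds the RFC 3597 generic presentation form of a CAA record from its flags, tag and value, and parses such a line back. Run against the line quoted above it reproduces the hex `000569737375653B` (flags 0, tag `issue`, value `;`, i.e. no CA may issue). All function names are my own.

```python
import binascii
import struct

CAA_TYPE = 257  # RR type number for CAA (RFC 6844)


def caa_wire(flags: int, tag: str, value: str) -> bytes:
    """RFC 6844 RDATA: 1-byte flags, 1-byte tag length, tag, then value."""
    tag_b = tag.encode("ascii")
    if not 0 <= flags <= 255 or not 1 <= len(tag_b) <= 255:
        raise ValueError("flags must fit in a byte and tag must be 1..255 bytes")
    return struct.pack("!BB", flags, len(tag_b)) + tag_b + value.encode("utf-8")


def caa_to_rfc3597(name: str, flags: int, tag: str, value: str) -> str:
    """Zone-file line in RFC 3597 generic syntax, for servers without native CAA."""
    rdata = caa_wire(flags, tag, value)
    hexdata = binascii.hexlify(rdata).decode().upper()
    return f"{name} IN TYPE{CAA_TYPE} \\# {len(rdata)} {hexdata}"


def rfc3597_to_caa(line: str) -> tuple:
    """Parse '<name> [IN] TYPE257 \\# <len> <hex...>' back into (flags, tag, value)."""
    fields = line.split()
    idx = fields.index(f"TYPE{CAA_TYPE}")
    if fields[idx + 1] != "\\#":
        raise ValueError("not RFC 3597 generic syntax")
    declared = int(fields[idx + 2])
    rdata = binascii.unhexlify("".join(fields[idx + 3:]))  # hex may be split by spaces
    if len(rdata) != declared:
        raise ValueError(f"declared length {declared} != actual {len(rdata)} bytes")
    flags, tag_len = struct.unpack("!BB", rdata[:2])
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


if __name__ == "__main__":
    # The record from the comment above: deny issuance to every CA.
    print(caa_to_rfc3597("example.com.", 0, "issue", ";"))
    print(rfc3597_to_caa("example.com. TYPE257 \\# 8 000569737375653B"))
```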

1

This could be a feature that is only available with PowerDNS, as it already happens with DNSSEC.

I, like Royce, am very interested since Qualys now tests for a CAA record on the SSL test.

1

Excellent idea. Would it be possible for BIND?

1

Right now it's not likely, but that doesn't mean it won't be by the time we get to this request. It depends on too many factors to know for sure at this time.

1

That had better change, as it was announced today that SSL certificates will no longer be issued after September without this record. It's going to be a requirement during the validation process.

1

wired420 - no, it's not a requirement for anyone to publish CAA - but it's mandatory for certificate authorities to actually look for them, and respect the CAA record.

In case no CAA is specified it's seen as "I allow everything".
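To make the rule in this reply concrete, here is a constructed Python model (an added example, not cPanel code nor any CA's implementation) of the authorization check a CA performs under RFC 6844: climb from the requested name to the closest ancestor that has CAA records, treat the absence of any CAA set as "allow everything", and otherwise consult the issue/issuewild properties. The ZONE dict is made-up data standing in for live DNS lookups, and CNAME following is left out.

```python
from typing import Dict, List, Optional, Tuple

Caa = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data: "open.net." deliberately has no CAA record at all.
ZONE: Dict[str, List[Caa]] = {
    "example.com.": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "locked.example.org.": [(0, "issue", ";")],  # ";" alone: no CA may issue
}


def relevant_caa_set(fqdn: str) -> Optional[List[Caa]]:
    """RFC 6844 section 4: the CAA set of the name itself or its closest ancestor."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if ZONE.get(name):
            return ZONE[name]
    return None  # nothing up the tree: issuance is unrestricted


def ca_may_issue(fqdn: str, ca_domain: str, wildcard: bool = False) -> bool:
    """True if the CA identified by ca_domain is authorised to issue for fqdn."""
    rrset = relevant_caa_set(fqdn)
    if rrset is None:
        return True  # no CAA anywhere: "I allow everything"
    tag = "issuewild" if wildcard else "issue"
    if wildcard and not any(t == "issuewild" for _, t, _ in rrset):
        tag = "issue"  # issuewild absent: issue records govern wildcards too
    relevant = [v for _, t, v in rrset if t == tag]
    if not relevant:
        return True  # CAA present but no issue/issuewild property: not restricted
    # Value is "<issuer-domain>[; param=value ...]"; ";" alone yields "" (deny all).
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for name, ca, wild in [("www.example.com.", "letsencrypt.org", False),
                           ("*.example.com.", "letsencrypt.org", True),
                           ("shop.locked.example.org.", "letsencrypt.org", False),
                           ("open.net.", "other-ca.example", False)]:
        print(f"{name:28} {ca:18} wildcard={wild!s:5} -> {ca_may_issue(name, ca, wild)}")
```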

1

It's silly this is taking so long to add; it's not something new, it was a proposed standard "over 4 years ago". It's sad, but there are many CAs that issue bad certs, and this is one step needed in helping with that issue. Still no word on an estimated time frame for getting CAA added?

1

No updates yet, but it's on our radar for the next planning meeting. I'll be here as soon as there are.

1

I really hope you guys are working on this. The future of the web is HTTPS, and a very important next step that is missing from cPanel's side at the moment is CAA records.

2

The CA/Browser Forum has announced that CAA records will be mandated by September 2017.

https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

2

A very important development indeed.

Hopefully this means cPanel is now able to treat this issue as being among the top priorities, since this would be a blocker if not implemented by the deadline.

As you’ve mentioned, RFC 3597 can be used to allow BIND to do this without having to worry about upgrading it to 9.9.6+.

1

So this is becoming of high importance to implement, especially since we have AutoSSL and more and more websites with cPanel are now using Comodo and Let's Encrypt certs.

4

Hey all! I just wanted to say that we saw the news, but haven't finalized anything internally yet. I'll be back with an update as soon as I have one.

1

Time is closing quickly, and after you get it done it's going to take a good while for everyone to update, so I hope it's almost done.

2

For older PowerDNS and Bind versions you can specify unknown DNS record types according to RFC 3597.

2

That would definitely be one potential solution.

1

Come on guys and dolls, this may well be mandatory by September 2017.

1

Yup, we're keeping an eye on it.

1

Just a quick update and clarification: one of our feature teams will hopefully be evaluating getting CAA records added to the Zone Editor soon.

Just to clarify one point, to make sure everyone's on the same page: the CAA entries being in the zone files will not be mandatory in September, but CAs checking and verifying any CAA zone entries may be required.

I'll update again as soon as there are any further developments!

Comments have been locked on this page!