CAA DNS records

Hello,

My choice for this too

Requirements: BIND ≥9.9.6. For BIND <9.9.6, RFC 3597 syntax should be used. I hope this won't slow down implementation of the feature.
 
I propose a simple solution: check the BIND version and if it is higher than or equal to 9.9.6, show it; if not, do not display the text field...
 
BIND 9.9.5 is shipped with Debian 8
BIND 9.9.4 is shipped with CentOS 7

So what platform supported by Directadmin is shipped with 9.9.6?

Anyway, let's see how many of us want this feature so that John would implement it.
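As an added example (not code from the thread or from DirectAdmin), this is what the RFC 3597 generic syntax mentioned above looks like for a CAA record: the encoder produces the `TYPE257 \# <length> <hex>` form that BIND versions before 9.9.6 accept for unknown record types, and the decoder turns such a record back into flags, tag and value. The record restricting issuance to letsencrypt.org is a constructed sample.

```python
from typing import Tuple

CAA_TYPE = 257  # RRTYPE number assigned to CAA (RFC 6844)


def caa_to_rfc3597(flags: int, tag: str, value: str) -> str:
    """Encode a CAA record as RFC 3597 generic RDATA: 'TYPE257 \\# <len> <hex>'.

    CAA wire format is: flags (1 octet), tag length (1 octet), tag, value.
    A zone parser without native CAA support stores these bytes opaquely,
    so the record still appears correctly to CAs that query for it.
    """
    if not 0 <= flags <= 255:
        raise ValueError("CAA flags must fit in one octet")
    tag_bytes = tag.encode("ascii")
    if not tag_bytes.isalnum() or not 1 <= len(tag_bytes) <= 255:
        raise ValueError("CAA tag must be 1-255 alphanumeric ASCII characters")
    rdata = bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("ascii")
    return f"TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex()}"


def rfc3597_to_caa(generic: str) -> Tuple[int, str, str]:
    """Decode an RFC 3597 generic CAA record (e.g. as shown by dig) to (flags, tag, value)."""
    fields = generic.split()
    if len(fields) < 3 or fields[0].upper() != f"TYPE{CAA_TYPE}" or fields[1] != r"\#":
        raise ValueError("not a TYPE257 generic record")
    length = int(fields[2])
    rdata = bytes.fromhex("".join(fields[3:]))  # hex may be split into groups
    if len(rdata) != length or length < 2:
        raise ValueError("RDATA length does not match the declared length")
    flags, tag_len = rdata[0], rdata[1]
    if len(rdata) < 2 + tag_len:
        raise ValueError("tag length exceeds RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value


if __name__ == "__main__":
    # Constructed sample: only Let's Encrypt may issue for this zone.
    generic = caa_to_rfc3597(0, "issue", "letsencrypt.org")
    print(generic)
    print(rfc3597_to_caa(generic))
```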
 
It will be mandatory for the CAs to check for the record before issuing a new certificate. It's not mandatory for a domain to have a CAA record. If you don't have one, they will check, find that you have no CAA record, and then issue the certificate.
 
+1 on this,
Looks like letsencrypt now requires this, so the letsencrypt ssl feature is effectively broken on Debian.
 
According to https://sslmate.com/labs/caa/ Let's Encrypt will reject requests that don't comply with the CAA records. So we definitely need CAA support in Directadmin.

I think what that means is that if you have a CAA record and it doesn't say Let's Encrypt, then they will fail to issue the cert. If you don't have any CAA records, then it will still issue the cert.

Am I correct that CAA support is in the making:
https://www.directadmin.com/features.php?id=1932

Looks like it has made it in as a future feature, hopefully someone from DA can confirm.
 
So this requires bind 9.9.6? Since I do have the CAA option in DNS settings (after adding dns_caa=1 to directadmin.conf) but it doesn't appear to do anything

How do you update bind on centos7 to this version? yum still only shows 9.9.4 for me
 
You don't need to update anything. Redhat 7.3 added support for CAA records correctly and checking my Centos 6 and 7 systems it looks fine.

I see the records in the new format and can query them.

You should check that you don't have a custom template that is missing the CAA record. It took me a while the first time round to figure that out.

Check if /usr/local/directadmin/data/templates/custom/name.db exists and needs to be fixed to include new record types.

 