NIOS support for CAA records (RFC 6844)?

Authority
Posts: 25

I was reading a post on the Qualys SSL Labs blog about CAA records the other day.

https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

 

It's a record type that basically allows domain owners to whitelist one or more Certificate Authorities as being authorized to generate certificates for that domain. Presumably a compliant CA provider will reject any certificate requests for that domain unless they check the CAA record and find themselves in the whitelist.

 

In any case, I'm running NIOS 8.1.1 in a lab environment and was hoping to play around with CAA records. But I can't seem to figure out how to generate one. Is it possible? The Add Record drop down list doesn't have it. But I'm wondering if there's a way to create a custom record type.

Re: NIOS support for CAA records (RFC 6844)?

Authority
Posts: 28

Hello,

Thanks for describing your issue in detail.

Unfortunately, support for CAA records has not been implemented in NIOS. I believe it is currently a feature request.

I would suggest opening a ticket with Support; they can help you find an existing Feature Request or create a new one, and once you have the Feature Request number, you can contact your Accounts Team to prioritize the request.

Regards,

Anil

Re: NIOS support for CAA records (RFC 6844)?

Jaip
Techie
Posts: 1

Hi,

This is supported by Infoblox; however, they call it DANE (DNS-based Authentication of Named Entities).
This is supported since NIOS 8.0 I believe.

Kind regards

Re: NIOS support for CAA records (RFC 6844)?

Authority
Posts: 25

DANE is part of RFC 6698 and is indeed supported in Infoblox 8.x via the TLSA record type. However, it is different from CAA records and RFC 6844. In particular, DANE is dependent on DNSSEC if I'm not mistaken. CAA is not.

 

https://tools.ietf.org/html/rfc6698

https://tools.ietf.org/html/rfc6844

Re: NIOS support for CAA records (RFC 6844)?

verne
Techie
Posts: 12

See

KB article #4183: Does NIOS support DNS CAA records?

Published 07/21/2015   |    Updated 02/10/2017 11:33 AM

It says

Infoblox has an open feature request (RFE-4537) to support the CAA record in future releases.

I asked my account team today to add me to that RFE ... maybe if lots of us show an interest, that would boost its priority?

A GoDaddy blog post by one of their clients (actually talking about GoDaddy's support, or lack thereof, for CAA) mentions that clients, in their third-party security audits, are starting to get pinged about not having CAA in place ...

So it's no longer just an intellectual exercise but now has real-world consequences.

Re: NIOS support for CAA records (RFC 6844)?

Posts: 1

Hello,

Did you get information about feature request (RFE-4537)?

Thanks for the answer; we are waiting for that feature and we don't know in which version it will be available.

Re: NIOS support for CAA records (RFC 6844)?

Adviser
Posts: 73

Hi All,

RFE-4537 - Support 'Certification Authority Authorization (CAA) DNS Resource Record'.

From what I read, this is tentatively targeted for NIOS version 8.3. 'Tentative' in the sense that there is a chance its implementation may be postponed to a later release.

I would recommend opening a case with Infoblox Support, who can add your organization to the feature request and also provide you with your Infoblox account team info. Your Infoblox account team can in fact help interface with Infoblox Product Management on your behalf and keep you up to date regarding the RFE consideration/progress.

Best Regards,
Bibin Thomas

Re: NIOS support for CAA records (RFC 6844)?

MattFahrner
Techie
Posts: 3

Will hit up our rep, but anyone reading this - add us to the list of those wanting the feature.

Re: NIOS support for CAA records (RFC 6844)?

jsha
Techie
Posts: 1

Hi! I'm a Let's Encrypt staffer, and wanted to add my 2c. In addition to the "support CAA" request, there's an additional, more urgent request: handle unknown record types. Sites are not required to have a CAA record in order to issue certificates, but they should be able to answer NOERROR to such requests (per RFC 1035). Right now it seems that Infoblox will time out when queried for any unknown record type (including CAA). This means that CAs cannot be certain whether there is a CAA record or not, which in general will prevent issuance.

The short-term, and hopefully smaller, fix would be to change Infoblox to return NOERROR for queries with unknown record types rather than timing out.

 

Thanks,

Jacob

Re: NIOS support for CAA records (RFC 6844)?

dougbeattie
Techie
Posts: 1

I realize that setting CAA records is not currently possible, but it seems that when CAs request CAA records for domains they time out. Now that CAA lookups are required for SSL certificate issuance, this is causing certificate issuance to fail for some CAs. Even a NOERROR response would be sufficient. Can you consider this as an urgent fix, as it's impacting some of your customers?

Re: NIOS support for CAA records (RFC 6844)?

verne
Techie
Posts: 12

Just noticed KB 6906:

Certification Authority Authorization (CAA) DNS Resource Record
Published 08/08/2017   |    Updated 09/12/2017 12:30 PM

 

[...]

... you will be able to add the CAA records to our latest NIOS versions (NIOS 7.3.15, 8.0.7, and 8.1.2) through nsupdate using the format as follows.

-bash-4.0# nsupdate
> server <server IP>
> update add <zone> 3600 CAA 0 issue "caa_information"
> send

I still am holding out for it to be added to the GUI.

 

Re: NIOS support for CAA records (RFC 6844)?

Authority
Posts: 25

I haven't tested it yet, but it should work for the time being until they get the fully baked support in place. Whoever wrote that KB could really use a spell checker though. Heh

Re: NIOS support for CAA records (RFC 6844)?

verne
Techie
Posts: 12

Jacob: when I query my Infoblox running v8.1.4, I do get an immediate NOERROR.

Is this the proper query (old dig)?

dig google.com type257

(to see an actual record) ... When I query names that do not have a CAA record, I get an immediate NOERROR back.

 

Re: NIOS support for CAA records (RFC 6844)?

DFunk
Techie
Posts: 15

Just to make sure everyone understands this (there is some confusion on who the requirement applies to):

CAA resource records are not a requirement imposed by CAs on users (domains) asking for a cert. The requirement applies to CAs: they are required to check for the existence of CAA resource records before issuing a cert. If the CAA resource records don't exist, the CA will still issue the cert.

Obviously, users that employ certs should create the CAA records, as this would prevent malicious users from getting certs for domains that they don't own, since the CA will check with the authoritative nameserver for the domain to see if it is allowed to issue the cert.

CAA RR support (RFE-4537) will be in NIOS 8.3, scheduled for November 2017 (was late October).
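The CA-side check described in the previous post (the CA looks up the domain's CAA RRset and issues anyway when none exists), together with the RFC 6844 wire form behind the "0 issue "..."" records that the KB 6906 nsupdate snippet creates, written out as an added Python example that is not part of this thread or of NIOS. The zone contents, the names used and the helper functions (caa_to_wire, relevant_caa, ca_may_issue) are constructed for the demonstration; CNAME/DNAME following from RFC 6844 section 4 is deliberately left out.

```python
# Added example, not Infoblox or KB code: RFC 6844 CAA RDATA encoding and the
# CA-side relevance check. Zone contents below are constructed for the demo.
import struct

CAA_TYPE = 257   # RR type number for CAA (the "type257" in old dig syntax)
CRITICAL = 0x80  # issuer-critical flag: bit 0 of the flags octet (presentation value 128)

def caa_to_wire(flags, tag, value):
    """Encode one CAA RDATA: flags octet, tag length, tag, value (RFC 6844 s5.1)."""
    t = tag.encode("ascii")
    return struct.pack("!BB", flags, len(t)) + t + value.encode("utf-8")

def caa_from_wire(rdata):
    """Decode CAA RDATA back to (flags, tag, value); tags are case-insensitive."""
    flags, tlen = struct.unpack("!BB", rdata[:2])
    return flags, rdata[2:2 + tlen].decode("ascii").lower(), rdata[2 + tlen:].decode("utf-8")

# Constructed zone data: owner name -> list of CAA RDATA. Names absent here have no CAA RRset.
ZONE = {
    "example.com.": [caa_to_wire(0, "issue", "letsencrypt.org"),   # 0 issue "letsencrypt.org"
                     caa_to_wire(0, "issuewild", ";")],            # no CA may issue wildcards
    "locked.example.net.": [caa_to_wire(128, "tbs", "unknown")],   # critical flag, unknown tag
}

def relevant_caa(fqdn, zone):
    """Climb from fqdn toward the root; the first non-empty CAA RRset is the relevant one (s4).
    Simplification: CNAME/DNAME following from s4 is not modelled here."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if zone.get(name):
            return [caa_from_wire(r) for r in zone[name]]
    return []

def ca_may_issue(fqdn, ca_domain, zone):
    """CA-side decision: may ca_domain issue a certificate for fqdn under the relevant CAA RRset?"""
    rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True  # no CAA record anywhere up the tree: issuance is not restricted
    if any(f & CRITICAL and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False  # critical flag on an unknown tag: the CA must refuse (s5.1)
    wildcard = fqdn.startswith("*.")
    props = [v for _, t, v in rrset if t == "issuewild"] if wildcard else []
    if not props:  # non-wildcard names, or wildcards with no issuewild present, use issue (s5.3)
        props = [v for _, t, v in rrset if t == "issue"]
    if not props:
        return True  # the RRset restricts nothing about issuance (e.g. only iodef)
    # Value is "issuer-domain[; param=value ...]"; an empty issuer-domain (";") forbids everyone.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in props)
```

Running ca_may_issue for a name under example.com returns True only for letsencrypt.org, and any name with no CAA RRset up the tree is unrestricted, which is the "CA will still issue the cert" case above.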
