04-29-2017 12:41 PM
I was reading a post on the Qualys SSL Labs blog about CAA records the other day.
It's a record type that basically allows domain owners to whitelist one or more Certificate Authorities as being authorized to generate certificates for that domain. Presumably a compliant CA provider will reject any certificate requests for that domain unless they check the CAA record and find themselves in the whitelist.
In any case, I'm running NIOS 8.1.1 in a lab environment and was hoping to play around with CAA records. But I can't seem to figure out how to generate one. Is it possible? The Add Record drop down list doesn't have it. But I'm wondering if there's a way to create a custom record type.
05-08-2017 02:27 PM
Thanks for describing your issue in detail.
Unfortunately, support for CAA records has not been implemented in NIOS. I believe it is currently a feature request.
I would suggest opening a ticket with Support; they can help you find an existing Feature Request or create a new one, and once you have the Feature Request number, you can contact your Accounts Team to prioritize the request.
05-17-2017 05:44 AM
This is supported by Infoblox, however they call it DANE (DNS-based Authentication of Named Entities).
This is supported since NIOS 8.0 I believe.
05-17-2017 11:16 AM - edited 05-17-2017 11:18 AM
08-18-2017 02:06 PM
KB article #4183: Does NIOS support DNS CAA records?
Published 07/21/2015 | Updated 02/10/2017 11:33 AM
Infoblox has an open feature request (RFE-4537) to support CAA records in future releases.
I asked my account team today to add me to that RFE ... maybe if lots of us show an interest, that would boost its priority?
A GoDaddy blog post by one of their clients (actually talking about GoDaddy's support, or lack thereof, for CAA) mentions that clients, in their third-party security audits, are starting to get pinged about not having CAA in place ...
So it's no longer just an intellectual exercise but now has real-world consequences.
08-28-2017 03:04 PM
Did you get information about feature request (RFE-4537)?
Thanks for the answer. We are waiting for that feature and we don't know in which version it will be available.
08-28-2017 04:43 PM
RFE-4537 - Support 'Certification Authority Authorization (CAA) DNS Resource Record'.
From what I read, this is tentatively targeted for NIOS version 8.3. 'Tentative' in the sense that its implementation may be postponed to a later release.
I would recommend opening a case with Infoblox Support, who can add your organization to the feature request and also provide you with your Infoblox account team info. Your Infoblox account team can in fact help interface with Infoblox Product Management on your behalf and keep you up to date regarding the RFE consideration/progress.
09-07-2017 02:21 PM
Hi! I'm a Let's Encrypt staffer, and wanted to add my 2c. In addition to the "support CAA" request, there's an additional, more urgent request: Handle unknown record types. Sites are not required to have a CAA record in order to issue certificates, but they should be able to answer NOERROR to such requests (per RFC 1035). Right now it seems that Infoblox will timeout when queried for any unknown record type (including CAA). This means that CAs cannot be certain whether there is a CAA record or not, which in general will prevent issuance.
The short-term, and hopefully smaller, fix would be to change Infoblox to return NOERROR for queries with unknown record types rather than timing out.
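To make the distinction in the post above concrete, here is an added example (not Infoblox or Let's Encrypt code) of the issuer-side CAA check from RFC 8659: climb from the requested name towards the root, take the first non-empty CAA RRset as the relevant one, and evaluate issue/issuewild and the critical flag. The lookup runs against a constructed in-memory zone so it works offline; names in TIMEOUTS model a server that never answers a type-257 query. An empty NOERROR answer at every level permits issuance, while a timeout leaves the CA unable to prove the absence of a record, so it must refuse. Zone names, the CA domain and the helper names are all assumptions for the example.

```python
"""Issuer-side CAA check (RFC 8659) over constructed zone data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    """One CAA RDATA item (RFC 8659 s4): flags byte, property tag, value."""
    flags: int
    tag: str
    value: str


class LookupTimeout(Exception):
    """Models an authoritative server that never answers a type-257 query."""


# Constructed zone data, not from any real domain. A name mapped to [] or
# simply absent models a NOERROR answer with no CAA data.
ZONE = {
    "example.com.": [CAA(0, "issue", "letsencrypt.org"),
                     CAA(0, "iodef", "mailto:security@example.com")],
    "wild.example.com.": [CAA(0, "issue", "letsencrypt.org"),
                          CAA(0, "issuewild", ";")],      # wildcards: nobody may issue
    "crit.example.com.": [CAA(0x80, "futuretag", "x")],  # critical flag, unknown tag
    "locked.example.org.": [CAA(0, "issue", ";")],       # no CA at all may issue
}
# Constructed: a zone whose servers drop queries for unknown RR types.
TIMEOUTS = {"broken.example."}


def lookup_caa(name, zone=ZONE, timeouts=TIMEOUTS):
    """Return the CAA RRset at exactly `name` (no climbing).

    Raises LookupTimeout for names in `timeouts`, modelling the behaviour the
    post reports: the server times out instead of answering NOERROR.
    """
    if name in timeouts:
        raise LookupTimeout(name)
    return list(zone.get(name, []))


def relevant_caa(name, lookup=lookup_caa):
    """RFC 8659 s3: climb from `name` towards (but not including) the root;
    the first non-empty RRset is the relevant one. Returns (owner, rrset)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        qname = ".".join(labels[i:]) + "."
        rrset = lookup(qname)
        if rrset:
            return qname, rrset
    return None, []


def _issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    An empty value or ';' yields '' and therefore authorises no issuer."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, ca_domain, wildcard=False, lookup=lookup_caa):
    """Decide whether the CA identified by `ca_domain` may issue for `name`.

    For a wildcard request pass the base name with wildcard=True (simplified:
    the caller strips the '*.' label). Returns (allowed, reason).
    """
    try:
        owner, rrset = relevant_caa(name, lookup)
    except LookupTimeout as exc:
        # The failure mode from the post: no answer at all is not "no CAA".
        return False, f"CAA lookup for {exc} timed out; cannot prove absence, must not issue"
    if not rrset:
        return True, "no CAA records at any level; issuance unrestricted"

    known = {"issue", "issuewild", "iodef"}
    for rr in rrset:
        if rr.flags & 0x80 and rr.tag.lower() not in known:
            return False, f"critical unknown property {rr.tag!r} at {owner}"

    tags = {rr.tag.lower() for rr in rrset}
    # RFC 8659 s4.3: issuewild, when present, overrides issue for wildcards.
    prop = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if prop not in tags:
        return True, f"{owner} has no {prop} property; issuance unrestricted"
    authorised = {_issuer_domain(rr.value) for rr in rrset if rr.tag.lower() == prop}
    if ca_domain.lower() in authorised:
        return True, f"{ca_domain} listed in {prop} at {owner}"
    return False, f"{ca_domain} not in {prop} set {sorted(authorised)} at {owner}"


if __name__ == "__main__":
    for n in ("www.example.com.", "nocaa.example.net.", "www.broken.example.",
              "crit.example.com.", "locked.example.org."):
        print(n, may_issue(n, "letsencrypt.org"))
```

Swap `lookup_caa` for a real resolver call and the decision logic stays the same; the important property is that a transport failure maps to "do not issue" rather than being silently treated like an empty answer.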
09-13-2017 05:58 AM
I realize that setting CAA records is not currently possible, but it seems that when CAs request CAA records for domains, they time out. Now that CAA lookups are required for SSL certificate issuance, this is causing certificate issuance to fail for some CAs. Even a NOERROR response would be sufficient. Can you consider this an urgent fix, as it's impacting some of your customers?
09-13-2017 06:18 AM
Just noticed KB 6906:
Certification Authority Authorization (CAA) DNS Resource Record
Published 08/08/2017 | Updated 09/12/2017 12:30 PM
... you will be able to add the CAA records to our latest NIOS versions (NIOS 7.3.15, 8.0.7, and 8.1.2) through nsupdate using the format as follows.
> server <server IP>
> update add <zone> 3600 CAA 0 issue "caa_information"
> send
I still am holding out for it to be added to the GUI
09-13-2017 06:48 AM - edited 09-13-2017 06:49 AM
I haven't tested it yet, but it should work for the time being until they get the fully baked support in place. Whoever wrote that KB could really use a spell checker though. Heh
09-13-2017 06:51 AM
Jacob, when I query my Infoblox running v8.1.4, I do get an immediate NOERROR.
Is this the proper query (old dig)?
dig google.com type257
(to see an actual record) ... when I query names that do not have a CAA record, I get an immediate NOERROR back.
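An old dig that predates CAA support prints the answer to a type257 query in the RFC 3597 generic form, `\# <length> <hex>`, rather than as `0 issue "..."`. As an added example (not from the thread, Infoblox or ISC), the decoder below turns such an answer line into the CAA fields defined in RFC 8659 section 4.1 (one flags byte, one tag-length byte, the tag, then the value) and can encode the other way for comparison with what nsupdate stores. The answer lines are constructed for the example and the owner name and values are assumptions, not real lookups.

```python
"""Decode RFC 3597 generic-format CAA answers from an old dig."""
import re

# Constructed answer lines in the shape old dig prints for an unknown type:
#   owner ttl class TYPE257 \# <rdata length> <rdata hex>
SAMPLE_DIG = [
    r"example.com.  3600  IN  TYPE257  \# 15 00056973737565706b692e676f6f67",
    r"example.com.  3600  IN  TYPE257  \# 29 0005696f6465666d61696c746f3a736563406578616d706c652e636f6d",
]

GENERIC_RE = re.compile(r"\\#\s+(\d+)\s*((?:[0-9A-Fa-f]{2}\s*)*)$")


def decode_generic_rdata(text):
    """Parse RFC 3597 '\\# <len> <hex>' into bytes, checking the declared length."""
    m = GENERIC_RE.search(text.strip())
    if not m:
        raise ValueError(f"not RFC 3597 generic rdata: {text!r}")
    declared = int(m.group(1))
    data = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(data) != declared:
        raise ValueError(f"length mismatch: declared {declared}, got {len(data)}")
    return data


def parse_caa_rdata(data):
    """RFC 8659 s4.1 wire format: flags(1) taglen(1) tag(taglen) value(rest).
    Returns (flags, tag, value)."""
    if len(data) < 2:
        raise ValueError("CAA rdata shorter than flags + tag length")
    flags, taglen = data[0], data[1]
    if taglen == 0 or len(data) < 2 + taglen:
        raise ValueError("bad CAA tag length")
    tag = data[2:2 + taglen]
    if not (tag.isascii() and tag.isalnum()):   # tag is [A-Za-z0-9]+
        raise ValueError(f"illegal CAA tag bytes {tag!r}")
    value = data[2 + taglen:]
    return flags, tag.decode("ascii"), value.decode("utf-8", "replace")


def encode_caa_rdata(flags, tag, value):
    """Inverse of parse_caa_rdata; useful for diffing against a zone export."""
    tag_b = tag.encode("ascii")
    if not 0 < len(tag_b) < 256 or not 0 <= flags < 256:
        raise ValueError("tag or flags out of range")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def to_presentation(flags, tag, value):
    """Render as the familiar zone-file form, e.g. 0 issue "pki.goog"."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{flags} {tag} "{escaped}"'


def caa_from_dig_line(line):
    """One answer-section line from old dig -> (owner, ttl, flags, tag, value)."""
    fields = line.split(None, 4)          # owner ttl class type rdata
    if len(fields) != 5:
        raise ValueError(f"unexpected answer line: {line!r}")
    owner, ttl, _rclass, rtype, rdata = fields
    if rtype.upper() not in ("TYPE257", "CAA"):
        raise ValueError(f"not a CAA answer: {rtype}")
    flags, tag, value = parse_caa_rdata(decode_generic_rdata(rdata))
    return owner, int(ttl), flags, tag, value


if __name__ == "__main__":
    for line in SAMPLE_DIG:
        owner, ttl, flags, tag, value = caa_from_dig_line(line)
        print(owner, ttl, "CAA", to_presentation(flags, tag, value))
```

The length check matters in practice: a truncated or mangled hex dump is the most common way a hand-copied generic record goes wrong, and decoding it silently would yield a plausible-looking but incorrect tag or issuer.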
09-14-2017 09:21 AM - edited 09-21-2017 10:28 AM
Just to make sure everyone understands this (there is some confusion on who the requirement applies to):
CAA resource records are not a requirement imposed by CAs on users (domains) asking for a cert. The requirement applies to CAs – they are required to check for the existence of CAA resource records before issuing a cert. If the CAA resource records don’t exist, the CA will still issue the cert.
Obviously, users that employ certs should create the CAA records, as this would prevent malicious users from getting certs for domains that they don’t own, since the CA will check with the authoritative nameserver for the domain to see if it is allowed to issue the cert.
CAA RR support (RFE-4537) will be in NIOS 8.3, scheduled for November 2017 (was late October).