Vesta Control Panel - Forum

Is it possible to add a CAA record for a domain?

baijianpeng

Post by baijianpeng » Sun Mar 05, 2017 4:34 am

When I was checking my domain with the SSL Labs test, it said my domain has no "CAA record".

Then I Googled, and found that a CAA record is added via the domain's DNS manager.

But I cannot find a "CAA" type on the DNS record adding page of VestaCP.

Is it possible to add a CAA record for a domain by VestaCP?

Thank you.

skamasle
Collaborator

Post by skamasle » Sun Mar 05, 2017 11:02 am

It is not possible yet from the GUI.

baijianpeng

Post by baijianpeng » Sun Mar 05, 2017 11:09 am

Do you mean that this can be done via the CLI?

skamasle
Collaborator

Post by skamasle » Sun Mar 05, 2017 4:16 pm

Yes, you can do it manually if your DNS server version supports it, but these changes will be overwritten when you rebuild the DNS zone from VestaCP.

baijianpeng

Post by baijianpeng » Mon Mar 06, 2017 2:02 am

OK, since I am not a pro with DNS servers, I will not try that.

I hope the VestaCP GUI will support CAA records soon.

Thank you.

skurudo
VestaCP Team

Post by skurudo » Tue Mar 07, 2017 9:39 am

Can I ask how often this record is needed?
(for my understanding ;-)

baijianpeng

Post by baijianpeng » Tue Mar 07, 2017 11:08 am

Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.

skurudo
VestaCP Team

Post by skurudo » Tue Mar 07, 2017 11:09 am

baijianpeng wrote:
    Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.

It's counted in the test? Really? ;)

BBuchanan1013

Post by BBuchanan1013 » Sun May 28, 2017 3:12 am

skurudo wrote:
    baijianpeng wrote:
        Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.
    It's counted in the test? Really? ;)

It's about to be a mandated requirement with SSL that DNS has a CAA record. It's another security step to actually verify that not only is the SSL cert valid, but it belongs to the host serving it... and a bunch of other techno babble:
https://blog.qualys.com/ssllabs/2017/03 ... wser-forum

cricsus

Post by cricsus » Wed Jun 14, 2017 7:45 am

Here is a nice online tool to help you add the record manually.
This might not be saved in backups though, so you should back up your DNS config somewhere else as well.

Link: https://sslmate.com/labs/caa/

If you want to go a step further, you may also want to enable HPKP on your web server by following the following guide.

Link: https://raymii.org/s/articles/HTTP_Publ ... _HPKP.html

However, a Man in The Middle (MITM) may be able to manipulate HTTP headers or even DNS records, so I don't see these methods as an exclusive security, just some precaution and hardening maybe.

By the way, if you have too many domain names and use the same CAs in them, you may want to write a simple script where you solely input the domain name and it does the rest for you.

Note: According to RFC 6844 you may set the flag to 0 or 128. 128 means no other CA than specified may issue (if CA supports CAA)
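
Added example (not part of any post above, and not VestaCP code): a script of the kind suggested in the last post, which takes a domain and a list of CA identifiers and returns CAA lines for manual insertion into a BIND zone file. With `generic=True` it emits the RFC 3597 `TYPE257` form for DNS server versions that do not parse the `CAA` mnemonic; the function names, `example.com`, and the CA and iodef values are constructed for illustration.

```python
"""Build CAA zone-file lines for a domain (added example; sample values constructed)."""
import re

TAGS = {"issue", "issuewild", "iodef"}  # property tags defined in RFC 6844
NAME_RE = re.compile(r"([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}")


def caa_rdata(flags, tag, value):
    """Wire-format RDATA: flags byte, tag-length byte, tag, value."""
    if flags not in (0, 128):  # 128 sets the issuer-critical bit
        raise ValueError("flags must be 0 or 128")
    if tag not in TAGS:
        raise ValueError(f"unknown CAA tag: {tag!r}")
    raw = value.encode("ascii")  # non-ASCII input raises a ValueError subclass
    # Reject control characters, quotes and backslashes so that a value
    # cannot break out of the quoted string in the zone file.
    if any(b < 0x20 or b > 0x7E or b in b'"\\' for b in raw):
        raise ValueError("value must be printable ASCII without quotes or backslashes")
    return bytes([flags, len(tag)]) + tag.encode("ascii") + raw


def caa_lines(domain, issuers, wildcard_issuers=None, iodef=None, flags=0, generic=False):
    """Return zone-file lines; generic=True uses RFC 3597 TYPE257 syntax."""
    domain = domain.lower().rstrip(".")
    if len(domain) > 253 or not NAME_RE.fullmatch(domain):
        raise ValueError(f"not a valid domain name: {domain!r}")
    # An empty issuer list becomes issue ";", meaning no CA may issue.
    props = [("issue", ca) for ca in issuers] or [("issue", ";")]
    if wildcard_issuers is not None:
        props += [("issuewild", ca) for ca in wildcard_issuers] or [("issuewild", ";")]
    if iodef:
        props.append(("iodef", iodef))
    lines = []
    for tag, value in props:
        rdata = caa_rdata(flags, tag, value)  # validates even for the text form
        if generic:
            lines.append(f"{domain}. IN TYPE257 \\# {len(rdata)} {rdata.hex().upper()}")
        else:
            lines.append(f'{domain}. IN CAA {flags} {tag} "{value}"')
    return lines


if __name__ == "__main__":
    # Constructed sample: one permitted CA, no wildcard certificates, a report address.
    for generic in (False, True):
        print("\n".join(caa_lines("example.com", ["letsencrypt.org"], wildcard_issuers=[],
                                  iodef="mailto:security@example.com", generic=generic)))
```

As noted earlier in the thread, lines added to the zone by hand are overwritten when the zone is rebuilt from VestaCP, so keep the generated output somewhere it can be reapplied.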