Is it possible to add a CAA record for a domain?

baijianpeng
Posts: 289
Joined: Tue Dec 22, 2015 2:06 pm

Is it possible to add a CAA record for a domain?

Postby baijianpeng » Sun Mar 05, 2017 4:34 am

When I check my domain with the SSL Labs test, it says my domain has no "CAA record".

Then I Googled and found that a CAA record is added via the domain's DNS manager.

But I cannot find a "CAA" type on the DNS record adding page of VestaCP.

Is it possible to add a CAA record for a domain with VestaCP?

Thank you.

skamasle
Collaborator
Posts: 360
Joined: Mon Feb 29, 2016 6:36 pm

Re: Is it possible to add a CAA record for a domain?

Postby skamasle » Sun Mar 05, 2017 11:02 am

It is not possible yet from the GUI.

baijianpeng
Posts: 289
Joined: Tue Dec 22, 2015 2:06 pm

Re: Is it possible to add a CAA record for a domain?

Postby baijianpeng » Sun Mar 05, 2017 11:09 am

Do you mean that this can be done via the CLI?

skamasle
Collaborator
Posts: 360
Joined: Mon Feb 29, 2016 6:36 pm

Re: Is it possible to add a CAA record for a domain?

Postby skamasle » Sun Mar 05, 2017 4:16 pm

Yes, you can do it manually if your DNS server version supports it, but these changes will be overwritten when you rebuild the DNS zone from VestaCP.

baijianpeng
Posts: 289
Joined: Tue Dec 22, 2015 2:06 pm

Re: Is it possible to add a CAA record for a domain?

Postby baijianpeng » Mon Mar 06, 2017 2:02 am

Ok, since I am not a pro about DNS server, I will not try that.

Hope VestaCP GUI will support CAA records soon.

Thank you.

skurudo
VestaCP Team
Posts: 7783
Joined: Fri Dec 26, 2014 2:23 pm
Location: Moscow

Re: Is it possible to add a CAA record for a domain?

Postby skurudo » Tue Mar 07, 2017 9:39 am

Can I ask how often this record is needed?
(for what, as I understand ;-)

baijianpeng
Posts: 289
Joined: Tue Dec 22, 2015 2:06 pm

Re: Is it possible to add a CAA record for a domain?

Postby baijianpeng » Tue Mar 07, 2017 11:08 am

Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.

skurudo
VestaCP Team
Posts: 7783
Joined: Fri Dec 26, 2014 2:23 pm
Location: Moscow

Re: Is it possible to add a CAA record for a domain?

Postby skurudo » Tue Mar 07, 2017 11:09 am

baijianpeng wrote: Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.

It's counted in the test? Really? ;)

BBuchanan1013
Posts: 139
Joined: Thu Jan 07, 2016 12:01 am

Re: Is it possible to add a CAA record for a domain?

Postby BBuchanan1013 » Sun May 28, 2017 3:12 am

skurudo wrote:
baijianpeng wrote: Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.

It's counted in the test? Really? ;)

It's about to be a mandated requirement with SSL that DNS has a CAA record. It's another security step to actually verify that not only is the SSL cert valid, but it belongs to the host serving it... and a bunch of other technobabble:
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

cricsus
Posts: 1
Joined: Wed Jun 14, 2017 7:16 am

Re: Is it possible to add a CAA record for a domain?

Postby cricsus » Wed Jun 14, 2017 7:45 am

Here is a nice online tool to help you add the record manually.
This might not be saved in backups though, so you should back up your DNS config somewhere else as well.

Link: https://sslmate.com/labs/caa/

If you want to go a step further, you may also want to enable HPKP on your web server by following the guide below.

Link: https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html

However, a man in the middle (MITM) may be able to manipulate HTTP headers or even DNS records, so I don't see these methods as exclusive security, just some precaution and hardening maybe.

By the way, if you have too many domain names and use the same CAs for them, you may want to write a simple script where you solely input the domain name and it does the rest for you.

Note: According to RFC 6844 you may set the flag to 0 or 128. 128 means no other CA than the one specified may issue (if the CA supports CAA).
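One shape the "simple script" from the post above could take, as an added example that is not VestaCP's or any poster's code: it builds the CAA lines for a BIND zone file per RFC 6844, refuses any flags value other than 0 or 128, and can also emit the RFC 3597 generic syntax (TYPE257 \# ...) for a BIND version that does not yet know the CAA type name. The domain, CA and mailbox values are constructed.

```python
# Added example (not VestaCP's own code): generate CAA records for a BIND
# zone file as described in RFC 6844. Domain/CA values below are constructed.

CAA_TYPE_NUMBER = 257                      # RR type code assigned to CAA
VALID_TAGS = ("issue", "issuewild", "iodef")


def flags_valid(flags):
    """RFC 6844 defines only bit 0 (issuer critical): flags must be 0 or 128."""
    return flags in (0, 128)


def _check(tag, value, flags):
    if not flags_valid(flags):
        raise ValueError("CAA flags must be 0 or 128, got %r" % (flags,))
    if tag not in VALID_TAGS:
        raise ValueError("unknown CAA tag %r" % (tag,))
    if '"' in value or not value.isascii():
        raise ValueError("CAA value must be ASCII without double quotes")


def caa_record(name, tag, value, flags=0, ttl=3600):
    """CAA record in presentation format, for a BIND that knows the type."""
    _check(tag, value, flags)
    return '%s %d IN CAA %d %s "%s"' % (name, ttl, flags, tag, value)


def caa_record_generic(name, tag, value, flags=0, ttl=3600):
    """Same RDATA in RFC 3597 generic syntax (TYPE257 \\# length hex).
    Wire format (RFC 6844 s5.1): flags octet, tag length octet, tag, value."""
    _check(tag, value, flags)
    tag_bytes = tag.encode("ascii")
    rdata = bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("ascii")
    return "%s %d IN TYPE%d \\# %d %s" % (
        name, ttl, CAA_TYPE_NUMBER, len(rdata), rdata.hex())


def caa_zone_fragment(domain, ca, report_mailto=None, generic=False):
    """Restrict issuance (incl. wildcards) to one CA, optionally with an
    iodef reporting mailbox. Returns zone-file lines for the apex name."""
    build = caa_record_generic if generic else caa_record
    name = domain if domain.endswith(".") else domain + "."
    lines = [build(name, "issue", ca), build(name, "issuewild", ca)]
    if report_mailto:
        lines.append(build(name, "iodef", "mailto:" + report_mailto))
    return lines


if __name__ == "__main__":
    for line in caa_zone_fragment("example.com", "letsencrypt.org",
                                  report_mailto="hostmaster@example.com"):
        print(line)
```

As the thread warns, lines appended to the zone file by hand are lost when VestaCP rebuilds the zone, so keep the generated output somewhere outside the zone directory.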

