We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Is it possible to add a CAA record for a domain?
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Is it possible to add a CAA record for a domain?
When I check my domain with the SSL Labs test, it says my domain has no "CAA record".
Then I Googled and found that a CAA record is added via the domain's DNS manager.
But I cannot find a "CAA" type on the DNS record adding page of VestaCP.
Is it possible to add a CAA record for a domain via VestaCP?
Thank you.
Re: Is it possible to add a CAA record for a domain?
It is not possible yet from the GUI.
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Re: Is it possible to add a CAA record for a domain?
Do you mean that this can be done via CLI?
Re: Is it possible to add a CAA record for a domain?
Yes, manually you can do it if your DNS server version supports it, but these changes get overwritten when you rebuild the DNS zone from VestaCP.
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Re: Is it possible to add a CAA record for a domain?
OK, since I am not a pro at DNS servers, I will not try that.
Hope VestaCP GUI will support CAA records soon.
Thank you.
Re: Is it possible to add a CAA record for a domain?
Can I ask, how often is this record needed?
(from what I understand ;-)
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Re: Is it possible to add a CAA record for a domain?
Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.
Re: Is it possible to add a CAA record for a domain?
baijianpeng wrote: Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.
It's counted with the test? Really? ;)
- Posts: 139
- Joined: Thu Jan 07, 2016 12:01 am
Re: Is it possible to add a CAA record for a domain?
skurudo wrote: It's counted with the test? Really? ;)
baijianpeng wrote: Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.
It's about to be a mandated requirement with SSL that DNS has a CAA record. It's another security step to actually verify that not only is the SSL cert valid, but it belongs to the host serving it... and a bunch of other techno babble:
https://blog.qualys.com/ssllabs/2017/03 ... wser-forum
Re: Is it possible to add a CAA record for a domain?
Here is a nice online tool to help you add the record manually.
This might not be saved in backups though, so you should back up your DNS config somewhere else as well.
Link: https://sslmate.com/labs/caa/
If you want to go a step further, you may also want to enable HPKP on your web server by following this guide.
Link: https://raymii.org/s/articles/HTTP_Publ ... _HPKP.html
However, a Man in the Middle (MITM) may be able to manipulate HTTP headers or even DNS records, so I don't see these methods as exclusive security, just some precaution and hardening maybe.
By the way, if you have too many domain names and use the same CAs for them, you may want to write a simple script where you solely input the domain name and it does the rest for you.
Note: According to RFC 6844 you may set the flag to 0 or 128. 128 means no other CA than the specified one may issue (if the CA supports CAA).
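The "simple script" suggested above, written out as an added example (not VestaCP code and not from the poster): it builds the CAA record set for a domain, renders the BIND zone lines you would paste into the zone file, parses them back, and evaluates the RFC 6844 rule for whether a given CA may issue. The class and function names, `example.com`, and the allowed-CA list are constructed sample values; the flags check enforces the 0/128 rule the note mentions.

```python
import re
from dataclasses import dataclass

CRITICAL = 128                      # issuer-critical flag bit (RFC 6844: flags are 0 or 128)
TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    def __post_init__(self):
        if self.flags not in (0, CRITICAL):
            raise ValueError(f"flags must be 0 or 128, got {self.flags}")
        if self.tag not in TAGS:
            raise ValueError(f"unknown CAA tag {self.tag!r}")

    def zone_line(self, owner: str) -> str:
        # BIND presentation format: example.com. IN CAA 0 issue "letsencrypt.org"
        return f'{owner.rstrip(".")}. IN CAA {self.flags} {self.tag} "{self.value}"'

_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')

def build_records(cas, wildcard_cas=None, iodef=None):
    """Record set for one domain: the listed CAs may issue; an empty list forbids all."""
    recs = [CAA(0, "issue", ca) for ca in cas] or [CAA(0, "issue", ";")]
    recs += [CAA(0, "issuewild", ca) for ca in (wildcard_cas or [])]
    if iodef:
        recs.append(CAA(0, "iodef", iodef))
    return recs

def parse_zone_lines(text):
    """Parse CAA lines in BIND format; non-CAA lines are skipped."""
    found = [_LINE.match(line.strip()) for line in text.splitlines()]
    return [CAA(int(m.group(2)), m.group(3), m.group(4)) for m in found if m]

def ca_may_issue(records, ca, wildcard=False):
    """RFC 6844 check: 'issue' governs every name, 'issuewild' overrides it for wildcards."""
    issue = [r for r in records if r.tag == "issue"]
    wild = [r for r in records if r.tag == "issuewild"]
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True                  # no CAA restriction applies to this name
    allowed = {r.value.split(";")[0].strip().lower() for r in relevant}
    allowed.discard("")              # a bare ";" value means no CA at all
    return ca.lower() in allowed

# constructed sample zone: only Let's Encrypt may issue, no wildcard certs at all
ZONE = "\n".join(r.zone_line("example.com") for r in build_records(
    ["letsencrypt.org"], wildcard_cas=[";"], iodef="mailto:security@example.com"))
```

Because a VestaCP zone rebuild overwrites hand-edited lines, keeping the generated lines in a file of your own and re-applying them is the practical way to survive rebuilds.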