Is it possible to add a CAA record for a domain?

Posted: Sun Mar 05, 2017 4:34 am
by baijianpeng
When I checked my domain with the SSL Labs test, it said my domain has no "CAA record".

Then I Googled and found that a CAA record is added via the domain's DNS manager.

But I cannot find a "CAA" type on the DNS record adding page of VestaCP.

Is it possible to add a CAA record for a domain via VestaCP?

Thank you.

Re: Is it possible to add a CAA record for a domain?

Posted: Sun Mar 05, 2017 11:02 am
by skamasle
Not possible yet from the GUI.

Re: Is it possible to add a CAA record for a domain?

Posted: Sun Mar 05, 2017 11:09 am
by baijianpeng
Do you mean that this can be done via CLI?

Re: Is it possible to add a CAA record for a domain?

Posted: Sun Mar 05, 2017 4:16 pm
by skamasle
Yes, manually you can do it if your DNS server version supports it, but these changes will be overwritten when you rebuild the DNS zone from VestaCP.

Re: Is it possible to add a CAA record for a domain?

Posted: Mon Mar 06, 2017 2:02 am
by baijianpeng
OK, since I am not a pro with DNS servers, I will not try that.

Hope VestaCP GUI will support CAA records soon.

Thank you.

Re: Is it possible to add a CAA record for a domain?

Posted: Tue Mar 07, 2017 9:39 am
by skurudo
Can I ask how often this record is needed?
(from what I understand ;-)

Re: Is it possible to add a CAA record for a domain?

Posted: Tue Mar 07, 2017 11:08 am
by baijianpeng
Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.

Re: Is it possible to add a CAA record for a domain?

Posted: Tue Mar 07, 2017 11:09 am
by skurudo
baijianpeng wrote: Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.
It's counted with test? Really? ;)

Re: Is it possible to add a CAA record for a domain?

Posted: Sun May 28, 2017 3:12 am
by BBuchanan1013
skurudo wrote:
baijianpeng wrote: Maybe it is only noticed when checking your HTTPS website with the SSL Labs test.
It's counted with test? Really? ;)
It's about to be a mandated requirement with SSL that DNS has a CAA record. It's another security step to actually verify that not only is the SSL cert valid, but it belongs to the host serving it... and a bunch of other techno babble:
https://blog.qualys.com/ssllabs/2017/03 ... wser-forum

Re: Is it possible to add a CAA record for a domain?

Posted: Wed Jun 14, 2017 7:45 am
by cricsus
Here is a nice online tool to help you add the record manually.
This might not be saved in backups though, so you should back up your DNS config somewhere else as well.

Link: https://sslmate.com/labs/caa/

If you want to go a step further, you may also want to enable HPKP on your web server by following this guide.

Link: https://raymii.org/s/articles/HTTP_Publ ... _HPKP.html

However, a Man in the Middle (MITM) may be able to manipulate HTTP headers or even DNS records, so I don't see these methods as exclusive security, just some precaution and hardening maybe.

By the way, if you have too many domain names and use the same CAs for them, you may want to write a simple script where you solely input the domain name and it does the rest for you.

Note: According to RFC 6844 you may set the flag to 0 or 128. 128 means no other CA than the one specified may issue (if the CA supports CAA).
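An added example, not from this thread or from VestaCP, of the kind of helper script cricsus describes: it builds the CAA lines for a domain in BIND presentation format (the format you would paste into the zone file, which VestaCP rebuilds as skamasle notes), parses them back, and evaluates the resulting record set the way RFC 6844 sections 4 and 5 require a CA to, so a zone can be checked before it goes live. The domain, CA names and iodef address are constructed sample values; 128 is RFC 6844's issuer-critical flag bit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ISSUER_CRITICAL = 128                          # bit 7 of the flags octet (RFC 6844 section 5.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # property tags defined by RFC 6844

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    def to_zone_line(self, owner: str) -> str:
        """Render in BIND presentation format: '<owner>. IN CAA <flags> <tag> "<value>"'."""
        return f'{owner.rstrip(".")}. IN CAA {self.flags} {self.tag} "{self.value}"'

_ZONE_RE = re.compile(r'^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+'
                      r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$')

def parse_caa(line: str) -> Tuple[str, CAARecord]:
    """Parse one CAA presentation line; reject anything that is not a well-formed CAA RR."""
    m = _ZONE_RE.match(line.strip())
    if not m or not 0 <= int(m["flags"]) <= 255:
        raise ValueError(f"not a valid CAA line: {line!r}")
    return m["owner"], CAARecord(int(m["flags"]), m["tag"].lower(), m["value"])

def caa_zone_lines(domain: str, issuers: List[str], iodef: Optional[str] = None,
                   critical: bool = False) -> List[str]:
    """Build the CAA set for a domain: one 'issue' record per allowed CA (or 'issue ";"',
    which forbids every CA, when the list is empty) plus an optional iodef report address."""
    flags = ISSUER_CRITICAL if critical else 0
    recs = [CAARecord(flags, "issue", ca) for ca in issuers] or [CAARecord(flags, "issue", ";")]
    if iodef:
        recs.append(CAARecord(0, "iodef", iodef))
    return [r.to_zone_line(domain) for r in recs]

def may_issue(records: List[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """Evaluate a CAA record set for one CA as RFC 6844 sections 4 and 5 require of the CA."""
    # A critical property the CA does not understand forbids issuance outright.
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:        # no issuewild: wildcard requests fall back to issue
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:                     # no issue property at all: any CA may issue
        return True
    # The issuer domain is the part before any ';' parameters; 'issue ";"' yields "".
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    return ca_domain.lower() in allowed
```

Run `caa_zone_lines("example.com", ["letsencrypt.org"], iodef="mailto:security@example.com")` to get the lines for the zone, then `may_issue` over the parsed records to confirm only the intended CA passes.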