[cabfpub] CAA records on google.com
=JeffH
Jeff.Hodges at KingsMountain.com
Fri Jul 12 15:49:18 MST 2013
Gerv asked:
> On 19/06/13 13:10, Adam Langley wrote:
>> google.com is now serving two CAA[1] records:
>>
>> $ dig +short -t TYPE257 google.com
>> \# 19 0005697373756573796D616E7465632E636F6D
>> \# 23 0009697373756577696C6473796D616E7465632E636F6D
>>
>> These correspond (I hope) to "issue" and "issuewild" records with a
>> value of "symantec.com".
>
> I'm sure there's a good reason, but I can't find it in the RFC - why are
> the values encoded in this opaque way?
Although I'm sure you (AGL) double-checked, I decoded the above according to
RFC6844 (CAA) (plus RFC3597 "Handling of Unknown DNS RR Types") and they indeed
appear to be the proper format for CAA RDATA fields and are conveying this info..

  CAA    tag    CAA
  flags  lngth  tag        value
  -----  -----  ---        -----
  00     05     issue      symantec.com
  00     09     issuewild  symantec.com

According to RFC3597, one's zone file would have something akin to the following
in order to convey the above information...

  google.com. ....
              IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
              IN TYPE257 \# 23 0009697373756577696C6473796D616E7465632E636F6D

..assuming one's DNS server doesn't yet directly support handling of CAA records.
=JeffH
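
Added example, not part of the original message or any poster's code: a decoder for the RFC 3597 generic form ("\# <length> <hex>") of CAA RDATA as laid out in RFC 6844, with the reverse encoding for zone files on servers lacking native CAA support. The function names are illustrative, and the value is assumed to be ASCII, as it is for "issue" and "issuewild".

```python
import binascii


def parse_rfc3597(text):
    """Parse RFC 3597 generic RDATA text ('\\# <length> <hex>') into bytes."""
    parts = text.split()
    if len(parts) < 3 or parts[0] != "\\#":
        raise ValueError("not RFC 3597 generic RDATA")
    # The hex may be split into several whitespace-separated words.
    rdata = binascii.unhexlify("".join(parts[2:]))
    if len(rdata) != int(parts[1]):
        raise ValueError("declared length %s != actual %d" % (parts[1], len(rdata)))
    return rdata


def decode_caa(rdata):
    """Decode CAA RDATA: 1 byte flags, 1 byte tag length, tag, then value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("bad tag length %d" % tag_len)
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("tag must be ASCII letters and digits")
    value = rdata[2 + tag_len:].decode("ascii")  # assumption: ASCII value
    # Bit 0x80 of the flags byte is the issuer-critical flag.
    return {"flags": flags, "critical": bool(flags & 0x80),
            "tag": tag, "value": value}


def encode_caa(flags, tag, value):
    """Build the RFC 3597 generic form of a CAA record for a zone file."""
    rdata = bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")
    return "\\# %d %s" % (len(rdata), rdata.hex().upper())


if __name__ == "__main__":
    # The two dig answers quoted in the message above.
    for answer in (r"\# 19 0005697373756573796D616E7465632E636F6D",
                   r"\# 23 0009697373756577696C6473796D616E7465632E636F6D"):
        print(decode_caa(parse_rfc3597(answer)))
```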