[cabfpub] CAA records on google.com

=JeffH Jeff.Hodges at KingsMountain.com
Fri Jul 12 15:49:18 MST 2013


Gerv asked:
 > On 19/06/13 13:10, Adam Langley wrote:
 >> google.com is now serving two CAA[1] records:
 >>
 >> $ dig +short -t TYPE257 google.com
 >> \# 19 0005697373756573796D616E7465632E636F6D
 >> \# 23 0009697373756577696C6473796D616E7465632E636F6D
 >>
 >> These correspond (I hope) to "issue" and "issuewild" records with a
 >> value of "symantec.com".
 >
 > I'm sure there's a good reason, but I can't find it in the RFC - why are
 > the values encoded in this opaque way?

Although I'm sure you (AGL) double-checked, I decoded the above according to 
RFC6844 (CAA) (plus RFC3597 "Handling of Unknown DNS RR Types") and they indeed 
appear to be the proper format for CAA RDATA fields and are conveying this info:

  CAA   tag   CAA
flags lngth  tag        value
----- -----  ---        -----
00     05    issue      symantec.com
00     09    issuewild  symantec.com


According to RFC3597, one's zone file would have something akin to the following 
in order to convey the above information...

google.com.  ....
       IN    TYPE257   \# 19 0005697373756573796D616E7465632E636F6D
       IN    TYPE257   \# 23 0009697373756577696C6473796D616E7465632E636F6D

..assuming one's DNS server doesn't yet directly support handling of CAA records.

=JeffH
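A small decoder and encoder for the RFC 6844 RDATA layout carried in RFC 3597 generic form, added here as an example (not code from this mail or from anyone on the thread); it parses the two `\# <len> <hex>` strings above into flags, tag and value, checks the declared length and tag length, and rebuilds the same strings:

```python
# Decoder/encoder for CAA RDATA in RFC 3597 generic "\# <len> <hex>" form.
# Added example, not from the mail. RFC 6844 layout: flags(1) | taglen(1) | tag | value
from dataclasses import dataclass

ISSUER_CRITICAL = 0x80  # RFC 6844 flag bit 0 ("issuer critical") is the MSB

@dataclass
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)

def parse_generic_rdata(text: str) -> bytes:
    """Parse RFC 3597 generic RDATA (backslash-hash, length, hex) into raw bytes."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != r"\#":
        raise ValueError("not RFC 3597 generic RDATA: " + text)
    length = int(parts[1])
    raw = bytes.fromhex("".join(parts[2:]))
    if len(raw) != length:
        raise ValueError(f"declared length {length} != {len(raw)} octets of hex")
    return raw

def decode_caa(rdata: bytes) -> CAA:
    """Split RFC 6844 CAA RDATA into flags, tag and value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError(f"bad tag length {tag_len} for {len(rdata)}-octet RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError(f"CAA tag must be US-ASCII letters/digits: {tag!r}")
    return CAA(flags, tag.lower(), rdata[2 + tag_len:].decode("ascii"))

def encode_caa(rec: CAA) -> str:
    """Render a CAA record as the RFC 3597 TYPE257 generic RDATA string."""
    tag = rec.tag.encode("ascii")
    raw = bytes([rec.flags & 0xFF, len(tag)]) + tag + rec.value.encode("ascii")
    return rf"\# {len(raw)} {raw.hex().upper()}"

# Constructed input: the two strings dig printed for google.com in the post.
GOOGLE_CAA = [r"\# 19 0005697373756573796D616E7465632E636F6D",
              r"\# 23 0009697373756577696C6473796D616E7465632E636F6D"]

def decode_all(lines):
    return [decode_caa(parse_generic_rdata(line)) for line in lines]
```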