[cabfpub] CAA records on opera.com

Sigbjørn Vik sigbjorn at opera.com
Wed Jul 24 10:03:08 UTC 2013


Hi,

Opera is now serving CAA records for opera.com.
http://dns-record-viewer.online-domain-tools.com seems to be one of few
online tools which verifies CAA records.

Comments from sysadmin after implementing CAA records:

It turns out that there's very little CAA
support in various authoritative DNS implementations:

* BIND 10 has it idly in their ticket tracker:
  http://bind10.isc.org/ticket/2512
* ldns (used by Unbound) will have it in the as-yet unreleased
  v1.6.17: http://www.nlnetlabs.nl/svn/ldns/trunk/Changelog
* PowerDNS has no support (including in HEAD).
* NSD has no support (including in trunk).

To get this up we could either
implement a simple DNS proxy/forwarder ourselves (not too hard), or
see if the trunk ldns support can be made to work with Unbound, and
then set up a simple Unbound instance that serves the CAA records,
while forwarding other queries to the true resolvers in our network.

I ended up adding CAA record support to the DNS toolkit we would use to
implement it, but then found a better (and less crazy)
way to implement it, by a small script generating the raw records, and
adding those.

Adding the records increased our authoritative nameserver's DNS response
from an already juicy 458 bytes to supreme juiciness of 506 bytes (512 bytes
is still somewhat of a limit; at the very least resource usage will increase
when topping that).

And besides, we've seen that before of course, and our TXT SPF record is
the main offender here, but 506-byte responses are probably on the
"winning" side when it comes to selecting authoritative DNS servers for
DNS amplification attacks.
Or spoken more generally: Maybe the CABForum should discuss
how eager the community is to add a potential massive load of additional
records to the root element of a zone/"domain".

If you use more than one CA for signing "https" certs, this can quickly
explode in size all on itself, without the help of SPF entries in the
zone. I'd guess this needs to be discussed.

-- 
Sigbjørn Vik
Opera Software



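The "small script generating the raw records" the sysadmin mentions is not shown in the message. The block below is an added example (not Opera's script and not part of the original post) of what such a generator looks like: it builds CAA RDATA in the RFC 6844 wire format and emits it in RFC 3597 generic `TYPE257 \# <len> <hex>` syntax, which any authoritative server that implements RFC 3597 will load and serve without knowing what CAA is. It also estimates how many bytes an RRset adds to a compressed answer, which is the 512-byte concern raised above. The owner name `opera.com.`, the TTL 3600, and the CA names in the sample are constructed input, not Opera's actual records.

```python
"""Generate CAA records in RFC 3597 generic syntax for nameservers that do
not know the CAA type, and estimate what they add to a DNS response.

Added example, not Opera's script. Owner name, TTL and the CA names used
below are constructed sample input."""
import binascii

CAA_TYPE = 257           # RR type number assigned to CAA by RFC 6844
CAA_FLAG_CRITICAL = 128  # "issuer critical" bit of the flags octet


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Build CAA RDATA: flags (1 octet), tag length (1 octet), tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not (1 <= len(tag_b) <= 255) or not tag_b.isalnum():
        raise ValueError("tag must be 1..255 ASCII letters/digits")
    # The defined tags (issue, issuewild, iodef) all carry ASCII values.
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def parse_caa_rdata(rdata: bytes):
    """Decode CAA RDATA back to (flags, tag, value); rejects truncated data."""
    if len(rdata) < 2:
        raise ValueError("RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("tag length does not match RDATA length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value


def generic_rr(owner: str, ttl: int, rdata: bytes) -> str:
    """RFC 3597 zone-file line: '<owner> <ttl> IN TYPE257 \\# <len> <hex>'.
    A server that implements RFC 3597 loads and serves this as opaque data,
    so no native CAA support is needed."""
    return "%s %d IN TYPE%d \\# %d %s" % (
        owner, ttl, CAA_TYPE, len(rdata), binascii.hexlify(rdata).decode())


def rrset_wire_size(rdatas) -> int:
    """Bytes the RRset adds to an answer section, assuming the owner name is
    compressed to a 2-octet pointer: name 2 + type 2 + class 2 + ttl 4 +
    rdlength 2 + rdata. This is the figure to compare against the 512-byte
    classic UDP limit."""
    return sum(12 + len(r) for r in rdatas)


def caa_zone_lines(owner: str, ttl: int, records):
    """records: iterable of (flags, tag, value).
    Returns (zone_lines, bytes_added_to_compressed_answer)."""
    rdatas = [caa_rdata(f, t, v) for f, t, v in records]
    return [generic_rr(owner, ttl, r) for r in rdatas], rrset_wire_size(rdatas)


if __name__ == "__main__":
    sample = [                                   # constructed sample policy
        (0, "issue", "ca.example.net"),          # hypothetical CA name
        (0, "issuewild", ";"),                   # forbid wildcard issuance
        (0, "iodef", "mailto:hostmaster@opera.com"),
    ]
    lines, added = caa_zone_lines("opera.com.", 3600, sample)
    print("\n".join(lines))
    print("adds %d bytes to a compressed answer" % added)
```

Each extra `issue` record for another CA costs 12 octets of RR overhead plus the RDATA, so the estimate from `rrset_wire_size` makes the "explode in size" concern concrete before the records are published. Note that the RDATA size does not depend on the encoding: serving the records via RFC 3597 generic syntax produces exactly the same wire bytes a CAA-aware server would.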