[cabfpub] Checking CAA oneself

Erwann Abalea Erwann.Abalea at docusign.com
Thu Sep 22 16:55:54 UTC 2016


We also need more support from DNS servers.

For my domains, I host everything on the « Cloud », and register my domain names on Gandi, who is also my DNS service, with a nice web UI.
I wanted to add a CAA record for testing, but Gandi doesn’t support that. Amazon Route 53 doesn’t either. I looked for some documentation about Cloudflare DNS, dyn.com Managed DNS, GoDaddy, Microsoft Azure, EasyDNS, none of them seem to support CAA.
The only positive finding is that Google Cloud DNS supports CAA records with an easy to use UI.

I don’t want to have several dedicated machines with up to date Bind/NSD/whatever and a complicated config, just to be protected from erroneous DV certificates automatically delivered.

The fact that we still have to use « -t TYPE257 » on the dig or host command, or the equivalent « set type=TYPE257 » in nslookup, to manually perform this query is not encouraging.

Regards,
Erwann Abalea

> On 22 Sep 2016 at 17:40, Gervase Markham <gerv at mozilla.org> wrote:
> 
> On 22/09/16 16:03, J.C. Jones wrote:
>> Pretty sure I got this from you at some point. :)
>> 
>> dig +short -t TYPE257 "$@" | perl -nE '@x = split(); say map(chr, map { hex } ($x[2] =~ m/../g ))'
> 
> Thanks everyone! And in return, here's an improved version which can
> deal with longer entries, like Comodo's:
> 
> dig +short -t TYPE257 "$@" | perl -nE '@x = split(); splice(@x, 0, 2);
> say map(chr, map { hex } (join("", @x) =~ m/../g ))'
> 
> It seems depressingly few domains deploy CAA, having checked a selection
> of famous ones. Perhaps we need more publicity for it.
> 
> Gerv
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
> 
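The one-liners quoted above only turn the hex bytes back into text. The following is an added example (my own code, not Gerv's, Erwann's or anything from the list) that decodes the RFC 3597 generic "\# len hex" presentation dig prints for TYPE257 into (flags, tag, value) and then applies the RFC 6844 issue/issuewild decision a CA has to make. The dig output, domains and values are constructed for the example, not real query results; parameters after ";" in a value are ignored here.

```python
# Constructed sample of `dig +short -t TYPE257 <domain>` output in the RFC 3597
# generic "unknown type" format: "\# <rdata length> <hex bytes>". dig splits a
# long hex run into several whitespace-separated words, which is why the
# improved one-liner has to join everything after the first two tokens.
# Domains and values below are made up for this example.
SAMPLE_DIG_OUTPUT = r"""\# 15 00056973737565706b692e676f6f67
\# 26 8009697373756577696c64 6c657473656e63727970742e6f7267
\# 34 0005696f646566 6d61696c746f3a7365637572697479 406578616d706c652e636f6d
"""

def parse_caa_line(line):
    """Decode one '\\# len hex...' line into (flags, tag, value).

    CAA rdata (RFC 6844): 1 byte flags, 1 byte tag length, tag, then value.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != r"\#":
        raise ValueError("not RFC 3597 generic format: %r" % line)
    length = int(tokens[1])
    raw = bytes.fromhex("".join(tokens[2:]))   # join dig's hex words
    if len(raw) != length:
        raise ValueError("length field %d != %d rdata bytes" % (length, len(raw)))
    flags = raw[0]
    tag_len = raw[1]
    tag = raw[2:2 + tag_len].decode("ascii").lower()   # tags are case-insensitive
    value = raw[2 + tag_len:].decode("utf-8")
    return flags, tag, value

def parse_caa(dig_output):
    return [parse_caa_line(l) for l in dig_output.splitlines() if l.strip()]

KNOWN_TAGS = ("issue", "issuewild", "iodef")

def may_issue(records, issuer_domain, wildcard=False):
    """RFC 6844 check over one CAA RRset: may issuer_domain issue a certificate?

    - A critical-flagged (bit 7) property this checker does not understand
      forbids issuance.
    - Wildcard requests use 'issuewild' if present, otherwise fall back to 'issue'.
    - No relevant property at all means any CA may issue.
    - A value of ';' matches no issuer, so it blocks everyone.
    """
    for flags, tag, _ in records:
        if flags & 0x80 and tag not in KNOWN_TAGS:
            return False
    relevant = [r for r in records if r[1] == "issuewild"] if wildcard else []
    if not relevant:
        relevant = [r for r in records if r[1] == "issue"]
    if not relevant:
        return True
    # issuer domain is everything before the first ';' (parameters ignored here)
    allowed = {v.split(";")[0].strip().lower() for _, _, v in relevant}
    return issuer_domain.lower() in allowed
```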
