nanog mailing list archives

Re: DNS CAA records...


From: Mark Andrews <marka () isc org>
Date: Wed, 18 Jan 2017 14:39:02 +1100


Or use up-to-date code.  CAA support was added in BIND 9.8.8 (already
end of lifed), BIND 9.9.6, BIND 9.10.1 and BIND 9.11.0.

[rock:~/git/bind9] marka% dig caa google.com
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> caa google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42490
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5f52c5d222feb5c9583cb70c587ee11a8f16c403c5fdbbd5 (good)
;; QUESTION SECTION:
;google.com.                    IN      CAA

;; ANSWER SECTION:
google.com.             86400   IN      CAA     0 issue "symantec.com"

;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 18 14:29:30 EST 2017
;; MSG SIZE  rcvd: 98

[rock:~/git/bind9] marka% 

Anyway, this is a good real-life example of how you can add new types
and have them be looked up without having to update the servers or
the clients.  "dig TYPE257 google.com" would have also worked.

Mark


In message <ae662f474afc41b184c821af0e38b5ac () RACKSPACE COM>, Nolan Berry writes:
So a quick look into this I see one potential real world example:


;; ANSWER SECTION:
google.com.        129    IN    A    216.58.218.142
google.com.        74411    IN    NS    ns4.google.com.
google.com.        74411    IN    NS    ns1.google.com.
google.com.        74411    IN    NS    ns2.google.com.
google.com.        74411    IN    NS    ns3.google.com.
google.com.        3054    IN    TXT    "v=spf1 include:_spf.google.com ~all"
google.com.        64    IN    AAAA    2607:f8b0:4000:802::200e
google.com.        54475    IN    TYPE257    \# 19 0005697373756573796D616E7465632E636F6D


In RFC 6844 section 7.1 it states


"IANA has assigned Resource Record Type 257 for the CAA Resource Record
Type"


and I am seeing:


google.com.        54475    IN    TYPE257    \# 19 0005697373756573796D616E7465632E636F6D



Nolan Berry

Linux Systems Engineer

DNS Engineering

Rackspace Hosting

________________________________
From: NANOG <nanog-bounces () nanog org> on behalf of Eric Tykwinski
<eric-list () truenet com>
Sent: Tuesday, January 17, 2017 6:04:31 PM
To: nanog list
Subject: DNS CAA records...

So I've come across this on Qualys and was just wondering if there are any
practical examples out there in the wild.
I know some BIND guys are on here, so I'm sure I'm missing something from
the RFCs.
Just wanted to test this out on my play domains before putting it out in
the wild...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org
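The `TYPE257 \# 19 0005...` line quoted above and the `0 issue "symantec.com"` line in Mark's CAA-aware dig output are the same 19 bytes; only the presentation differs. The following Python is an added example (not code from this thread, from BIND or from Rackspace) that decodes the RFC 3597 generic form, parses the RFC 6844 CAA wire layout (flags, tag length, tag, value), renders it the way CAA-aware dig does, and applies the basic issuance check a defender would run to confirm a CA is permitted. `SAMPLE_RDATA` is constructed from the hex in the thread; `issuance_allowed` is my own hypothetical helper, and it evaluates only the single RRset it is handed rather than climbing to parent names as the full RFC 6844 algorithm does.

```python
r"""Decode a CAA record shown in RFC 3597 generic form (TYPE257 \# 19 <hex>)
and apply the RFC 6844 issuance check. Added example, not code from the
NANOG thread or from BIND; SAMPLE_RDATA is the google.com record quoted
in the thread."""

CAA_TYPE = 257         # RFC 6844 section 7.1: IANA-assigned RR type number
FLAG_CRITICAL = 0x80   # issuer-critical bit (RFC 6844 section 5.1.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed from the thread: the hex string older dig versions printed.
SAMPLE_RDATA = r"\# 19 0005697373756573796D616E7465632E636F6D"


def parse_rfc3597(rdata_text):
    r"""Parse RFC 3597 generic presentation ('\# <len> <hex...>') into bytes,
    refusing data whose declared length does not match the hex payload."""
    parts = rdata_text.split()
    if len(parts) < 2 or parts[0] != r"\#":
        raise ValueError("not RFC 3597 generic rdata")
    declared = int(parts[1])
    data = bytes.fromhex("".join(parts[2:]))
    if len(data) != declared:
        raise ValueError(f"declared length {declared}, got {len(data)} bytes")
    return data


def parse_caa(rdata):
    """Decode CAA wire format: flags (1 byte), tag length (1 byte), tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA rdata shorter than 2 bytes")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():  # RFC 6844: tag is US-ASCII letters and digits only
        raise ValueError("CAA tag must be alphanumeric")
    value = rdata[2 + tag_len:].decode("utf-8", errors="replace")
    return {
        "flags": flags,
        "critical": bool(flags & FLAG_CRITICAL),
        "tag": tag.lower(),   # tags are case-insensitive
        "value": value,
    }


def to_presentation(caa):
    """Render as CAA-aware dig does, e.g. 0 issue "symantec.com"."""
    return f'{caa["flags"]} {caa["tag"]} "{caa["value"]}"'


def issuance_allowed(records, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue for the name owning this CAA RRset.
    Hypothetical helper covering RFC 6844 section 4 for one RRset only; the
    full algorithm also climbs to parent names when no RRset exists here."""
    # A critical flag on a tag we do not understand forbids issuance outright.
    if any(r["critical"] and r["tag"] not in KNOWN_TAGS for r in records):
        return False
    relevant = [r for r in records if r["tag"] == "issue"]
    if wildcard:
        wild = [r for r in records if r["tag"] == "issuewild"]
        if wild:            # issuewild, when present, overrides issue for wildcards
            relevant = wild
    if not relevant:        # no issue/issuewild property: no restriction
        return True
    for r in relevant:
        # Value is "<domain>[; parameters]"; an empty domain (";") permits no CA.
        domain = r["value"].split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    record = parse_caa(parse_rfc3597(SAMPLE_RDATA))
    print(to_presentation(record))
    print("symantec.com allowed:", issuance_allowed([record], "symantec.com"))
```

The length check in `parse_rfc3597` matters when feeding in pasted output: a wrapped or truncated hex string silently produces a different record otherwise, and the critical-flag rule in `issuance_allowed` is the part most hand-written checkers forget.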

