The CA/Browser Forum has voted to mandate that CAs must start checking CAA records to control certificate issuance (to verify what CAs are allowed to issue certificates for a domain) by September 8th, 2017.
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
Full language of the ballot is here.
For domain holders, not using CAA records implicitly allows any registrar to issue certificates for your domain (as long as their registration requirements are met).
See https://sslmate.com/labs/caa/ for latest status of which CAs support CAA records. That page also has an introduction to CAA records, and a CAA record generator.
- 1984 Hosting FreeDNS: https://www.1984hosting.com/product/freedns/
- Akamai FastDNS (RFC3597): https://bugzilla.mozilla.org/show_bug.cgi?id=882128#c64
- BIND (native): 9.8.8 (EOL), 9.9.6, 9.10.1, 9.11.0. https://mailman.nanog.org/pipermail/nanog/2017-January/089944.html, ftp://ftp.isc.org/isc/bind/9.9.6/RELEASE-NOTES-BIND-9.9.6.txt
- BIND (RFC3597): yes (date/version that support was added not yet known, but probably a looong time ago)
- DNSimple: https://blog.dnsimple.com/2017/01/introducing-caa-records/
- DYN : https://help.dyn.com/zone-records/#(CAA)
- Domains.co.za (in the control panel, but not publicy documented, per @phizev)
- FreeDNS (https://freedns.afraid.org/news/)
- Gandi LiveDNS: http://doc.livedns.gandi.net/#recordtype (thanks @rmarchant)
- Google Cloud DNS: https://cloud.google.com/dns/overview#supported_dns_record_types
- KnotDNS (commit here: https://gitlab.labs.nic.cz/labs/knot/commit/2dabc9b0294db84546024861a6201fb8e66ca5bb)
- NSD (RFC3597): yes (date/version that support was added not yet known)
- PowerDNS: https://doc.powerdns.com/md/types/#caa / PowerDNS/pdns#688
- Amazon Route 53: https://forums.aws.amazon.com/thread.jspa?threadID=236806 (thanks, @ruoho)
- cPanel: https://features.cpanel.net/topic/add-support-for-caa-dns-records-type-257
- Plesk: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/17850958-implement-dns-certification-authority-authorizati
- Cloudflare ("it's in the works", per @grittygrease) - https://twitter.com/scott_helme/status/820364771518283779)
- ClouDNS ("We will support CAA records soon. Unfortunately, we cannot give any ETA.") - @phizev ticket 2017-05-18
- EasyDNS - "No timeline as of yet but we are looking at this much closer now." (per support note to @ansdell, 2017-04-28)
- Hurricane Electric ("Not currently supported by the backend, and their roadmap doesn't have it as a high priority." - kcochran, HE engineer, 2016-01-07) - https://forums.he.net/index.php?topic=3511.0
- iwantmyname ("cannot give an ETA yet" 2017-04-10) - https://twitter.com/mrgreatnews/status/851378801279778816
- Google Domains (?) (ref here: https://community.letsencrypt.org/t/how-to-add-caa-record/29195/9)
- Namecheap
- Rackspace Cloud DNS (per @ericcholis discussion with support)
- Afilias
- BuddyNS
- CDNetworks (BIND?)
- Digital Ocean
- DNS Made Easy
- GeoScaling
- No-IP
- NS1
- PointHQ
- UltraDNS
- Verisign
- ZoneEdit
- https://gist.github.com/roycewilliams/a5b2d26edf3b64ecf77a75f943de079f (scans.io data, 2016-12-31)
- http://seclists.org/nanog/2017/Jan/214 (zscan of Alexa top 1 million, 2017-01-17)
- CAA support is tracked in SSL Pulse as of April 2017 (ref: https://twitter.com/BhushanLokhande/status/850540499463266304)
- RFC 3597 syntax (to add raw support for a new RR type even if not natively supported):
example.com. TYPE257 \# 8 000569737375653B
- One-liner to convert from RFC 3597 to human-readable format (credit: Gervase Markham here, works with all raw RFC3457 TYPExxx records)
dig +short -t TYPE257 google.com | perl -nE '@x = split(); say map(chr, map { hex } ($x[2] =~ m/../g ))'
- One-liner to convert from plain text to RFC 3597 format (credit: Henri in this thread):
perl -e '$_=shift;s/(.|\n)/printf("%02lx", ord $1)/eg;' 'your-text'
- Linux one-liner:
echo -n 'your text' | xxd -p
- CAA records are defined in RFC 6844: https://tools.ietf.org/html/rfc6844
- CAA support is shown in Qualys SSL Labs test results: https://blog.qualys.com/ssllabs/2017/01/13/whats-new-ssl-labs-1-26-5
- Twitter thread: https://twitter.com/scott_helme/status/820364771518283779?lang=en
- Scott Helme blog post: https://scotthelme.co.uk/certificate-authority-authorization/
- Mattias Geniar blog post: https://ma.ttias.be/caa-checking-becomes-mandatory-ssltls-certificates/