CAA-adoption-notes.md

CAA Adoption Notes

CA/B mandate

The CA/Browser Forum has voted to mandate that CAs must start checking CAA records to control certificate issuance (to verify what CAs are allowed to issue certificates for a domain) by September 8th, 2017.

https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

Full language of the ballot is here.

For domain holders, not using CAA records implicitly allows any CA to issue certificates for your domain (as long as its validation requirements are met).

Support by CAs

See https://sslmate.com/labs/caa/ for latest status of which CAs support CAA records. That page also has an introduction to CAA records, and a CAA record generator.

Support by DNS servers and hosting providers

CAA supported

CAA support requested (vote!)

CAA not yet supported, but planned

CAA not yet supported, status unknown

CAA support status unknown (can you help?)

  • Afilias
  • BuddyNS
  • CDNetworks (BIND?)
  • DNS Made Easy
  • GeoScaling
  • No-IP
  • NS1
  • PointHQ
  • UltraDNS
  • Verisign
  • ZoneEdit

Domain support

RFC 3597 syntax

  • RFC 3597 syntax (lets you enter a record of an RR type, such as CAA, that your DNS software does not natively support, as raw RDATA):

example.com. TYPE257 \# 8 000569737375653B

  • One-liner to convert from RFC 3597 to human-readable format (credit: Gervase Markham here; works with all raw RFC 3597 TYPExxx records):

dig +short -t TYPE257 google.com | perl -nE '@x = split(); say map(chr, map { hex } ($x[2] =~ m/../g ))'

  • One-liner to convert from plain text to RFC 3597 format (credit: Henri in this thread):

perl -e '$_=shift;s/(.|\n)/printf("%02lx", ord $1)/eg;' 'your-text'

  • Linux one-liner:

echo -n 'your text' | xxd -p
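An added example, not part of the gist: the text-to-hex one-liners above hex-encode only a string, but a complete CAA RDATA (RFC 6844) is a flags byte, a tag-length byte, the tag and then the value, which is why a generator's RFC 3597 output is longer than `xxd -p` of the value alone. This Python builds the full RDATA in RFC 3597 form and parses it back with length checks; the function names and sample records are constructed for illustration.

```python
import re

# Constructed sample records (not from the page); flags 128 sets the critical bit.
SAMPLE_RECORDS = [
    (0, "issue", ";"),                       # forbid all issuance
    (128, "issue", "letsencrypt.org"),       # critical flag set
    (0, "iodef", "mailto:sec@example.invalid"),
]


def caa_to_rfc3597(flags: int, tag: str, value: str) -> str:
    """Encode a CAA record as RFC 3597 generic RDATA: '\\# <len> <hex>'.

    CAA wire format: one flags byte, one tag-length byte, the tag bytes,
    then the value occupying the rest of the RDATA (no length prefix).
    """
    tag_b = tag.encode("ascii")
    val_b = value.encode("utf-8")
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    if not 1 <= len(tag_b) <= 255:
        raise ValueError("tag must be 1..255 bytes")
    rdata = bytes([flags, len(tag_b)]) + tag_b + val_b
    return "\\# %d %s" % (len(rdata), rdata.hex().upper())


def rfc3597_to_caa(text: str):
    """Parse RFC 3597 generic RDATA back into (flags, tag, value).

    Rejects a declared length that disagrees with the hex payload and a
    tag length that runs past the RDATA, so malformed zone data is
    reported instead of silently misread.
    """
    m = re.fullmatch(r"\\#\s+(\d+)((?:\s+[0-9A-Fa-f]+)*)\s*", text.strip())
    if not m:
        raise ValueError("not RFC 3597 syntax")
    rdata = bytes.fromhex(re.sub(r"\s", "", m.group(2)))
    if len(rdata) != int(m.group(1)):
        raise ValueError("declared length %s != %d bytes" % (m.group(1), len(rdata)))
    if len(rdata) < 2:
        raise ValueError("CAA RDATA needs at least flags and tag length")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("tag length %d runs past the RDATA" % tag_len)
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        encoded = caa_to_rfc3597(*rec)
        print("%-45s -> %s" % (rec, encoded))
        assert rfc3597_to_caa(encoded) == rec
```

The first sample reproduces the `\# 8 000569737375653B` record shown above, so the output can be compared byte for byte against a generator's RFC 3597 line.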

Other references


ruoho commented Apr 9, 2017

Amazon's Route 53 should be added to CAA Support Requested:

https://forums.aws.amazon.com/thread.jspa?threadID=236806


ericcholis commented Apr 10, 2017

Rackspace Cloud DNS does not support CAA. Confirmed via chat with a support representative. No mention of plans to implement it.


rmarchant commented Apr 10, 2017

Gandi LiveDNS supports CAA records : http://doc.livedns.gandi.net/#recordtype


tialaramex commented Apr 11, 2017

Probably this text should start out by mentioning the consequence of doing nothing (since that's the default). If you have no CAA records then you implicitly permit any CA to issue for your names [subject to validation etc. etc.]. This might be what you want. If you're not sure what you want, it probably is what you want, hence fine.

roycewilliams (owner) commented Apr 11, 2017

@tialaramex, I'll add a little bit about that. That being said, other articles and blog posts have done a good job of introducing the CAA concept to the uninitiated, and my goal with this gist is to inform practitioners who already understand the basics.

roycewilliams (owner) commented Apr 28, 2017

Also, @ruoho @ericcholis, @rmarchant - thanks for the adds, merged!


ansdell commented Apr 29, 2017

I think EasyDNS is not yet supported, but planned. A support response on 20170428:
"No timeline as of yet but we are looking at this much closer now. "

roycewilliams (owner) commented May 3, 2017

@ansdell - thanks, added!


Ayesh commented May 6, 2017

afraid.org FreeDNS now supports CAA: https://freedns.afraid.org/news/

roycewilliams (owner) commented May 6, 2017

@Ayesh, added - thanks!


phizev commented May 17, 2017

I contacted ClouDNS earlier today on their CAA support, CAA records are not currently supported, but they plan to, quote from support:

We will support CAA records soon. Unfortunately, we cannot give any ETA.

Domains.co.za has the CAA record type available in their control panel, I can't find publicly available documentation of this feature.

roycewilliams (owner) commented May 21, 2017

@phizev - updated, thanks!


AbhishekGhosh commented Jun 14, 2017

Dyn Managed DNS added support without announcement (I am user). One day I was Google searching and saw they have documentation on Help > Zones. I added that on my forked version with their help page's link.

roycewilliams (owner) commented Jun 14, 2017

@AbhishekGhosh Good catch - updated, thanks!


Hello71 commented Jun 14, 2017

buddyns supports CAA:

$ dig alxu.ca caa @b.ns.buddyns.com +short
128 issue "letsencrypt.org"

phizev commented Jun 26, 2017

@roycewilliams Thank you for doing this.
ClouDNS have added CAA support as per their announcement, they also have it covered in their documentation.
As an addendum, I just checked my Digital Ocean control panel, and the CAA record type is not listed, please see image below:
cloudns-dns-record-types

roycewilliams (owner) commented Jul 16, 2017

@Hello71, @phizev, @AGWA - thanks, updated!


C4llumD commented Aug 16, 2017

Is the RFC number here a typo (under "RFC 3597 syntax"):

...works with all raw RFC3457 TYPExxx records...


10bass commented Aug 16, 2017

Hurricane Electric now supports CAA records - on their site under 'Recent Additions', and verified working with my own account & SSL Labs testing. Thank you for tracking these.

roycewilliams (owner) commented Aug 22, 2017

@C4llumD - good catch, fixed, thanks!

@10bass - updated - thanks!


10bass commented Aug 22, 2017

It looks like iwantmyname has added support, but currently requires a support request to add the records: support center article

roycewilliams (owner) commented Aug 23, 2017

@10bass - copy that, added - thanks!


wolfgang42 commented Sep 8, 2017

Namecheap says "we are planning to implement CAA records[...], yet there is no ETA for this at the moment."


spaze commented Sep 9, 2017

Digital Ocean seems to support CAA now: How To Create and Manage CAA Records Using DigitalOcean DNS

roycewilliams (owner) commented Sep 10, 2017

@wolfgang42, @spaze - updated, thanks!


timscha commented Sep 11, 2017

123domain.eu also supports CAA records


mi-sc commented Sep 11, 2017

core-networks.de supports CAA too.


kepi commented Sep 17, 2017

igloonet.cz supports CAA too.


blunden commented Sep 20, 2017

ZoneEdit is working on it but no estimate other than "soon" given.

http://forum.zoneedit.com/index.php?threads/is-caa-supported-on-zoneedit.6093/


CRCinAU commented Oct 6, 2017

Doing some investigations - I looked at this site to generate CAA records: https://sslmate.com/caa/

I can't get any of the output of the one liners to match the output of its RFC 3597 output.

Is there any way to verify this?


ancarda commented Oct 18, 2017

Linode has quietly added support for adding CAA records, but unfortunately there's no blog post. You can see it at the bottom of a zone in the DNS Manager.


phizev commented Aug 18, 2018

SSLMate has what appears to be a fairly comprehensive list of DNS providers supporting CAA:
https://sslmate.com/caa/support
