CAA-adoption-notes.md

CAA-adoption-notes.md

CAA Adoption Notes

CA/B mandate

The CA/Browser Forum has voted to mandate that CAs must start checking CAA records to control certificate issuance (to verify what CAs are allowed to issue certificates for a domain) by September 8th, 2017.

https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

Full language of the ballot is here.

For domain holders, not using CAA records implicitly allows any registrar to issue certificates for your domain (as long as their registration requirements are met).

Support by CAs

See https://sslmate.com/labs/caa/ for latest status of which CAs support CAA records. That page also has an introduction to CAA records, and a CAA record generator.

Support by DNS servers and hosting providers

CAA supported

• 1984 Hosting FreeDNS: https://www.1984hosting.com/product/freedns/
• Active24: https://faq.active24.com/eng/068588-CAA-record---certification-authority-autorization (per Tomáš Hála, https://twitter.com/tomashala/status/899868444136534018)
• Akamai FastDNS (RFC3597): https://bugzilla.mozilla.org/show_bug.cgi?id=882128#c64
• Amazon Route 53: https://forums.aws.amazon.com/ann.jspa?annID=4799 (per @AGWA, https://twitter.com/__agwa/status/899757773050609664)
• • Original request thread: https://forums.aws.amazon.com/thread.jspa?threadID=236806 (thanks, @ruoho)
• BIND (native): 9.8.8 (EOL), 9.9.6, 9.10.1, 9.11.0. https://mailman.nanog.org/pipermail/nanog/2017-January/089944.html, ftp://ftp.isc.org/isc/bind/9.9.6/RELEASE-NOTES-BIND-9.9.6.txt
• BIND (RFC3597): yes (date/version that support was added not yet known, but probably a looong time ago)
• buddyns (per @Hello71)
• ClouDNS: https://www.cloudns.net/news/article/156/ (per @phizev)
• cPanel: https://features.cpanel.net/topic/add-support-for-caa-dns-records-type-257 "This is now public, and available in v66 in the CURRENT tier!" (thanks for shepherding this, benny@cpanel.net!)
• • documentation: https://www.cloudns.net/wiki/article/198/
• • original @phizev ticket 2017-05-18 - https://www.cloudns.net/news/article/156/
• deSEC: https://desec.readthedocs.io/en/latest/dns/rrsets.html#supported-types (thanks, @Andy-2369)
• Digital Ocean: https://www.digitalocean.com/community/tutorials/how-to-create-and-manage-caa-records-using-digitalocean-dns (per @spaze)
• DNSimple: https://blog.dnsimple.com/2017/01/introducing-caa-records/
• Domains.co.za (in the control panel, but not publicy documented, per @phizev)
• Dyn (https://help.dyn.com/zone-records/#(CAA))
• FreeDNS (https://freedns.afraid.org/news/)
• Gandi LiveDNS: http://doc.livedns.gandi.net/#recordtype (thanks @rmarchant)
• GoDaddy: https://www.godaddy.com/help/add-a-caa-record-27288
• Google Cloud DNS: https://cloud.google.com/dns/overview#supported_dns_record_types
• Hurricane Electric: (https://dns.he.net/) "Recent Additions - CAA Record Support - We've added the CAA record type! After many requests, we have completed the backend upgrades required to enable the CAA record type." (thanks, @10bass) (previous thread: https://forums.he.net/index.php?topic=3511.0)
• iwantmyname: https://help.iwantmyname.com/customer/en/portal/articles/2765180-do-you-support-caa-records- (not self-serve, support request required) (thanks, @10bass)
• IVECloud: https://ozone.ivecloud.co.za/index.php?rp=/knowledgebase/4191/How-to-Add-a-CAA-record-on-cPanel-Account.html (thanks, @kayla-dev)
• KnotDNS (commit here: https://gitlab.labs.nic.cz/labs/knot/commit/2dabc9b0294db84546024861a6201fb8e66ca5bb)
• Namecheap (in Basic and Advanced DNS, not Backup DNS): https://www.namecheap.com/support/knowledgebase/article.aspx/9991/38/caa-record-and-why-it-is-needed-ssl-related, https://www.namecheap.com/support/knowledgebase/article.aspx/535/51/what-type-of-dns-records-can-i-manage
• No-IP: https://www.noip.com/support/knowledgebase/adding-caa-records (thanks, @Andy-2369)
• NSD (RFC3597): yes (date/version that support was added not yet known)
• PowerDNS: https://doc.powerdns.com/md/types/#caa / PowerDNS/pdns#688

CAA support requested (vote!)

• Plesk: https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/17850958-implement-dns-certification-authority-authorizati

CAA not yet supported, but planned

• Cloudflare ("it's in the works", per @grittygrease) - https://twitter.com/scott_helme/status/820364771518283779); Now in beta: https://support.cloudflare.com/hc/en-us/articles/115000310792-Configuring-CAA-Records-
• EasyDNS - "No timeline as of yet but we are looking at this much closer now." (per support note to @ansdell, 2017-04-28)
• iwantmyname ("cannot give an ETA yet" 2017-04-10) - https://twitter.com/mrgreatnews/status/851378801279778816

CAA not supported, and apparently not planned

• eNom

CAA not yet supported, status unknown

• GeoScaling (as of 2021-03; thanks, @kuvam)
• Google Domains (?) (ref here: https://community.letsencrypt.org/t/how-to-add-caa-record/29195/9)
• Rackspace Cloud DNS (per @ericcholis discussion with support)

CAA support status unknown (can you help?)

• Afilias
• BuddyNS
• CDNetworks (BIND?)
• DNS Made Easy
• No-IP
• NS1
• PointHQ
• UltraDNS
• Verisign
• ZoneEdit

Domain support

• https://gist.github.com/roycewilliams/a5b2d26edf3b64ecf77a75f943de079f (scans.io data, 2016-12-31)
• http://seclists.org/nanog/2017/Jan/214 (zscan of Alexa top 1 million, 2017-01-17)
• CAA support is tracked in SSL Pulse as of April 2017 (ref: https://twitter.com/BhushanLokhande/status/850540499463266304)

RFC 3597 syntax

• RFC 3597 syntax (to add raw support for a new RR type even if not natively supported):

example.com. TYPE257 \# 8 000569737375653B

• One-liner to convert from RFC 3597 to human-readable format (credit: Gervase Markham here, works with all raw RFC3597 TYPExxx records)

dig +short -t TYPE257 google.com | perl -nE '@x = split(); say map(chr, map { hex } ($x[2] =~ m/../g ))'

• One-liner to convert from plain text to RFC 3597 format (credit: Henri in this thread):

perl -e '$_=shift;s/(.|\n)/printf("%02lx", ord $1)/eg;' 'your-text'

• Linux one-liner:

echo -n 'your text' | xxd -p

Other references

• CAA records are defined in RFC 6844: https://tools.ietf.org/html/rfc6844
• CAA support is shown in Qualys SSL Labs test results: https://blog.qualys.com/ssllabs/2017/01/13/whats-new-ssl-labs-1-26-5
• Twitter thread: https://twitter.com/scott_helme/status/820364771518283779?lang=en
• Scott Helme blog post: https://scotthelme.co.uk/certificate-authority-authorization/
• Mattias Geniar blog post: https://ma.ttias.be/caa-checking-becomes-mandatory-ssltls-certificates/

I contacted ClouDNS earlier today on their CAA support, CAA records are not currently supported, but they plan to, quote from support:

We will support CAA records soon. Unfortunately, we cannot give any ETA.

Domains.co.za has the CAA record type available in their control panel, I can't find publicly available documentation of this feature.

@phizev - updated, thanks!

Dyn Managed DNS added support without announcement (I am user). One day I was Google searching and saw they have documentation on Help > Zones. I added that on my forked version with their help page's link.

@AbhishekGhosh Good catch - updated, thanks!

buddyns supports CAA:

$ dig alxu.ca caa @b.ns.buddyns.com +short
128 issue "letsencrypt.org"

@roycewilliams Thank you for doing this.
ClouDNS have added CAA support as per their announcement, they also have it covered in their documentation.
As an addendum, I just checked my Digital Ocean control panel, and the CAA record type is not listed, please see image below:

@Hello71, @phizev, @AGWA - thanks, updated!

Is the RFC number here a typo (under "RFC 3597 syntax"):

...works with all raw RFC3457 TYPExxx records...

Hurricane Electric now supports CAA records - on their site under 'Recent Additions', and verified working with my own account & SSL Labs testing. Thank you for tracking these.

@C4llumD - good catch, fixed, thanks!

@10bass - updated - thanks!

It looks like iwantmyname has added support, but currently requires a support request to add the records: support center article

@10bass - copy that, added - thanks!

Namecheap says "we are planning to implement CAA records[...], yet there is no ETA for this at the moment."

Digital Ocean seems to support CAA now: How To Create and Manage CAA Records Using DigitalOcean DNS

@wolfgang42, @spaze - updated, thanks!

123domain.eu also supports CAA records

core-networks.de supports CAA too.

igloonet.cz supports CAA too.

ZoneEdit is working on it but no estimate other than "soon" given.

http://forum.zoneedit.com/index.php?threads/is-caa-supported-on-zoneedit.6093/

easyDNS now supports CAA: https://www.easydns.com/blog/2017/09/21/caa-records-now-enabled/

Doing some investigations - I looked at this site to generate CAA records: https://sslmate.com/caa/

I can't get any of the output of the one liners to match the output of its RFC 3597 output.

Is there any way to verify this?

Linode has quietly added support for adding CAA records, but unfortunately there's no blog post. You can see it at the bottom of a zone in the DNS Manager.

Azure DNS also plans this: https://feedback.azure.com/forums/217313-networking/suggestions/18474796-add-caa-record

SSLMate has what appears to be a fairly comprehensive list of DNS providers supporting CAA:
https://sslmate.com/caa/support

GeoScaling does not support CAA records as of the time of writing this.

IVECloud also supports CAA: https://ozone.ivecloud.co.za/index.php?rp=/knowledgebase/4191/How-to-Add-a-CAA-record-on-cPanel-Account.html

deSEC supports CAA: https://desec.readthedocs.io/en/latest/dns/rrsets.html#supported-types

No-IP seems to support CAA: SSLMate/caa_helper#117

We at Hostking.host also support CAA Records via our Control Panel.

No-IP is listed as CAA supported and CAA support status unknown (can you help?).
The entry in CAA support status unknown (can you help?) can be deleted.