@roycewilliams
Last active March 23, 2024 12:56
CAA-adoption-notes.md

CAA Adoption Notes

CA/B mandate

The CA/Browser Forum has voted to mandate that CAs must start checking CAA records to control certificate issuance (to verify what CAs are allowed to issue certificates for a domain) by September 8th, 2017.

https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

Full language of the ballot is here.

For domain holders, not using CAA records implicitly allows any registrar to issue certificates for your domain (as long as their registration requirements are met).
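To make the mandate concrete from the domain holder's side, here is an added example (not code from the gist) of the decision a CAA-checking CA reaches for a given name: it performs the RFC 8659 search for the relevant RRset (the closest CAA RRset at or above the name, climbing to the parent until one is found), then applies the `issue`/`issuewild` rules. The zone is a constructed in-memory dictionary rather than a live DNS lookup; treating a wildcard request `*.example.com` as a search starting at `example.com` is an assumption about common CA practice, noted in the code.

```python
"""Decide whether a CA may issue for a name under the published CAA records.

Added example (not from the gist). Implements the RFC 8659 "climb to the
parent until a CAA RRset is found" search and the issue/issuewild rules, so
a domain holder can check what a compliant CA would conclude from the
records they publish. The zone is a constructed in-memory dict, not DNS.
"""
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]          # (flags, tag, value)
Zone = Dict[str, List[CAARecord]]         # owner name -> CAA RRset

FLAG_CRITICAL = 0x80                      # RFC 8659 "issuer critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def relevant_rrset(zone: Zone, fqdn: str) -> Optional[Tuple[str, List[CAARecord]]]:
    """Return (owner, RRset) for the closest CAA RRset at or above fqdn, else None."""
    name = _normalize(fqdn)
    while name:
        rrs = zone.get(name)
        if rrs:
            return name, rrs
        name = name.partition(".")[2]     # drop the leftmost label and retry
    return None


def _issuer_domain(value: str) -> str:
    """'ca.example; account=42' -> 'ca.example'; ';' -> '' (no CA authorised)."""
    return _normalize(value.split(";", 1)[0])


def caa_permits(zone: Zone, fqdn: str, issuer_domain: str) -> bool:
    """True if the CA identified by issuer_domain may issue for fqdn."""
    wildcard = fqdn.startswith("*.")
    # Assumption/simplification: the search for *.example.com starts at
    # example.com, which is how CAs commonly handle wildcard requests.
    found = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    if found is None:
        return True                       # no CAA anywhere: any CA may issue
    _, rrs = found

    # An unknown property tag marked critical forbids issuance outright.
    for flags, tag, _ in rrs:
        if flags & FLAG_CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False

    # issuewild, when present, takes precedence over issue for wildcard names.
    wanted = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrs):
        wanted = "issuewild"
    applicable = [v for _, t, v in rrs if t.lower() == wanted]
    if not applicable:
        return True                       # e.g. only iodef present: unrestricted

    me = _normalize(issuer_domain)
    return me != "" and any(_issuer_domain(v) == me for v in applicable)


# Constructed sample zone: one CA allowed, wildcards forbidden, one locked host.
SAMPLE_ZONE: Zone = {
    "example.com": [
        (0, "issue", "ca.example"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [(0, "issue", ";")],
}

if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "locked.example.com", "other.test"):
        print(f"{name:22} ca.example -> {caa_permits(SAMPLE_ZONE, name, 'ca.example')}")
```

Note how `other.test` is permitted for every CA because no CAA RRset exists anywhere above it, which is the "implicitly allows any" situation described above; the `issuewild ";"` entry is what stops wildcard issuance even though `issue` names a CA.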

Support by CAs

See https://sslmate.com/labs/caa/ for latest status of which CAs support CAA records. That page also has an introduction to CAA records, and a CAA record generator.

Support by DNS servers and hosting providers

CAA supported

CAA support requested (vote!)

CAA not yet supported, but planned

CAA not supported, and apparently not planned

  • eNom

CAA not yet supported, status unknown

CAA support status unknown (can you help?)

  • Afilias
  • BuddyNS
  • CDNetworks (BIND?)
  • DNS Made Easy
  • No-IP
  • NS1
  • PointHQ
  • UltraDNS
  • Verisign
  • ZoneEdit

Domain support

RFC 3597 syntax

  • RFC 3597 syntax (to add raw support for a new RR type even if not natively supported):

```
example.com. TYPE257 \# 8 000569737375653B
```

  • One-liner to convert from RFC 3597 to human-readable format (credit: Gervase Markham here, works with all raw RFC3597 TYPExxx records)

```
dig +short -t TYPE257 google.com | perl -nE '@x = split(); say map(chr, map { hex } ($x[2] =~ m/../g ))'
```

  • One-liner to convert from plain text to RFC 3597 format (credit: Henri in this thread):

```
perl -e '$_=shift;s/(.|\n)/printf("%02lx", ord $1)/eg;' 'your-text'
```

  • Linux one-liner:

```
echo -n 'your text' | xxd -p
```
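The one-liners above hex-encode or decode the whole RDATA blob; the following added example (not part of the gist) does the same conversion while also understanding the CAA RDATA layout from RFC 8659 (one flags byte, one tag-length byte, the tag, then the value), so a record can be built from its human-readable fields, emitted in RFC 3597 form, and parsed back with length and tag-length validation. The function names and the sample `ca.example` issuer are this example's own.

```python
"""Convert CAA records between text fields and the RFC 3597 generic encoding.

Added example, not the gist's own code. CAA RDATA (RFC 8659) is one flags
byte, one tag-length byte, the tag, then the value filling the rest; the
RFC 3597 form wraps that as "\\# <length> <hex>", which is what a provider
without native CAA support may still let you enter.
"""
import re
from typing import Tuple

CAA_TYPE = 257
_GENERIC = re.compile(r"\\#\s+(\d+)\s*([0-9A-Fa-f\s]*)$")


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Wire-format RDATA for one CAA record."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_b = tag.encode("ascii")
    if not 1 <= len(tag_b) <= 255:
        raise ValueError("tag must be 1..255 ASCII bytes")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def caa_to_rfc3597(flags: int, tag: str, value: str) -> str:
    """(0, 'issue', ';') -> 'TYPE257 \\# 8 000569737375653B' (the gist's example)."""
    rdata = caa_rdata(flags, tag, value)
    return f"TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex().upper()}"


def rfc3597_to_caa(text: str) -> Tuple[int, str, str]:
    """Parse a generic-form line (dig +short output or a full zone line)."""
    m = _GENERIC.search(text.strip())
    if not m:
        raise ValueError("not an RFC 3597 \\# record")
    length = int(m.group(1))
    rdata = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))   # tolerate spaced hex
    if len(rdata) != length:
        raise ValueError(f"declared length {length}, got {len(rdata)} bytes")
    if len(rdata) < 2:
        raise ValueError("CAA RDATA needs at least flags and tag length")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("tag length byte does not fit the RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def caa_presentation(flags: int, tag: str, value: str) -> str:
    """Native CAA presentation form, e.g. '0 issue "ca.example"'."""
    return f'{flags} {tag} "{value}"'


if __name__ == "__main__":
    raw = "example.com. TYPE257 \\# 8 000569737375653B"   # the gist's sample line
    print(caa_presentation(*rfc3597_to_caa(raw)))          # 0 issue ";"
    print(caa_to_rfc3597(128, "issue", "ca.example; account=42"))
```

The length check matters in practice: a record whose declared byte count disagrees with its hex is the usual symptom of a hand-typed RFC 3597 entry, and a resolver will reject or mangle it rather than publish the policy you intended.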

Other references

@kuvam

kuvam commented Jun 4, 2020

GeoScaling does not support CAA records as of the time of writing this.

@Andy-2639

Andy-2639 commented Nov 11, 2023


No-IP seems to support CAA: SSLMate/caa_helper#117

@azizarnold

We at Hostking.host also support CAA Records via our Control Panel.

@Andy-2639

No-IP is listed as CAA supported and CAA support status unknown (can you help?).
The entry in CAA support status unknown (can you help?) can be deleted.
