Open kimusan opened 6 years ago
I think this should be technically possible. But we can only do it without using wildcards I think. Otherwise there would be side effects.
During the DNS update we could check if the cert is issued by LE and set the record? Or we could store the info in our db. Not sure.
Side note: I thought I read a blog post where somebody tested if the "other" CA's respected the CAA entry. There were still some that didn't. (Shouldn't hinder us though)
I manually added CAA records for mail.example.com and www.mail.example.com:
0 issuewild "letsencrypt.org"
Qualys SSL Server Test reports the CAA records as working fine.
This would be problematic if done automatically, since users might be prevented from getting SSL certs from other providers than Let's Encrypt for subdomains if CAA is automatically set to letsencrypt.org, i.e. if I wanted a RapidSSL cert for my website that I don't host on MIAB.
Instead, I would favor adding verbiage to the documentation that this can be done manually (and what it does/and potential problems)
According to Let's Encrypt's page on CAA, the CAA records are not mandatory. However, when there are no records the DNS server needs to respond with the NOERROR status. Looks like currently my MIAB DNS server is responding with SERVFAIL status in this case though.
Maybe we can sidestep the whole debate about which records to add and just "fix" the DNS response?
@dan-mcdonald Already reported a long time ago but ignored by the main developer at that time.
Let's Encrypt's page on CAA says:
it only needs to reply with a NOERROR response for unknown query types (including CAA).
CAA is not an unknown qtype for NSD. NSD supports CAA types. https://github.com/NLnetLabs/nsd/blob/008b57dae87d835fc3922fe49b04693afb56ba07/doc/REQUIREMENTS#L877
It is correct that if you request an unknown qtype you will get NOERROR.
```
root@m:~# dig @8.8.8.8 google.com ASDF | grep NOERROR
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53510
```
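Added example, not Mail-in-a-Box code and not from any commenter: a small offline Python checker that applies the RFC 8659 rules this thread touches to a constructed zone. It covers the issuewild-only record set on mail.example.com above (which restricts only wildcard requests), an issue record that pins a name to letsencrypt.org, an unknown critical property, and a SERVFAIL answer, which the checker reports as a lookup failure rather than as permission. All names, records and the issuer "other-ca.example" are constructed.

```python
SERVFAIL = object()  # sentinel: the authoritative server answered SERVFAIL
# Constructed zone (not real DNS): name -> list of (flags, tag, value) CAA records.
# Names not listed answer NOERROR with no data, which is the compliant "no CAA".
ZONE = {
    "mail.example.com": [(0, "issuewild", "letsencrypt.org")],
    "locked.example.com": [(0, "issue", "letsencrypt.org")],
    "strict.example.com": [(128, "futuretag", "x")],  # critical, unknown tag
    "broken.example.net": SERVFAIL,  # models the SERVFAIL seen in the thread
}

def parse_caa(line):
    """Parse presentation format '<flags> <tag> "<value>"' into a tuple."""
    flags, tag, value = line.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def relevant_rrset(zone, name):
    """RFC 8659 s3: climb from the name toward the root and return the first
    non-empty CAA RRset; a wildcard starts at its parent. SERVFAIL -> LookupError."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        records = zone.get(".".join(labels), [])
        if records is SERVFAIL:
            raise LookupError(".".join(labels))
        if records:
            return records
        labels = labels[1:]
    return []

def issuance_permitted(zone, name, ca):
    """Return 'permitted', 'denied' or 'lookup-failed' for issuer `ca`
    (its CAA identifier, e.g. letsencrypt.org) and `name` ('*.' = wildcard)."""
    try:
        rrset = relevant_rrset(zone, name)
    except LookupError:
        return "lookup-failed"  # SERVFAIL: Let's Encrypt reports an error here
    # Flag bit 128 = issuer-critical: an unknown critical tag forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return "denied"
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # RFC 8659 s4.3: issuewild governs wildcard names when present, otherwise
    # issue applies; non-wildcard names are governed by issue alone.
    applicable = issuewild if name.startswith("*.") and issuewild else issue
    if not applicable:
        return "permitted"  # no restricting property in the Relevant RRset
    # A value of ";" names no issuer at all; parameters after ';' are ignored.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return "permitted" if ca.lower() in allowed else "denied"
```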
A PR to add this info somewhere might be better than auto-adding CAA records. Users may want to bring their own SSL certs which MIAB supports. If CAA was auto set (via new install or existing install) and I tried to issue a cert from RapidSSL it would now fail. It would be advised to leave this up to each user to specify what their CAA records should be. Perhaps an addition to the documentation for this would be better.
There was also additional discussion on the forums on this topic: https://discourse.mailinabox.email/t/dns-problem-servfail-looking-up-caa/2552/2
In https://github.com/mail-in-a-box/mailinabox/pull/1155 support for CAA DNS records was added (as they are now mandatory). It would be nice if these were automatically generated for the domains MIAB controls and where we already know the CAA is letsencrypt.