mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

auto add CAA dns record for domain controlled by the miab #1322

Open kimusan opened 6 years ago

kimusan commented 6 years ago

In https://github.com/mail-in-a-box/mailinabox/pull/1155 support was added for CAA DNS records (as they are now mandatory). It would be nice if these were automatically generated for the domains the MIAB controls and where we already know the CA is Let's Encrypt.

yodax commented 6 years ago

I think this should be technically possible. But we can only do it without using wildcards I think. Otherwise there would be side effects.

During the DNS update we could check if the cert is issued by LE and set the record? Or we could store the info in our db. not sure.

Side note: I thought I read a blog post where somebody tested whether the "other" CAs respected the CAA entry. There were still some that didn't. (Shouldn't hinder us though.)

myfirstnameispaul commented 5 years ago

I manually added CAA records for mail.example.com and www.mail.example.com:

0 issuewild "letsencrypt.org"

Qualys SSL Server Test reports the CAA records as working fine.

jvolkenant commented 5 years ago

This would be problematic if done automatically, since users might be prevented from getting SSL certs from providers other than Let's Encrypt for subdomains if CAA is automatically set to letsencrypt.org, i.e. if I wanted a RapidSSL cert for my website that I don't host on MIAB.

Instead, I would favor adding verbiage to the documentation that this can be done manually (and what it does/and potential problems)

dan-mcdonald commented 4 years ago

According to Let's Encrypt's page on CAA, the CAA records are not mandatory. However, when there are no records the DNS server needs to respond with the NOERROR status. Looks like currently my MIAB DNS server is responding with SERVFAIL status in this case though.

Maybe we can sidestep the whole debate about which records to add and just "fix" the DNS response?

just4t commented 4 years ago

@dan-mcdonald Already reported long time ago but ignored by main developer at that time.

jvolkenant commented 4 years ago

> According to Let's Encrypt's page on CAA, the CAA records are not mandatory. However, when there are no records the DNS server needs to respond with the NOERROR status. Looks like currently my MIAB DNS server is responding with SERVFAIL status in this case though.
>
> Maybe we can sidestep the whole debate about which records to add and just "fix" the DNS response?

Let's Encrypt's page on CAA says:

> it only needs to reply with a NOERROR response for unknown query types (including CAA).

CAA is not an unknown qtype for NSD. NSD supports CAA types. https://github.com/NLnetLabs/nsd/blob/008b57dae87d835fc3922fe49b04693afb56ba07/doc/REQUIREMENTS#L877

It is correct that if you request an incorrect qtype you will get NOERROR.

```
root@m:~# dig @8.8.8.8 google.com ASDF | grep NOERROR
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53510
```

A PR to add this info somewhere might be better than auto-adding CAA records. Users may want to bring their own SSL certs, which MIAB supports. If CAA were auto-set (via new install or existing install) and I tried to issue a cert from RapidSSL, it would now fail. It would be advised to leave this up to each user to specify what their CAA records should be. Perhaps an addition to the documentation for this would be better.

There was also additional discussion on the forums on this topic: https://discourse.mailinabox.email/t/dns-problem-servfail-looking-up-caa/2552/2
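The thread touches two separate CAA questions: what an `issue` or `issuewild` record actually restricts (the `0 issuewild "letsencrypt.org"` record posted above, and the "bring your own cert" objection), and how a CA treats a nameserver that answers SERVFAIL instead of NOERROR-with-no-records. The following is an added example, not Mail-in-a-Box code and not Let's Encrypt's implementation; it walks the CAA tree the way RFC 8659 (the successor to RFC 6844) specifies, against a constructed, offline stand-in for a resolver. All names, records and the `other-ca.example` CA identifier are invented for the example.

```python
# Added example: RFC 8659 CAA evaluation against a constructed, offline "resolver".
# Not Mail-in-a-Box code. Names, records and responses below are invented.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CAA:
    flags: int    # 128 = issuer-critical bit
    tag: str      # "issue", "issuewild", "iodef", or an unknown tag
    value: str    # e.g. 'letsencrypt.org', or ';' meaning "no CA may issue"


Response = Tuple[str, List[CAA]]   # (rcode, CAA RRset at that exact name)

# Constructed nameserver view. NOERROR with an empty list is the healthy
# "no CAA records here" answer a CA expects; SERVFAIL is the misbehaviour
# the thread describes. Names not listed answer NOERROR with no records.
FAKE_DNS: Dict[str, Response] = {
    "mail.example.com.":    ("NOERROR", [CAA(0, "issuewild", "letsencrypt.org")]),
    "example.com.":         ("NOERROR", [CAA(0, "issue", "letsencrypt.org")]),
    "nocerts.example.org.": ("NOERROR", [CAA(0, "issue", ";")]),
    "odd.example.org.":     ("NOERROR", [CAA(128, "futuretag", "x")]),
    "broken.example.":      ("SERVFAIL", []),
}


def resolve_caa(name: str) -> Response:
    return FAKE_DNS.get(name, ("NOERROR", []))


class CAALookupError(Exception):
    """The tree walk hit a DNS failure; a CA must refuse, not assume 'no records'."""


def relevant_rrset(fqdn: str, resolve: Callable[[str], Response] = resolve_caa
                   ) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 s3: query fqdn, then each parent up to (not including) the root.
    The first non-empty CAA RRset is the Relevant RRset. NOERROR/NXDOMAIN with
    no records means "keep climbing"; SERVFAIL is a failure, not an absence."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, rrset = resolve(name)
        if rcode == "SERVFAIL":
            raise CAALookupError(f"SERVFAIL looking up CAA for {name}")
        if rrset:
            return name, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def caa_permits(name: str, ca_domain: str,
                resolve: Callable[[str], Response] = resolve_caa) -> bool:
    """Would the CA identified by ca_domain be allowed to issue for name?
    A leading '*.' marks a wildcard request (RFC 8659 s4.3)."""
    wildcard = name.startswith("*.")
    fqdn = name[2:] if wildcard else name
    _, rrset = relevant_rrset(fqdn, resolve)
    # An unknown tag with the critical bit set forbids issuance outright.
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild governs wildcard requests when present; for non-wildcard names
    # it is ignored and only issue records count.
    records = issuewild if (wildcard and issuewild) else issue
    if not records:
        return True      # no restricting property tag in the Relevant RRset
    return any(issuer_domain(r.value) == ca_domain.lower() for r in records)


def check(name: str, ca_domain: str) -> str:
    """Human-readable verdict; a lookup failure is reported, never treated as 'permitted'."""
    try:
        return "permitted" if caa_permits(name, ca_domain) else "forbidden"
    except CAALookupError as exc:
        return f"lookup failed ({exc})"


if __name__ == "__main__":
    for q in [("mail.example.com", "letsencrypt.org"),
              ("mail.example.com", "other-ca.example"),
              ("*.mail.example.com", "other-ca.example"),
              ("www.example.com", "other-ca.example"),
              ("box.example.net", "other-ca.example"),
              ("mail.broken.example", "letsencrypt.org")]:
        print(f"{q[0]:22} {q[1]:18} -> {check(*q)}")
```

Two results are worth noticing. An `issuewild`-only record at `mail.example.com` leaves non-wildcard issuance unrestricted for every CA, because the relevant RRset contains no `issue` tag; only `*.mail.example.com` is pinned to letsencrypt.org. And a zone whose authoritative server answers SERVFAIL for CAA (`broken.example` here) does not fall through to "no records, issuance permitted"; the walk raises, which is the behaviour behind the "SERVFAIL looking up CAA" failure discussed in the thread, independent of whether any CAA record exists.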