ydns / bash-updater

YDNS Bash Updater Script
GNU General Public License v3.0

CAA record support #47

Closed virtual-machinist closed 7 years ago

virtual-machinist commented 7 years ago

I use the Let's Encrypt free certificate authority. Recently they sent me an email, starting like:

You are receiving this email because you have a Let's Encrypt certificate for a domain name that is currently failing CAA checks: https://tools.ietf.org/html/rfc6844 . Without a fix by your DNS provider, your certificate may fail its next renewal due to stricter CAA enforcement.

Is there any way to comply with their requirement? I imagine many ydns.io users have also set up free SSL this way.

rnhmjoj commented 7 years ago

I wonder what "may fail" means. You can't simply add it because it's a new type of record and ydns seems to only manage A, AAAA and TXT.

virtual-machinist commented 7 years ago

Yes, hence this issue. AFAIK CAA record support was added in PowerDNS last spring. If it's what ydns uses, it's a matter of exposing the record setting in the user interface.

rnhmjoj commented 7 years ago

@commx?

commx commented 7 years ago

Right, we're using PowerDNS. We recently switched to 4.x which introduced that record type. It's just a matter of adding that feature to the web UI, which could be done pretty quickly.

YDNS supports way more record types than just A, AAAA and TXT; the limitation is currently active for hosts only. For your own domains, you can add many more record types via the "Records" management feature.

I'm seeing this mail from Let's Encrypt for the very first time. Looks like they're enforcing stricter rules for their certs from time to time; adding appropriate support for the CAA RR type on YDNS will follow soon. I'll keep you updated here.

commx commented 7 years ago

CAA support has been added with basic validation (for record management and hosts). Make sure content yields something like:

0 issue "ca.example.net"

If you encounter any problems with that, let me know.

rnhmjoj commented 7 years ago

Thank you! I tested it with ssltest and it's working.

virtual-machinist commented 7 years ago

dig @8.8.8.8 +short -t caa myhost.ydns.eu seems to report what I've entered through the UI as well. Thanks for a very fast response!

TamasSzerb commented 3 years ago

Could anyone elaborate on how to add a CAA record? I can't see it in the UI, nor in the updater. @commx?

commx commented 3 years ago

> Could anyone elaborate on how to add a CAA record? I can't see it in the UI, nor in the updater. @commx?

If you have no host yet, create one (on the "My Hosts" page). Then click your host from the My Hosts page and click "Add Record" on the top. You can select CAA for the record type and the corresponding content.

I'm working on a simpler way to enable CAA records for hosts, but that's probably part of a larger set of updates.

TamasSzerb commented 3 years ago

Thank you @commx!

zalessky commented 3 years ago

@commx, in the hosts section there is no longer an "Add Record" button at the top; there is only a "Delete" button. How can you add a CAA record now?

commx commented 3 years ago

@zalessky the button was somehow not displayed anymore. It has been fixed now, thanks for reporting.