Re: DNS CAA records...

2017-01-17 Thread Mark Andrews 

Or use up-to-date code.  CAA support was added in BIND 9.8.8 (already
end of lifed), BIND 9.9.6, BIND 9.10.1 and BIND 9.11.0.

[rock:~/git/bind9] marka% dig caa google.com
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> caa google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42490
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5f52c5d222feb5c9583cb70c587ee11a8f16c403c5fdbbd5 (good)
;; QUESTION SECTION:
;google.com.IN  CAA

;; ANSWER SECTION:
google.com. 86400   IN  CAA 0 issue "symantec.com"

;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 18 14:29:30 EST 2017
;; MSG SIZE  rcvd: 98

[rock:~/git/bind9] marka% 

Anyway this is a good real life example of how you can add new types
and have them be looked up without having to update the servers or
the clients.  "dig TYPE257 google.com" would have also worked.

Mark


In message <ae662f474afc41b184c821af0e38b...@rackspace.com>, Nolan Berry writes:
> So a quick look into this I see one potential real world example:
>
>
> ;; ANSWER SECTION:
> google.com.129INA216.58.218.142
> google.com.74411INNSns4.google.com.
> google.com.74411INNSns1.google.com.
> google.com.74411INNSns2.google.com.
> google.com.74411INNSns3.google.com.
> google.com.3054INTXT"v=spf1 include:_spf.google.com
> ~all"
> google.com.64IN2607:f8b0:4000:802::200e
> google.com.54475INTYPE257\# 19
> 0005697373756573796D616E7465632E636F6D
>
>
> In RFC 6844 section 7.1 it states
>
>
> "IANA has assigned Resource Record Type 257 for the CAA Resource Record
> Type"
>
>
> and I am seeing:
>
>
> google.com.54475INTYPE257\# 19 
> 0005697373756573796D616E7465632E636F6D
>
>
>
> Nolan Berry
>
> Linux Systems Engineer
>
> DNS Engineering
>
> Rackspace Hosting
>
> ____________
> From: NANOG <nanog-boun...@nanog.org> on behalf of Eric Tykwinski
> <eric-l...@truenet.com>
> Sent: Tuesday, January 17, 2017 6:04:31 PM
> To: nanog list
> Subject: DNS CAA records...
>
> So I've come across this on Qualys and just wondering if there's any
> practical examples out there in the wild.
> I know some BIND guys are on here, so I'm sure I'm missing something from
> the RFCs.
> Just wanted to test this out on my play domains before putting it out in
> the wild...
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

Re: DNS CAA records...

2017-01-17 Thread Royce Williams 
On Tue, Jan 17, 2017 at 3:04 PM, Eric Tykwinski  wrote:
> So I’ve come across this on Qualys and just wondering if there’s any 
> practical examples out there in the wild.
> I know some BIND guys are on here, so I’m sure I’m missing something from the 
> RFCs.
> Just wanted to test this out on my play domains before putting it out in the 
> wild...

As of 2016-12-31, here are CAA records for 143 domains:

https://gist.github.com/roycewilliams/a5b2d26edf3b64ecf77a75f943de079f

That gist contains all CAA (or unparsed/raw type 257) records as seen
in the Rapid7 "DNS ANY" dataset [1] from 2016-12-31.

Interestingly, google.com as noted by Nolan side-thread isn't in this
dataset. Since "DNS ANY" is a superset of all DNS picked up by other
scans, it may be that Rapid7's scanning isn't incidentally catching
many CAA records. An explicit scan for CAA records (against, say, in
all domains seen in DNS ANY) would likely be interesting.

Also, I've requested that cPanel add CAA support to the DNS management
tools. If that would be of use to you, feel free to upvote the feature
[2].

Some good CAA refs are [3],[4],and [5].

Royce

1. https://scans.io/study/sonar.fdns
2. https://features.cpanel.net/topic/add-support-for-caa-dns-records-type-257
3. https://tools.ietf.org/html/rfc6844
4. https://sslmate.com/labs/caa/ (includes info on which CAs support
them; it's early)
5. https://blog.dnsimple.com/2017/01/introducing-caa-records/

Re: DNS CAA records...

2017-01-17 Thread Nolan Berry 
So a quick look into this I see one potential real world example:


;; ANSWER SECTION:
google.com.129INA216.58.218.142
google.com.74411INNSns4.google.com.
google.com.74411INNSns1.google.com.
google.com.74411INNSns2.google.com.
google.com.74411INNSns3.google.com.
google.com.3054INTXT"v=spf1 include:_spf.google.com ~all"
google.com.64IN2607:f8b0:4000:802::200e
google.com.54475INTYPE257\# 19 
0005697373756573796D616E7465632E636F6D


In RFC 6844 section 7.1 it states


"IANA has assigned Resource Record Type 257 for the CAA Resource Record Type"


and I am seeing:


google.com.54475INTYPE257\# 19 
0005697373756573796D616E7465632E636F6D



Nolan Berry

Linux Systems Engineer

DNS Engineering

Rackspace Hosting


From: NANOG <nanog-boun...@nanog.org> on behalf of Eric Tykwinski 
<eric-l...@truenet.com>
Sent: Tuesday, January 17, 2017 6:04:31 PM
To: nanog list
Subject: DNS CAA records...

So I’ve come across this on Qualys and just wondering if there’s any practical 
examples out there in the wild.
I know some BIND guys are on here, so I’m sure I’m missing something from the 
RFCs.
Just wanted to test this out on my play domains before putting it out in the 
wild...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

DNS CAA records...

2017-01-17 Thread Eric Tykwinski 
So I’ve come across this on Qualys and just wondering if there’s any practical 
examples out there in the wild.
I know some BIND guys are on here, so I’m sure I’m missing something from the 
RFCs.
Just wanted to test this out on my play domains before putting it out in the 
wild...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300