Re: DNS CAA records...
Or use up-to-date code. CAA support was added in BIND 9.8.8 (already end-of-lifed), BIND 9.9.6, BIND 9.10.1 and BIND 9.11.0.

[rock:~/git/bind9] marka% dig caa google.com
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> caa google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42490
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5f52c5d222feb5c9583cb70c587ee11a8f16c403c5fdbbd5 (good)
;; QUESTION SECTION:
;google.com.                    IN      CAA

;; ANSWER SECTION:
google.com.             86400   IN      CAA     0 issue "symantec.com"

;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 18 14:29:30 EST 2017
;; MSG SIZE  rcvd: 98

[rock:~/git/bind9] marka%

Anyway this is a good real life example of how you can add new types and have them be looked up without having to update the servers or the clients. "dig TYPE257 google.com" would have also worked.

Mark

In message <ae662f474afc41b184c821af0e38b...@rackspace.com>, Nolan Berry writes:
> So a quick look into this I see one potential real world example:
>
>
> ;; ANSWER SECTION:
> google.com.             129     IN      A       216.58.218.142
> google.com.             74411   IN      NS      ns4.google.com.
> google.com.             74411   IN      NS      ns1.google.com.
> google.com.             74411   IN      NS      ns2.google.com.
> google.com.             74411   IN      NS      ns3.google.com.
> google.com.             3054    IN      TXT     "v=spf1 include:_spf.google.com ~all"
> google.com.             64      IN      2607:f8b0:4000:802::200e
> google.com.             54475   IN      TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
>
>
> In RFC 6844 section 7.1 it states
>
>
> "IANA has assigned Resource Record Type 257 for the CAA Resource Record Type"
>
>
> and I am seeing:
>
>
> google.com.             54475   IN      TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
>
>
>
> Nolan Berry
>
> Linux Systems Engineer
>
> DNS Engineering
>
> Rackspace Hosting
>
> ____________
> From: NANOG <nanog-boun...@nanog.org> on behalf of Eric Tykwinski <eric-l...@truenet.com>
> Sent: Tuesday, January 17, 2017 6:04:31 PM
> To: nanog list
> Subject: DNS CAA records...
>
> So I've come across this on Qualys and just wondering if there's any
> practical examples out there in the wild.
> I know some BIND guys are on here, so I'm sure I'm missing something from
> the RFCs.
> Just wanted to test this out on my play domains before putting it out in
> the wild...
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
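Added example, not code from the thread, from BIND or from any of the posters: the 19 octets that Nolan's resolver printed in RFC 3597 generic form (TYPE257 \# 19 0005...636F6D) and the 0 issue "symantec.com" that Mark's newer dig prints are the same RDATA, laid out as RFC 6844 section 5.1 describes: one flags octet, one tag-length octet, the tag, then the value to the end of the RDATA. The Python below decodes both forms, encodes back to wire and generic form so the round trip can be checked, and rejects malformed RDATA (bad tag length, non-alphanumeric tag, declared length not matching the hex). The 0x80 critical flag constant is from RFC 6844; the CAA class and function names are this example's own.

```python
"""Decode and encode DNS CAA (type 257) RDATA as defined in RFC 6844 section 5.1.

Wire layout:  flags (1 octet) | tag length (1 octet) | tag | value (rest of RDATA)

A resolver or dig that predates CAA prints the record in RFC 3597 generic form,
e.g.   TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
while a CAA-aware dig prints the presentation form   0 issue "symantec.com"
"""
import re
from dataclasses import dataclass

CAA_TYPE = 257
CAA_FLAG_CRITICAL = 0x80  # "issuer critical" bit of the flags octet (RFC 6844 5.1.1)


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & CAA_FLAG_CRITICAL)

    def presentation(self) -> str:
        """Presentation form as a CAA-aware dig prints it."""
        return f'{self.flags} {self.tag} "{self.value}"'


def decode_caa_rdata(rdata: bytes) -> CAA:
    """Parse wire-format CAA RDATA, validating the length octet and the tag."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than the two fixed octets")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError(f"bad CAA tag length {tag_len} for {len(rdata)}-octet RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii", errors="replace")
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        raise ValueError(f"CAA tag must be alphanumeric, got {tag!r}")
    # The value is binary on the wire; the tags defined by RFC 6844 carry text.
    value = rdata[2 + tag_len:].decode("utf-8", errors="replace")
    return CAA(flags, tag.lower(), value)  # tags are case-insensitive


def encode_caa_rdata(rec: CAA) -> bytes:
    """Build wire-format RDATA from a CAA record."""
    tag = rec.tag.encode("ascii")
    if not 0 < len(tag) < 256:
        raise ValueError("CAA tag length must fit in one octet and be non-zero")
    if not 0 <= rec.flags <= 255:
        raise ValueError("CAA flags must fit in one octet")
    return bytes([rec.flags, len(tag)]) + tag + rec.value.encode("utf-8")


# RFC 3597 generic RDATA:  TYPE<n> \# <length> <hex octets, whitespace allowed>
_GENERIC = re.compile(r"^TYPE(\d+)\s+\\#\s+(\d+)\s*((?:[0-9A-Fa-f]{2}\s*)*)$")


def decode_generic(text: str) -> CAA:
    """Parse 'TYPE257 \\# <len> <hex>' (as an old dig prints it) into a CAA record."""
    m = _GENERIC.match(text.strip())
    if not m:
        raise ValueError(f"not an RFC 3597 generic RDATA string: {text!r}")
    rrtype, length, hexdata = int(m.group(1)), int(m.group(2)), m.group(3)
    if rrtype != CAA_TYPE:
        raise ValueError(f"expected TYPE{CAA_TYPE}, got TYPE{rrtype}")
    rdata = bytes.fromhex("".join(hexdata.split()))
    if len(rdata) != length:
        raise ValueError(f"declared length {length} but {len(rdata)} octets of hex")
    return decode_caa_rdata(rdata)


def to_generic(rec: CAA) -> str:
    """Render a CAA record in RFC 3597 generic form."""
    rdata = encode_caa_rdata(rec)
    return f"TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex().upper()}"


if __name__ == "__main__":
    # The generic-form string quoted in the thread (the line wrap in the mail removed).
    raw = r"TYPE257 \# 19 0005697373756573796D616E7465632E636F6D"
    rec = decode_generic(raw)
    print(rec.presentation())          # 0 issue "symantec.com"
    print(to_generic(rec) == raw)      # True: the two forms are the same octets
    # A constructed record with the critical bit set, tag "issuewild", value ";"
    # (RFC 6844: ";" means no CA may issue), to show the flag round-tripping.
    strict = CAA(CAA_FLAG_CRITICAL, "issuewild", ";")
    print(decode_caa_rdata(encode_caa_rdata(strict)).critical)  # True
```

Whitespace inside the hex is accepted because mail clients and dig wrap long generic-form lines, as happened in Nolan's message; an operator pasting such output into a checker should not have to join the lines by hand.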
Re: DNS CAA records...
On Tue, Jan 17, 2017 at 3:04 PM, Eric Tykwinski wrote:
> So I've come across this on Qualys and just wondering if there's any
> practical examples out there in the wild.
> I know some BIND guys are on here, so I'm sure I'm missing something from the
> RFCs.
> Just wanted to test this out on my play domains before putting it out in the
> wild...

As of 2016-12-31, here are CAA records for 143 domains:

https://gist.github.com/roycewilliams/a5b2d26edf3b64ecf77a75f943de079f

That gist contains all CAA (or unparsed/raw type 257) records as seen in the Rapid7 "DNS ANY" dataset [1] from 2016-12-31.

Interestingly, google.com as noted by Nolan side-thread isn't in this dataset. Since "DNS ANY" is a superset of all DNS picked up by other scans, it may be that Rapid7's scanning isn't incidentally catching many CAA records. An explicit scan for CAA records (against, say, all domains seen in DNS ANY) would likely be interesting.

Also, I've requested that cPanel add CAA support to the DNS management tools. If that would be of use to you, feel free to upvote the feature [2].

Some good CAA refs are [3], [4], and [5].

Royce

1. https://scans.io/study/sonar.fdns
2. https://features.cpanel.net/topic/add-support-for-caa-dns-records-type-257
3. https://tools.ietf.org/html/rfc6844
4. https://sslmate.com/labs/caa/ (includes info on which CAs support them; it's early)
5. https://blog.dnsimple.com/2017/01/introducing-caa-records/
Re: DNS CAA records...
So a quick look into this I see one potential real world example:

;; ANSWER SECTION:
google.com.             129     IN      A       216.58.218.142
google.com.             74411   IN      NS      ns4.google.com.
google.com.             74411   IN      NS      ns1.google.com.
google.com.             74411   IN      NS      ns2.google.com.
google.com.             74411   IN      NS      ns3.google.com.
google.com.             3054    IN      TXT     "v=spf1 include:_spf.google.com ~all"
google.com.             64      IN      2607:f8b0:4000:802::200e
google.com.             54475   IN      TYPE257 \# 19 0005697373756573796D616E7465632E636F6D

In RFC 6844 section 7.1 it states

"IANA has assigned Resource Record Type 257 for the CAA Resource Record Type"

and I am seeing:

google.com.             54475   IN      TYPE257 \# 19 0005697373756573796D616E7465632E636F6D

Nolan Berry
Linux Systems Engineer
DNS Engineering
Rackspace Hosting

From: NANOG <nanog-boun...@nanog.org> on behalf of Eric Tykwinski <eric-l...@truenet.com>
Sent: Tuesday, January 17, 2017 6:04:31 PM
To: nanog list
Subject: DNS CAA records...

So I've come across this on Qualys and just wondering if there's any practical examples out there in the wild.
I know some BIND guys are on here, so I'm sure I'm missing something from the RFCs.
Just wanted to test this out on my play domains before putting it out in the wild...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
DNS CAA records...
So I've come across this on Qualys and just wondering if there's any practical examples out there in the wild.
I know some BIND guys are on here, so I'm sure I'm missing something from the RFCs.
Just wanted to test this out on my play domains before putting it out in the wild...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300