[193450] in North American Network Operators' Group


Re: DNS CAA records...

daemon@ATHENA.MIT.EDU (Royce Williams)
Tue Jan 17 20:55:04 2017

X-Original-To: nanog@nanog.org
In-Reply-To: <280728E2-F42B-4058-9120-9C82A5CBA981@truenet.com>
From: Royce Williams <royce@techsolvency.com>
Date: Tue, 17 Jan 2017 16:54:28 -0900
To: Eric Tykwinski <eric-list@truenet.com>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Tue, Jan 17, 2017 at 3:04 PM, Eric Tykwinski <eric-list@truenet.com> wrote:
> So I’ve come across this on Qualys and just wondering if there’s any practical examples out there in the wild.
> I know some BIND guys are on here, so I’m sure I’m missing something from the RFCs.
> Just wanted to test this out on my play domains before putting it out in the wild...

As of 2016-12-31, here are CAA records for 143 domains:

https://gist.github.com/roycewilliams/a5b2d26edf3b64ecf77a75f943de079f

That gist contains all CAA (or unparsed/raw type 257) records as seen
in the Rapid7 "DNS ANY" dataset [1] from 2016-12-31.

Interestingly, google.com as noted by Nolan in a side-thread isn't in this
dataset. Since "DNS ANY" is a superset of all DNS picked up by other
scans, it may be that Rapid7's scanning isn't incidentally catching
many CAA records. An explicit scan for CAA records (against, say,
all domains seen in DNS ANY) would likely be interesting.

Also, I've requested that cPanel add CAA support to the DNS management
tools. If that would be of use to you, feel free to upvote the feature
[2].

Some good CAA refs are [3], [4], and [5].

Royce

1. https://scans.io/study/sonar.fdns
2. https://features.cpanel.net/topic/add-support-for-caa-dns-records-type-257
3. https://tools.ietf.org/html/rfc6844
4. https://sslmate.com/labs/caa/ (includes info on which CAs support
them; it's early)
5. https://blog.dnsimple.com/2017/01/introducing-caa-records/
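
Added example, not part of the original message or the linked gist: resolvers and datasets that predate CAA support show the record as raw type 257 in RFC 3597 generic form (`\# <length> <hex>`), and this sketch decodes that form into the RFC 6844 flags/tag/value fields. The function names and the example.net sample records are constructed for illustration.

```python
def parse_generic_rdata(text):
    """Turn '\\# <length> <hex...>' (RFC 3597 unknown-type syntax) into bytes."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != "\\#":
        raise ValueError("not RFC 3597 generic rdata")
    data = bytes.fromhex("".join(parts[2:]))
    if len(data) != int(parts[1]):
        raise ValueError("declared length does not match hex payload")
    return data

def parse_caa(rdata):
    """Split CAA wire rdata: flags (1 octet), tag length (1 octet), tag, value."""
    if len(rdata) < 2:
        raise ValueError("CAA rdata too short")
    flags, tag_len = rdata[0], rdata[1]
    tag = rdata[2:2 + tag_len]
    if tag_len == 0 or len(tag) != tag_len:
        raise ValueError("tag length is zero or runs past the record")
    if not tag.isalnum():
        raise ValueError("tag must be ASCII letters and digits")
    return {
        "flags": flags,
        "critical": bool(flags & 0x80),  # issuer-critical is the top bit (128)
        "tag": tag.decode("ascii").lower(),
        "value": rdata[2 + tag_len:].decode("ascii", "replace"),
    }

def to_presentation(rec):
    """Render the zone-file form, e.g. 0 issue "ca.example.net"."""
    value = rec["value"].replace("\\", "\\\\").replace('"', '\\"')
    return '{} {} "{}"'.format(rec["flags"], rec["tag"], value)

def _generic(raw):
    """Build a constructed sample in RFC 3597 generic form."""
    return "\\# {} {}".format(len(raw), raw.hex())

# Constructed sample records (not taken from the dataset).
SAMPLES = [
    _generic(b"\x00\x05issue" + b"ca.example.net"),
    _generic(b"\x80\x05iodef" + b"mailto:security@example.net"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, "->", to_presentation(parse_caa(parse_generic_rdata(raw))))
```
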
