bind supports CAA

Discussion in 'ISPConfig 3 Priority Support' started by ganewbie, Sep 6, 2017.

  1. ganewbie

    ganewbie Member HowtoForge Supporter

    Hello,
    Soon (September 7, 2017) we will be required to issue CAA records.
    https://sslmate.com/caa/
    BIND supports it. Is there a way to do that from our ISPConfig3 panel?
    Thanks,
     
  2. HSorgYves

    HSorgYves Member HowtoForge Supporter

    Required? No, we will be allowed to issue CAA records...
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    CAA records are available in ISPConfig master branch in GIT (the branch that will become ISPConfig 3.2).

    And as @HSorgYves pointed out, you may start to use CAA now but it is not required. At least if I understand the page that you posted correctly.
     
  4. sjau

    sjau Local Meanie Moderator

    Just saw a Heise article in which they say that CAs must respect CAA if available in the zone starting from today. It also links to the corresponding ballot: https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/

    "Effective as of 8 September 2017, section 4.2 of a CA’s Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state the CA’s policy or practice on processing CAA Records for Fully Qualified Domain Names; that policy shall be consistent with these Requirements. It shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA “issue” or “issuewild” records as permitting it to issue. The CA SHALL log all actions taken, if any, consistent with its processing practice. Add the following text to the appropriate place in section 1.6.3 (“References”):"

    For you as the domain owner nothing changes. You can add a CAA record to your zone file. However, if you (or someone else) tries to request an SSL cert for your domain, then the CA must check if a CAA record is in the DNS file and, if so, whether that CA is allowed to issue a cert for that domain.
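
The check described in the last post, sketched as an added example (not part of the thread, and not ISPConfig or CA code). It follows the RFC 8659 lookup rules in simplified form over a constructed in-memory zone instead of live DNS; `ZONE`, `relevant_rrset` and `may_issue` are hypothetical names, and `ca.example.net` is a made-up issuer.

```python
# Added illustration: the CAA decision a CA makes before issuing.
# Simplified: no live DNS, no CNAME handling, issuer parameters ignored.
# A BIND zone line for the first record would read:
#   example.com.  IN  CAA  0 issue "letsencrypt.org"

# Constructed sample data: name -> CAA records as (flags, tag, value).
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                    # ";" = no CA may issue wildcards
        (0, "iodef", "mailto:hostmaster@example.com"),
    ],
    "shop.example.com": [(0, "issue", "ca.example.net; account=1234")],
    "locked.example.com": [(128, "futuretag", "x")],  # critical, unknown tag
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn, zone=ZONE):
    """Climb from the FQDN toward the root; the first name with CAA wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":          # wildcard requests start at the base name
        labels = labels[1:]
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def may_issue(fqdn, issuer_domain, zone=ZONE):
    """True if the CA identified by issuer_domain may issue for fqdn."""
    records = relevant_rrset(fqdn, zone)
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    wild = [v for _, t, v in records if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    applicable = wild if (fqdn.startswith("*.") and wild) else issue
    if not applicable:
        return True               # no CAA, or none that restricts this request
    # Drop parameters after ";"; an empty issuer name matches no CA.
    names = [v.split(";", 1)[0].strip().lower() for v in applicable]
    return issuer_domain.lower() in names
```

Note that `shop.example.com` carries its own CAA set, so the `letsencrypt.org` authorisation on the parent no longer applies there.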
     
