Vladimir Lomov
2018-Apr-29 02:54 UTC
[nsd-users] CAA record for domain doesn't show information about subdomains?
Hello,

I'm using the latest NSD (4.1.20) and configured a CAA record for my domain (vl-lomov.ru), but it seems that a query for the CAA of subdomains doesn't return the expected results as for the domain vl-lomov.ru. I checked the RFC (https://tools.ietf.org/html/rfc6844) and found this statement:

   The following example is a DNS zone file (see [RFC1035]) that informs
   CAs that certificates are not to be issued except by the holder of the
   domain name 'ca.example.net' or an authorized agent thereof. This
   policy applies to all subordinate domains under example.com.

(the last paragraph on page 4), but I didn't find what DNS should return on a request for a subdomain. I would expect that a request for the CAA record of a subdomain should return the same answer as for the domain 'vl-lomov.ru' (if nothing else is set for that particular subdomain, its CAA must be inherited from the domain setting).

I tried to check the CAA using dig and drill and both show that only the vl-lomov.ru domain has a CAA answer. Is it expected behaviour?

-------------------- 8< ---------------------
$ drill node1.vl-lomov.ru CAA | grep -v '^;'
vl-lomov.ru.	1042	IN	SOA	ns1.vl-lomov.ru. lomovp.yandex.ru. 2018042901 14400 7200 1209600 1800
-------------------- 8< ---------------------
$ drill vl-lomov.ru CAA | grep -v '^;;'
vl-lomov.ru.	37524	IN	CAA	0 issue "cert.vl-lomov.ru"
vl-lomov.ru.	37524	IN	CAA	0 issuewild ";"
vl-lomov.ru.	37524	IN	CAA	0 iodef "mailto:lomov.vl at yandex.ru"
vl-lomov.ru.	37524	IN	NS	ns1.vl-lomov.ru.
vl-lomov.ru.	37524	IN	NS	ns2.vl-lomov.ru.
vl-lomov.ru.	37524	IN	NS	ns3.vl-lomov.ru.
ns1.vl-lomov.ru.	37524	IN	A	185.185.68.15
ns2.vl-lomov.ru.	37524	IN	A	88.99.227.228
ns3.vl-lomov.ru.	37524	IN	A	217.182.71.250
ns1.vl-lomov.ru.	37524	IN	AAAA	2a0a:2b40::4:140
ns2.vl-lomov.ru.	37524	IN	AAAA	2a01:4f8:c0c:14c9::2
ns3.vl-lomov.ru.	37524	IN	AAAA	2001:41d0:401:3100::36f3
-------------------- 8< ---------------------
$ dig node1.vl-lomov.ru CAA | grep -v '^;'
vl-lomov.ru.	1800	IN	SOA	ns1.vl-lomov.ru. lomovp.yandex.ru. 2018042901 14400 7200 1209600 1800
-------------------- 8< ---------------------
$ dig vl-lomov.ru CAA | grep -v '^;'
vl-lomov.ru.	43200	IN	CAA	0 issue "cert.vl-lomov.ru"
vl-lomov.ru.	43200	IN	CAA	0 issuewild "\;"
vl-lomov.ru.	43200	IN	CAA	0 iodef "mailto:lomov.vl at yandex.ru"
-------------------- 8< ---------------------

Thanks in advance,
Vladimir Lomov

--
The bomb will never go off. I speak as an expert in explosives.
-- Admiral William Leahy, U.S. Atomic Bomb Project
Ask Bjørn Hansen
2018-Apr-29 03:47 UTC
[nsd-users] CAA record for domain doesn't show information about subdomains?
> On Apr 28, 2018, at 19:54, Vladimir Lomov <lomov.vl at yandex.ru> wrote:
>
> I tried to check the CAA using dig and drill and both show that only
> vl-lomov.ru domain has CAA answer. Is it expected behaviour?

Yes. The specification you quoted is referring to how the CA will query for the CAA record, not how it is served.

Ask

--
http://askask.com/
Paul Wouters
2018-Apr-29 16:41 UTC
[nsd-users] CAA record for domain doesn't show information about subdomains?
On Sun, 29 Apr 2018, Vladimir Lomov wrote:

> The following example is a DNS zone file (see [RFC1035]) that informs
> CAs that certificates are not to be issued except by the holder of the
> domain name 'ca.example.net' or an authorized agent thereof. This
> policy applies to all subordinate domains under example.com.
>
> (the last paragraph on page 4), but I didn't find what should DNS return
> on request for subdomain.
>
> I would expect that request about CAA record for subdomain should return
> the same answer as for domain 'vl-lomov.ru' (if something other is not
> set for that particular subdomain it's CAA must be inherited from domain
> setting).

The job of DNS is just to publish records. It has no concept of the above RFC text. That text applies to clients that check CAA records. It is up to those implementations to properly check parental zones.

> I tried to check the CAA using dig and drill and both show that only
> vl-lomov.ru domain has CAA answer. Is it expected behaviour?

dig and drill only return DNS records. They are not CAA client implementations.

Paul
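To make Paul's point concrete, here is an added example (not part of the thread, and not NSD or any CA's code) of what a CAA client does that dig and drill do not: the RFC 6844 section 4 "climbing" lookup, where the relevant RRset for a name is the first non-empty CAA RRset found walking from the name up towards the root. The zone data is constructed in memory so the script runs offline; it mirrors the three records shown in the thread, plus a hypothetical `restricted.vl-lomov.ru` name and a placeholder iodef address. `cert.vl-lomov.ru` is treated as the CA's issuer domain only because that is the value the zone carries.

```python
"""RFC 6844 / RFC 8659 CAA "climbing" lookup as a CA-side client performs it.

Added example, not code from the nsd-users thread. The zone data below is
constructed for illustration and there is no network access.
"""
from typing import Callable, Iterator, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]   # (flags, tag, value)
Lookup = Callable[[str], List[CaaRecord]]

CRITICAL = 0x80  # "issuer critical" flag bit

# Constructed sample data: name -> CAA RRset. An empty list stands for a name
# that exists but has no CAA records, which is exactly what dig and drill
# reported for node1.vl-lomov.ru: an empty answer with the SOA in authority.
SAMPLE_ZONE = {
    "vl-lomov.ru.": [
        (0, "issue", "cert.vl-lomov.ru"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:hostmaster@example.net"),  # placeholder address
    ],
    "node1.vl-lomov.ru.": [],
    # hypothetical name that forbids all issuance below itself
    "restricted.vl-lomov.ru.": [(0, "issue", ";")],
}


def normalize(name: str) -> str:
    """Lower-case and make fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def climb(name: str) -> Iterator[str]:
    """Yield name, then each parent, ending with the root."""
    labels = [l for l in normalize(name).rstrip(".").split(".") if l]
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def lookup_sample(name: str) -> List[CaaRecord]:
    """Stand-in for a real CAA query against the constructed zone data."""
    return list(SAMPLE_ZONE.get(normalize(name), []))


def find_relevant_caa(name: str, lookup: Lookup = lookup_sample
                      ) -> Tuple[Optional[str], List[CaaRecord]]:
    """Return (origin, rrset) for the first non-empty CAA RRset found
    climbing from `name`, or (None, []) if none exists up to the root."""
    for candidate in climb(name):
        rrset = lookup(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """Issuer domain from an issue/issuewild value: the text before any ';'
    (parameters dropped). An empty result, as in ";", names no CA at all."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def issuance_allowed(fqdn: str, ca_domain: str,
                     lookup: Lookup = lookup_sample) -> bool:
    """Decide whether the CA identified by `ca_domain` may issue for `fqdn`.
    A leading "*." marks a wildcard request, for which issuewild wins over
    issue when present."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    _origin, rrset = find_relevant_caa(base, lookup)
    if not rrset:
        return True  # no CAA anywhere up the tree: no restriction
    # An unknown property marked critical means the CA must not issue.
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    permitted = [issuer_domain(v) for _, t, v in rrset if t.lower() == tag]
    if not permitted:
        return True  # no issue/issuewild property present: not restricted
    return ca_domain.lower().rstrip(".") in permitted


if __name__ == "__main__":
    for name in ("node1.vl-lomov.ru", "deep.node1.vl-lomov.ru", "example.org"):
        print(name, "->", find_relevant_caa(name))
    print("*.vl-lomov.ru by cert.vl-lomov.ru:",
          issuance_allowed("*.vl-lomov.ru", "cert.vl-lomov.ru"))
```

Run it and `node1.vl-lomov.ru` resolves to the RRset at `vl-lomov.ru.`, which is the inheritance the original question expected; it happens in the client, not in the name server. The wildcard request is refused because `issuewild ";"` names no issuer. A real client would replace `lookup_sample` with an actual (ideally DNSSEC-validating) CAA query.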