Additional DNS record (RR) types (specifically CERT, OPENPGP, SMIMEA, TLSA and URI)
As a System Administrator, I would like additional DNS record RR types to be added to the WHM/Cpanel interfaces so that new records can be added for additional functionality.
At the moment, it is not possible to add the following DNS record types (I haven't checked all of them, just the ones I'm interested in):
CERT
- Record type 37
- Defined in: RFC 4398 'Proposed Standard'
- Purpose: Allows certificates to be published (including PGP, X.509/S/MIME and IPSec). Has 4 fields (type, key tag, algorithm, certificate).
- Example:
myname.example.com IN CERT PGP 0 0 mDMEYo0B+RYJ....
- Listed by Cpanel/Net/DNS/ZoneFile/LDNS: Yes
- Listed by Cpanel/ZoneFile: No
- Entry in: 3rdparty...Net/RR: Yes
OPENPGPKEY
- Record type 61
- Defined in: RFC 7929 'Experimental'
- Purpose: Allows OpenPGP keys to be published. (See also Weberblog.net). Suggested for use for .well-known/security.txt in RFC9116.
- Example:
39[..]d6._openpgpkey.example.com. IN OPENPGPKEY 1d4b....
- Listed by Cpanel/Net/DNS/ZoneFile/LDNS: Yes
- Listed by Cpanel/ZoneFile: No
- Entry in: 3rdparty...Net/RR: Yes
SMIMEA
- Record type 53
- Defined in: RFC 8162 'Experimental'
- Purpose: Associates an S/MIME certificate with a domain name
- Example:
39[..]d6._smimecert.example.com. IN SMIMEA 1d4b....
- Listed by Cpanel/Net/DNS/ZoneFile/LDNS: Yes
- Listed by Cpanel/ZoneFile: No
- Entry in: 3rdparty...Net/RR: Yes
Both OPENPGPKEY and SMIMEA:
These are similar in that the DNS label is a SHA-256 hash of the user's email address (UTF-8), truncated to 28 octets, followed by either "_openpgpkey.[domain]" or "_smimecert.[domain]". The value of the record is the base64-encoded public key/certificate. However, if cPanel/WHM just allowed users/admins to enter "arbitrary text" as the label and value, this would "do for now".
TLSA
- Record type 52
- Defined in: RFC 6698 'Proposed Standard'
- Purpose: Allows TLS server certificates to be associated with a domain. Configuration is similar to that of CAA/cert records (see Wikipedia's TLSA RR entry vs CAA RR entry) in that it has 4 fields (certificate usage [0 to 3], selector [0 or 1], matching type [0 to 2] and certificate association data [raw data or hash]).
- Example:
_443._tcp.www.example.com. IN TLSA ( 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971 )
- Listed by Cpanel/Net/DNS/ZoneFile/LDNS: Yes
- Listed by Cpanel/ZoneFile: No
- Entry in: 3rdparty...Net/RR: Yes
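As an added example (not part of this request or of cPanel's code), the following Python builds the owner names described above for OPENPGPKEY/SMIMEA and the RDATA for TLSA, and checks a presented certificate against a published TLSA record. Per RFC 7929/8162 the hash covers the local part (left of the "@") of the address; the certificate bytes used are constructed and not a real DER certificate, and only selector 0 (full certificate) is handled because selector 1 needs an ASN.1 parser.

```python
import hashlib

# Owner names for OPENPGPKEY (RFC 7929) and SMIMEA (RFC 8162): SHA-256 over the UTF-8
# local part of the address, truncated to 28 octets and written as 56 lowercase hex digits.
def hashed_local_part(email: str):
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return label, domain.rstrip(".").lower()

def openpgpkey_owner(email: str) -> str:
    label, domain = hashed_local_part(email)
    return f"{label}._openpgpkey.{domain}."

def smimea_owner(email: str) -> str:
    label, domain = hashed_local_part(email)
    return f"{label}._smimecert.{domain}."

# TLSA (RFC 6698): usage 0-3, selector 0 = full certificate / 1 = SubjectPublicKeyInfo,
# matching type 0 = raw data / 1 = SHA-256 / 2 = SHA-512. SMIMEA RDATA has the same shape.
def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    return f"_{port}._{proto}.{host.rstrip('.')}."

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, matching: int) -> str:
    if usage not in range(4) or selector not in (0, 1) or matching not in range(3):
        raise ValueError("usage 0-3, selector 0-1, matching type 0-2")
    if selector == 1:
        raise NotImplementedError("selector 1 (SPKI) requires DER parsing of the certificate")
    if matching == 0:
        assoc = cert_der.hex()
    elif matching == 1:
        assoc = hashlib.sha256(cert_der).hexdigest()
    else:
        assoc = hashlib.sha512(cert_der).hexdigest()
    return f"{usage} {selector} {matching} {assoc}"

def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Does a presented DER certificate satisfy a published TLSA record (selector 0 only)?"""
    usage, selector, matching, assoc = rdata.split(None, 3)
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(matching))
    # Zone files may split the hex across whitespace, as in the example above.
    return expected.split()[3] == assoc.replace(" ", "").lower()

if __name__ == "__main__":
    sample_cert = b"abc"  # constructed stand-in for DER bytes, not a real certificate
    print(openpgpkey_owner("abc@example.com"), "IN OPENPGPKEY <base64 key>")
    print(smimea_owner("abc@example.com"), "IN SMIMEA", tlsa_rdata(sample_cert, 3, 0, 1))
    rr = tlsa_rdata(sample_cert, 3, 0, 1)
    print(tlsa_owner("www.example.com", 443), "IN TLSA", rr)
    print("presented cert matches record:", tlsa_matches(sample_cert, rr))
```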
URI
- Record type 256
- Defined in: RFC 7553 'Informational'
- Purpose: Allows mappings from hostnames to URIs. Similar to SRV record types (Wikipedia's URI RR entry vs CAA RR entry) in that it has 3 fields (priority, weight and target).
- Example:
_ftp._tcp IN URI 10 1 "ftp://ftp1.example.com/public"
- Listed by Cpanel/Net/DNS/ZoneFile/LDNS: Yes
- Listed by Cpanel/ZoneFile: No
- Entry in: 3rdparty...Net/RR: Yes
Additional:
Ideally access to these should be controlled by "Feature Manager" although I cannot see any major problems with them being accessible to cPanel users who have zone editing rights by default (possibly an incorrect TLSA may block their email or similar, but that's just about the highest risk factor I can see).
See also:
* Feature request: Asking for PTR records to be available.
* Feature request: Allow new DNS record types by number
* Feature request: Add support for CAA DNS records (type 257) - added in v66