In the advanced zone editor the possibility to add a CAA record
Add support for CAA DNS records (type 257)
Completed
As a server administrator I would like cPanel to provide support for CAA DNS records, to increase server security by defining which certificate authorities are authorized to issue certificates for my domain.
This is now public, and available in v66 in the CURRENT tier! Get a quick overview of all the improvements on the version 66 Release Site. If you have questions, feel free to join me for the next hour or so in this public hipchat room:
https://www.hipchat.com/gQ7xUUD7i
Thanks for the suggestion! Currently, it looks like those records are only supported in PowerDNS 4.0+ and Bind 9.9.6:
https://doc.powerdns.com/md/types/#caa
ftp://ftp.isc.org/isc/bind/9.9.6/RELEASE-NOTES-BIND-9.9.6.txt
For Bind, we use the OS-provided version and CentOS 7 only ships with Bind 9.9.4. We currently ship PowerDNS 3.4. While upgrading the version of PowerDNS that we ship is an option, it's not one we've considered yet, and it's unknown how much development resources would be needed. At the very minimum it's non-trivial. Currently we don't see getting to this for a while, but as soon as we do we'll make sure to keep this in mind!
Benny, thanks! It's a good marker for an eventual future add.
That being said, it may be possible sooner. You can add arbitrary record types to BIND and NSD, using RFC 3597 syntax:
example.com. TYPE257 \# 8 000569737375653B
And really, it would be a pretty great add, and allow early adopters to do all sorts of things quickly without feature requests, by adding support in the UI for adding custom DNS record types by number. That seems like a separate feature request to me; I will make that.
Part of my motivation is that the latest version of the Qualys SSL Labs Server test now checks for the existence of CAA records:
https://blog.qualys.com/ssllabs/2017/01/13/whats-new-ssl-labs-1-26-5
Note also that it's definitely a work in progress at the CA end of support. People can track progress here, and also learn about CAA generally:
https://sslmate.com/labs/caa/
Thanks again!
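The generic record in the post above is CAA RDATA (RFC 6844: one flags octet, one tag-length octet, the tag, then the value) written in RFC 3597 `\# <length> <hex>` form, which is how you can carry it in a zone file on a BIND or PowerDNS build that does not know type 257 yet. The following is an added example, not code from the post or from cPanel: it encodes and decodes CAA RDATA, renders and parses the RFC 3597 line, and includes a deliberately simplified `issue_allowed` check of the kind a CA performs (no `issuewild` handling, no climbing the DNS tree to parent names). The owner name `example.com.` and the sample record are taken from the post; the `letsencrypt.org` record is constructed here for illustration.

```python
import binascii

# Constructed sample input: the RFC 3597 generic record from the post above,
# with the spacing the syntax requires ("\# <length> <hex>").
SAMPLE_RFC3597 = r"example.com. TYPE257 \# 8 000569737375653B"


def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """Build CAA RDATA (RFC 6844 s.5.1): flags(1) tag-len(1) tag value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not tag_b.isalnum() or not 1 <= len(tag_b) <= 255:
        raise ValueError("tag must be 1..255 alphanumeric ASCII characters")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def decode_caa(rdata: bytes) -> tuple:
    """Inverse of encode_caa; rejects truncated RDATA instead of guessing."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA shorter than flags + tag length")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("CAA tag length does not fit in RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def to_rfc3597(owner: str, rdata: bytes, rrtype: int = 257) -> str:
    """Render RDATA as an RFC 3597 generic record line (class omitted, as in the post)."""
    return f"{owner} TYPE{rrtype} \\# {len(rdata)} {rdata.hex().upper()}"


def from_rfc3597(line: str) -> tuple:
    """Parse '<owner> [IN] TYPE<n> \\# <len> <hex...>' and verify the declared length."""
    fields = line.split()
    if "IN" in fields:          # the class field is optional in zone-file text
        fields.remove("IN")
    owner, typ, marker, length, *hexparts = fields
    if not typ.upper().startswith("TYPE") or marker != r"\#":
        raise ValueError("not an RFC 3597 generic record")
    try:
        rdata = bytes.fromhex("".join(hexparts))
    except ValueError as exc:
        raise ValueError("hex payload is malformed") from exc
    if len(rdata) != int(length):
        raise ValueError(f"declared length {length} != actual {len(rdata)}")
    return owner, int(typ[4:]), rdata


def issue_allowed(rdatas: list, ca: str) -> bool:
    """Simplified CA-side check (RFC 6844 s.4): once any 'issue' property is
    present on the name, only the CAs it lists may issue; a value of ';'
    lists nobody. 'issuewild' and the parent-name lookup are out of scope."""
    issuers = [v for f, t, v in map(decode_caa, rdatas) if t.lower() == "issue"]
    if not issuers:
        return True  # no 'issue' property at all: CAA does not restrict issuance
    # value is "<ca-domain>[; parameters]"; a bare ";" yields an empty domain
    return any(v.split(";", 1)[0].strip().lower() == ca.lower() for v in issuers)


if __name__ == "__main__":
    owner, rrtype, rdata = from_rfc3597(SAMPLE_RFC3597)
    print(owner, rrtype, decode_caa(rdata))
    print(to_rfc3597("example.com.", encode_caa(0, "issue", "letsencrypt.org")))
```

Decoding the post's hex gives flags 0, tag `issue`, value `;`, which is the "no CA may issue for this name" record; swap the value for a CA's domain to authorize that CA instead.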
This could be a feature that is only available with PowerDNS, as it already happens with DNSSEC.
I, like Royce, am very interested since Qualys now tests for a CAA record on the SSL test.
Excellent idea. Would it be possible for BIND?
I really hope you guys are working on this. The future of the web is HTTPS and a very important next step that is missing from cPanel's side at the moment is CAA records.
The CA/Browser Forum has announced that CAA records will be mandated by September 2017.
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
So this is becoming of high importance to implement, especially since we have AutoSSL and more and more websites with cPanel are now using Comodo and Let's Encrypt certs.
Hey all! I just wanted to say that we saw the news, but haven't finalized anything internally yet. I'll be back with an update as soon as I have one.
For older PowerDNS and BIND versions you can specify unknown DNS record types according to RFC 3597.
Come on guys and dolls, this may well be mandatory by September 2017
Just a quick update and clarification: one of our feature teams will hopefully be evaluating getting CAA records added to the Zone Editor soon.
Just to clarify one point, to make sure everyone's on the same page: the CAA entries being in the zone files will not be mandatory in September, but CAs checking and verifying any CAA zone entries may be required.
I'll update again as soon as there are any further developments!
One of our feature teams has been working on getting this added to the Zone Editor. It's currently aimed for version 68, since we have already completed feature development for version 66. Our goal is to backport the updates to version 66, allowing users to have this as part of the zone editor before the mandatory verification of any existing CAA records comes into play. There are many potential technical limitations to that, however, so I can't make any promises at this time. If you have questions, feel free to let me know!
Good news everyone! We were able to get support for CAA records added to version 66, and you can test that support as of version 66.0.4, which is now in the EDGE tier:
Implemented case CPANEL-14598: Update the addzonerecord and editzonerecord WHM API calls to support CAA records.
Implemented case CPANEL-14598: Update the "Zone Editor" cPanel interface to support CAA records.
Implemented case CPANEL-14598: Update the "Edit DNS Zone" WHM interface to support CAA records.
Implemented case CPANEL-14598: Avoid using 'xml-api' when configuring NS records in WHM.
Implemented case CPANEL-14598: Update the DNS Zone parser to understand CAA records.
We're hoping to release version 66 to the CURRENT tier the week of July 24th. If you have questions in the meantime, let me know!