jd440
April 26, 2018, 3:50am
1
Hi,
Migrating to HTTPS with Let's Encrypt, I have a question about CAA.
Checking on https://www.ssllabs.com/ssltest/ I noticed a warning about CAA.
But my server is running BIND 9.9.5, and CAA isn't supported.
So I have the alternative of using TYPE257.
But I can't understand the difference between TYPE257 and CAA?
1 Like
rg305
April 26, 2018, 3:57am
2
I don’t think Bind 9.9.5 supports CAA/Type257.
You could upgrade to 9.9.6.
Or just ignore the SSL Labs “warning” as it is not yet a requirement.
In case you do get CAA: https://letsencrypt.org/docs/caa/
EDIT: Apparently Bind 9.9.5 can “support” CAA: https://tools.ietf.org/html/rfc3597
1 Like
jd440
April 26, 2018, 4:05am
3
Bind seems to only support TYPE257.
Is there a difference between CAA and TYPE257?
rg305
April 26, 2018, 4:26am
4
No.
CAA is type 257.
It shows as type 257 when CAA is not a known/defined type.
1 Like
JoyalV
April 26, 2018, 4:26am
5
https://sslmate.com/caa/
You can generate CAA there
2 Likes
rg305
April 26, 2018, 4:28am
6
When you can’t add it as CAA:
YOUR.com. IN TYPE257 \# 22 000569737375656C657473656E63727970742E6F7267
NOTE: “000569737375656C657473656E63727970742E6F7267” is for LetsEncrypt.org
You should use the generator and add the RFC3597 syntax.
2 Likes
schoen
April 26, 2018, 4:15pm
8
This works because the DNS RR types are numeric (represented as numbers) in the DNS protocol, whereas they're displayed to human beings as textual values that are defined by Internet standards. For example, a query or response related to a host address (A) record is represented in the conversation between computers as the number 1. New ones can be added over time, but old software doesn't know about them.
The complete current list is
https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4
Maybe someday it will include other new ones that we don't know about yet.
2 Likes
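An added example, not part of the original thread: the RFC 3597 line in post 6 is just the CAA wire format (one flags byte, one tag-length byte, the tag, then the value) written as hex, so it can be generated and checked by hand before loading the zone. The function names here are hypothetical; the record values are the ones quoted in the thread.

```python
def caa_to_rfc3597(name, flags, tag, value):
    """Build an RFC 3597 unknown-type zone line for a CAA (type 257) record."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_b = tag.encode("ascii")
    if not tag.isalnum() or not 1 <= len(tag_b) <= 255:
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    # CAA RDATA: flags (1 byte) | tag length (1 byte) | tag | value
    rdata = bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")
    # RFC 3597 generic syntax: \# <RDATA length in bytes> <RDATA as hex>
    return f"{name} IN TYPE257 \\# {len(rdata)} {rdata.hex().upper()}"


def rfc3597_to_caa(rdata_text):
    """Decode '\\# <len> <hex>' back to (flags, tag, value) for review."""
    parts = rdata_text.split()
    if len(parts) < 3 or parts[0] != "\\#":
        raise ValueError("not RFC 3597 generic RDATA")
    raw = bytes.fromhex("".join(parts[2:]))
    # A wrong length field makes the name server reject the record,
    # so catch the mismatch here first.
    if len(raw) != int(parts[1]):
        raise ValueError("declared length does not match hex data")
    if len(raw) < 2:
        raise ValueError("RDATA too short for a CAA record")
    flags, tag_len = raw[0], raw[1]
    if tag_len == 0 or 2 + tag_len > len(raw):
        raise ValueError("tag length out of range")
    tag = raw[2:2 + tag_len].decode("ascii")
    value = raw[2 + tag_len:].decode("ascii")
    return flags, tag, value


if __name__ == "__main__":
    # Reproduces the record from the thread (owner name as written there).
    line = caa_to_rfc3597("YOUR.com.", 0, "issue", "letsencrypt.org")
    print(line)
    print(rfc3597_to_caa(line.split("TYPE257 ", 1)[1]))
```

Decoding a generated or copied line before reloading the zone confirms that the CA named in the record is the one intended to issue for the domain.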