Add CAA/type257


#1

Hi,

Migrate to https, with letsencrypt I got question about CAA

Checking on https://www.ssllabs.com/ssltest/I notice a warning about CAA
But my serving running with bind 9.9.5, caa isn’t support.

So i have the alternative to use TYPE257
But i can’t understand difference between TYPE257 and CAA?


#2

I don’t think Bind 9.9.5 supports CAA/Type257.
You could upgrade to 9.9.6.
Or just ignore the SSL Labs “warning” as it is not yet a requirement.

In case you do get CAA: https://letsencrypt.org/docs/caa/

EDIT: Apparently Bind 9.9.5 can “support” CAA: https://tools.ietf.org/html/rfc3597


#3

Bind seems to only supports type257
is there difference between CAA and TYPE257?


#4

No.
CAA is type 257.
It shows as type 257 when CAA is not a known/defined type.


#5

https://sslmate.com/caa/

You can generate CAA there


#6

When you can’t add it as CAA:
YOUR.com. IN TYPE257 \# 22 000569737375656C657473656E63727970742E6F7267

NOTE: “000569737375656C657473656E63727970742E6F7267” is for LetsEncrypt.org
You should use the generator and add the RFC3597 syntax.


#7

Thanks,
I will try it


#8

This works because the DNS RR types are numeric (represented as numbers) in the DNS protocol, whereas they’re displayed to human beings as textual values that are defined by Internet standards. For example, a query or response related to a host address (A) record is represented in the conversation between computers as the number 1. New ones can be added over time, but old software doesn’t know aobut them.

The complete current list is

https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4

Maybe someday it will include other new ones that we don’t know about yet. :slight_smile:


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.