DNS Certification Authority Authorization (CAA)
Hi All,
Do you know the Certification Authority Authorization (CAA) DNS Records?
With these Records you can control which CAs are allowed to issue Certificates for your domain.
DNS Certification Authority Authorization
CAA checking has been mandatory for all certificate authorities since September 2017.
RFC 8659 DNS Certification Authority Authorization (CAA) Resource Record
These Records mean that no CA is allowed to issue Certificates or Wildcard Certificates for that Domain (an empty issuer value ";" permits nobody):
domain.tld. IN CAA 0 issue ";"
domain.tld. IN CAA 0 issuewild ";"
Only the specified CA can issue Certificates and Wildcard Certificates for that Domain:
domain.tld. IN CAA 0 issue "ca.domain.tld"
domain.tld. IN CAA 0 issuewild "ca.domain.tld"
To indicate that certificate authorities should report invalid certificate requests to an email address and a Real-time Inter-network Defense endpoint:
domain.tld. IN CAA 0 iodef "mailto:security@example.com"
domain.tld. IN CAA 0 iodef "http://iodef.example.com/"
How to query a CAA DNS Record with PowerShell (DNS over HTTPS)
$Domain = "irgendwoiminternet.ch"
# Resolve the CAA record through Google's DNS-over-HTTPS JSON API
$json = Invoke-RestMethod -Uri "https://dns.google/resolve?name=$Domain&type=CAA"
$json
$json.Answer
# The Data field holds the record in presentation format: flags tag "value"
$json.Answer.Data
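As an added example that is not part of the original post (and not code from Posh-ACME or dns.google), the following Python script parses the JSON that the dns.google query above returns and applies the RFC 8659 issue/issuewild rules from the beginning of the post to decide whether a given CA may issue. The embedded response is constructed for the example, not a real query result.

```python
import json

# Constructed sample in the shape of a dns.google/resolve?type=CAA JSON response
# (not a real query result); "data" holds the record in presentation format.
SAMPLE_RESPONSE = json.dumps({
    "Status": 0,
    "Answer": [
        {"name": "irgendwoiminternet.ch.", "type": 257, "TTL": 300,
         "data": "0 issue \"letsencrypt.org\""},
        {"name": "irgendwoiminternet.ch.", "type": 257, "TTL": 300,
         "data": "0 issuewild \";\""},
        {"name": "irgendwoiminternet.ch.", "type": 257, "TTL": 300,
         "data": "0 iodef \"mailto:postmaster@icewolf.ch\""},
    ],
})

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(doh_json):
    """Return (flags, tag, value) tuples for every CAA record in a DoH answer."""
    records = []
    for rr in json.loads(doh_json).get("Answer", []):
        if rr.get("type") != 257:          # 257 is the CAA RR type number
            continue
        flags, tag, value = rr["data"].split(" ", 2)
        records.append((int(flags), tag.lower(), value.strip('"')))
    return records


def ca_may_issue(records, ca_domain, wildcard=False):
    """RFC 8659 check for ca_domain; exact name only, no climb to parent domains."""
    # A property the CA does not understand with the critical flag (bit 128)
    # set forbids issuance outright.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # issuewild takes precedence for wildcard names; otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:                        # no restriction expressed
        return True
    for value in relevant:
        # Value is "<issuer-domain>[; params]"; ";" alone names no issuer at all.
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False
```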
I've created a CAA Record in Azure DNS for one of my Domains
Prohibit issuing Certificates for that Domain
I've created a Certificate Request with Posh-ACME to the Let's Encrypt CA. As you can see, the Certificate is not issued because of the CAA Record.
Request a Let's Encrypt Certificate with PowerShell
Install-Module Posh-ACME
# Use the Let's Encrypt production endpoint
Set-PAServer LE_PROD
# Create the ACME account with a 4096-bit key
New-PAAccount -Contact "a.bohren@icewolf.ch" -AcceptTOS -KeyLength 4096
# Order the certificate; -DnsSleep waits for the DNS challenge record to propagate
New-PACertificate edge.serveralive.ch -AcceptTOS -Contact "a.bohren@icewolf.ch" -DnsSleep 15
Let's change the CAA Record
The CAA Record now looks like this.
irgendwoiminternet.ch. IN CAA 0 issue "letsencrypt.org"
irgendwoiminternet.ch. IN CAA 0 issuewild ";"
irgendwoiminternet.ch. IN CAA 0 iodef "mailto:postmaster@icewolf.ch"
The only question is: where do you get the CAA issuer domain for your CA?
I just googled it: https://letsencrypt.org/docs/caa/
Query the CAA DNS Record again with PowerShell (DNS over HTTPS)
$Domain = "irgendwoiminternet.ch"
$json = Invoke-RestMethod -Uri "https://dns.google/resolve?name=$Domain&type=CAA"
$json
$json.Answer
$json.Answer.Data
Now I am able to issue the Certificate from Let's Encrypt
New-PACertificate edge.serveralive.ch -AcceptTOS -Contact "a.bohren@icewolf.ch" -DnsSleep 15
The Certificate can be found here:
C:\Users\Administrator.CORP\AppData\Local\Posh-ACME\LE_PROD\901745977\demo.irgendwoiminternet.ch
Regards
Andres Bohren