[Pdns-users] CAA Records

Steve Atkins steve at blighty.com
Sun Aug 13 18:03:10 UTC 2017 

> On Aug 13, 2017, at 10:40 AM, Curtis Maurand <curtis at maurand.com> wrote:
> 
> Hello,
> I have a ton of websites running letsencrypt.  That's great, I like it, but starting in April they started requiring CAA records.  A new record to be sure and, according to the docs, it is supported.  There is nothing in the docs about how to construct the record.  
> 
> I'm running PDNS 4.04 which I compiled from the sources on Ubuntu 16.04  
> 
> I've tried adding the record directly into the database by sql. head for a caa checker and no dice.
>                      
> I've added the record so far as:  
> 
> deacon.xyonet.com       3600    IN      CAA     0 issue "letsencrypt.org"
> 
> I've entered in this generic way.  There is no documentation that says to format it any differently for pdns.
> 
> I had to change my primary DNS server late last night, should I just wait another day or two for this all to settle down?   I haven't reconciled the dnssec piece, yet.  Just trying to get website going after a not so very smooth migration that's just been trouble all the way.
> 
> The tools that I've found (nslookup, dig, etc) so far don't allow me to query  CAA records.  the pdns-util parser is telling me the record is OK, but at this point, since none of the online tools can look it up, I'm thinking their might be something that I'm doing wrong.
> 
> If anyone has any advice on how to proceed, that would be greatly appreciated.

You can use "dig @23.111.169.69 deacon.xyonet.com type257" if you have a dig too old to know about CAA.

But not having dnssec working is _the_ problem. Your domain is down as far as people using dnssec are concerned. CAA assumes you're using dnssec, so letsencrypts checker and the online tools are going to be seeing servfails as they'll be using dnssec-aware resolvers.

You might find http://dnsviz.net/d/deacon.xyonet.com/analyze/ useful to fix the dnssec problems, then https://unboundtest.com to see what your DNS looks like from a letsencrypt-ish resolver.

Cheers,
  Steve

More information about the Pdns-users mailing list