dnscontrol/documentation/functions/domain/CAA_BUILDER.md
llange edf047102b
FEATURE: CAA_BUILDER: add issue_critical and issuewild_critical (#2728)
Co-authored-by: Tom Limoncelli <tlimoncelli@stackoverflow.com>
2023-12-18 09:35:10 -05:00

---
name: CAA_BUILDER
parameters:
  - label
  - iodef
  - iodef_critical
  - issue
  - issue_critical
  - issuewild
  - issuewild_critical
parameters_object: true
parameter_types:
  label: string?
  iodef: string
  iodef_critical: boolean?
  issue: string[]
  issue_critical: boolean?
  issuewild: string[]
  issuewild_critical: boolean?
---

DNSControl contains a CAA_BUILDER which makes it simple to create CAA() records for your domains. Instead of creating each CAA() record individually, you configure your report mail address and the authorized certificate authorities, and the builder takes care of the rest.

## Example

### Simple example

{% code title="dnsconfig.js" %}
```javascript
CAA_BUILDER({
  label: "@",
  iodef: "mailto:test@example.com",
  iodef_critical: true,
  issue: [
    "letsencrypt.org",
    "comodoca.com",
  ],
  issuewild: "none",
})
```
{% endcode %}

CAA_BUILDER() builds multiple records:

{% code title="dnsconfig.js" %}
```javascript
CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
CAA("@", "issue", "letsencrypt.org")
CAA("@", "issue", "comodoca.com")
CAA("@", "issuewild", ";")
```
{% endcode %}

which in turn yield the following records:

```
@ 300 IN CAA 128 iodef "mailto:test@example.com"
@ 300 IN CAA 0 issue "letsencrypt.org"
@ 300 IN CAA 0 issue "comodoca.com"
@ 300 IN CAA 0 issuewild ";"
```

### Example with CAA_CRITICAL flag on all records

The same example can be enriched with CAA_CRITICAL on all records:

{% code title="dnsconfig.js" %}
```javascript
CAA_BUILDER({
  label: "@",
  iodef: "mailto:test@example.com",
  iodef_critical: true,
  issue: [
    "letsencrypt.org",
    "comodoca.com",
  ],
  issue_critical: true,
  issuewild: "none",
  issuewild_critical: true,
})
```
{% endcode %}

CAA_BUILDER() then builds the same records, all with the CAA_CRITICAL flag set:

{% code title="dnsconfig.js" %}
```javascript
CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL)
CAA("@", "issue", "comodoca.com", CAA_CRITICAL)
CAA("@", "issuewild", ";", CAA_CRITICAL)
```
{% endcode %}

which in turn yield the following records:

```
@ 300 IN CAA 128 iodef "mailto:test@example.com"
@ 300 IN CAA 128 issue "letsencrypt.org"
@ 300 IN CAA 128 issue "comodoca.com"
@ 300 IN CAA 128 issuewild ";"
```

## Parameters

* `label`: The label of the CAA record. (Optional. Default: `"@"`)
* `iodef`: Report all violations to the configured mail address.
* `iodef_critical`: `true` or `false`. If enabled and the CA does not support this record, certificate issuance will be refused. (Optional. Default: `false`)
* `issue`: An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs.)
* `issue_critical`: `true` or `false`. If enabled and the CA does not support this record, certificate issuance will be refused. (Optional. Default: `false`)
* `issuewild`: An array of CAs which are allowed to issue wildcard certificates. (Can simply be `"none"` to refuse wildcard certificate issuance by all CAs.)
* `issuewild_critical`: `true` or `false`. If enabled and the CA does not support this record, certificate issuance will be refused. (Optional. Default: `false`)
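To make the expansion in the two examples above and the parameter semantics concrete, here is an added, stand-alone model of what CAA_BUILDER() produces. This is example code written for this page, not DNSControl's own implementation: `caaBuilder()` and `toZoneLines()` are hypothetical helpers that take the documented parameter object and return plain record objects, mapping `"none"` to the `";"` value and each `*_critical` flag to the 128 flags byte, exactly as the outputs on this page show.

```javascript
// Added example, not DNSControl's own code: a stand-alone model of what
// CAA_BUILDER() expands to. caaBuilder() and toZoneLines() are hypothetical
// helpers; they accept the parameter object this page documents and return
// the CAA records the builder would emit, with the flags byte set to
// 128 (critical) or 0, and ";" as the value that authorises no CA.

const CAA_CRITICAL = 128;

// Normalise a parameter into the list of CAA values to emit:
// undefined -> nothing, "none" -> [";"], a string -> [string], an array as-is.
function toValues(param) {
  if (param === undefined || param === null) return [];
  if (param === "none") return [";"];
  return Array.isArray(param) ? param.slice() : [param];
}

// Expand one CAA_BUILDER() parameter object into plain record objects.
function caaBuilder(opts) {
  if (!opts || typeof opts !== "object") {
    throw new TypeError("caaBuilder expects a parameter object");
  }
  const label = opts.label === undefined ? "@" : opts.label;
  const records = [];
  const add = (tag, value, critical) =>
    records.push({ label, flags: critical ? CAA_CRITICAL : 0, tag, value });

  if (opts.iodef !== undefined) add("iodef", opts.iodef, Boolean(opts.iodef_critical));
  for (const ca of toValues(opts.issue)) add("issue", ca, Boolean(opts.issue_critical));
  for (const ca of toValues(opts.issuewild)) add("issuewild", ca, Boolean(opts.issuewild_critical));
  return records;
}

// Render the records as the zone-file lines shown on this page.
// The TTL of 300 is taken from the page's output; it is not part of the builder.
function toZoneLines(records, ttl = 300) {
  return records.map((r) => `${r.label} ${ttl} IN CAA ${r.flags} ${r.tag} "${r.value}"`);
}

// Constructed input: the page's "Simple example".
const simple = caaBuilder({
  label: "@",
  iodef: "mailto:test@example.com",
  iodef_critical: true,
  issue: ["letsencrypt.org", "comodoca.com"],
  issuewild: "none",
});

// Constructed input: the same policy with every critical flag set.
const allCritical = caaBuilder({
  label: "@",
  iodef: "mailto:test@example.com",
  iodef_critical: true,
  issue: ["letsencrypt.org", "comodoca.com"],
  issue_critical: true,
  issuewild: "none",
  issuewild_critical: true,
});

console.log(toZoneLines(simple).join("\n"));
console.log(toZoneLines(allCritical).join("\n"));
```

Running the block prints the two record sets shown above. Keeping the expansion in a function makes it easy to diff a proposed builder call against the zone you expect before `dnscontrol push` changes the live CAA policy.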