[nsd-users] CAA record for domain doesn't show information about subdomains?
Vladimir Lomov
lomov.vl at yandex.ru
Sun Apr 29 02:54:56 UTC 2018
Hello,
I'm using the latest NSD (4.1.20) and have configured a CAA record for my domain
(vl-lomov.ru), but it seems that a query for the CAA of subdomains doesn't
return the expected results, as it does for the domain vl-lomov.ru.
I checked the RFC (https://tools.ietf.org/html/rfc6844) and found this
statement:
The following example is a DNS zone file (see [RFC1035]) that informs
CAs that certificates are not to be issued except by the holder of the
domain name 'ca.example.net' or an authorized agent thereof. This
policy applies to all subordinate domains under example.com.
(the last paragraph on page 4), but I didn't find what DNS should return
on a request for a subdomain.
I would expect that a request for the CAA record of a subdomain should return
the same answer as for the domain 'vl-lomov.ru' (if nothing else is
set for that particular subdomain, its CAA must be inherited from the domain
setting).
I tried to check the CAA using dig and drill, and both show that only the
vl-lomov.ru domain has a CAA answer. Is it expected behaviour?
-------------------- 8< ---------------------
$ drill node1.vl-lomov.ru CAA | grep -v '^;'
vl-lomov.ru. 1042 IN SOA ns1.vl-lomov.ru. lomovp.yandex.ru. 2018042901 14400 7200 1209600 1800
-------------------- 8< ---------------------
$ drill vl-lomov.ru CAA | grep -v '^;;'
vl-lomov.ru. 37524 IN CAA 0 issue "cert.vl-lomov.ru"
vl-lomov.ru. 37524 IN CAA 0 issuewild ";"
vl-lomov.ru. 37524 IN CAA 0 iodef "mailto:lomov.vl at yandex.ru"
vl-lomov.ru. 37524 IN NS ns1.vl-lomov.ru.
vl-lomov.ru. 37524 IN NS ns2.vl-lomov.ru.
vl-lomov.ru. 37524 IN NS ns3.vl-lomov.ru.
ns1.vl-lomov.ru. 37524 IN A 185.185.68.15
ns2.vl-lomov.ru. 37524 IN A 88.99.227.228
ns3.vl-lomov.ru. 37524 IN A 217.182.71.250
ns1.vl-lomov.ru. 37524 IN AAAA 2a0a:2b40::4:140
ns2.vl-lomov.ru. 37524 IN AAAA 2a01:4f8:c0c:14c9::2
ns3.vl-lomov.ru. 37524 IN AAAA 2001:41d0:401:3100::36f3
-------------------- 8< ---------------------
$ dig node1.vl-lomov.ru CAA | grep -v '^;'
vl-lomov.ru. 1800 IN SOA ns1.vl-lomov.ru. lomovp.yandex.ru. 2018042901 14400 7200 1209600 1800
-------------------- 8< ---------------------
$ dig vl-lomov.ru CAA | grep -v '^;'
vl-lomov.ru. 43200 IN CAA 0 issue "cert.vl-lomov.ru"
vl-lomov.ru. 43200 IN CAA 0 issuewild "\;"
vl-lomov.ru. 43200 IN CAA 0 iodef "mailto:lomov.vl at yandex.ru"
-------------------- 8< ---------------------
Thanks in advance,
Vladimir Lomov
--
The bomb will never go off. I speak as an expert in explosives.
-- Admiral William Leahy, U.S. Atomic Bomb Project
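For readers with the same question: RFC 6844 section 4 puts the walk from a name up through its parents on the certificate authority's side, not the name server's, so an authoritative server answering NODATA (SOA only, as in the drill/dig output above) for node1 is the expected behaviour. The Python below is an added example, not the poster's or NSD's code: the ZONE data is constructed from the records shown in the post (the iodef address is a placeholder), and the RFC's CNAME alias step is omitted since none of these names are aliases.

```python
"""Relevant CAA set lookup as a CA performs it (RFC 6844 section 4, tree-climbing)."""
from typing import Dict, List, Optional, Tuple

# A CAA record is (flags, tag, value). Constructed zone data mirroring the
# records from the post; node1 has no CAA records of its own (NODATA).
CAA = Tuple[int, str, str]
ZONE: Dict[str, List[CAA]] = {
    "vl-lomov.ru": [
        (0, "issue", "cert.vl-lomov.ru"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:caa-reports@example.invalid"),  # placeholder address
    ],
    "node1.vl-lomov.ru": [],
}

def parent(name: str) -> Optional[str]:
    """P(X) from RFC 6844: drop the leftmost label; None once the root is reached."""
    return name.split(".", 1)[1] if "." in name else None

def relevant_caa_set(name: str, zone: Dict[str, List[CAA]]) -> Tuple[Optional[str], List[CAA]]:
    """Return (owner, records) of the first non-empty CAA RRset found while
    climbing from `name` toward the root, or (None, []) if none exists.
    The alias (CNAME/DNAME) step of the RFC is omitted; names here are not aliases."""
    node: Optional[str] = name.rstrip(".").lower()
    while node is not None:
        rrset = zone.get(node, [])
        if rrset:
            return node, rrset
        node = parent(node)
    return None, []

def ca_may_issue(name: str, ca: str, zone: Dict[str, List[CAA]], wildcard: bool = False) -> bool:
    """Evaluate issue/issuewild from the relevant set for CA identifier `ca`.
    issuewild governs wildcard requests when present, otherwise issue applies;
    a value of ';' names no CA, so nobody may issue. No relevant set, or no
    record with the governing tag, means this property does not restrict issuance."""
    _, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    # The CA identifier is the part before any ';' parameters, e.g. "ca.example; account=1".
    allowed = [v.split(";")[0].strip() for _, t, v in rrset if t == tag]
    if not allowed:
        return True
    return ca in allowed
```

Running it against the constructed zone shows node1.vl-lomov.ru (and any deeper name) resolving to the vl-lomov.ru policy: only cert.vl-lomov.ru may issue, and wildcard issuance is refused for everyone.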