[nsd-users] CAA record for domain doesn't show information about subdomains?

Paul Wouters paul at nohats.ca
Sun Apr 29 16:41:51 UTC 2018


On Sun, 29 Apr 2018, Vladimir Lomov wrote:

>  The following example is a DNS zone file (see [RFC1035]) that informs
>  CAs that certificates are not to be issued except by the holder of the
>  domain name 'ca.example.net' or an authorized agent thereof.  This
>  policy applies to all subordinate domains under example.com.
>
> (the last paragraph on page 4), but I didn't find what DNS should return
> on a request for a subdomain.
>
> I would expect that a request for the CAA record of a subdomain should return
> the same answer as for the domain 'vl-lomov.ru' (if nothing else is
> set for that particular subdomain, its CAA must be inherited from the domain
> setting).

The job of DNS is just to publish records. It has no concept of the
above RFC text. That text applies to clients that check CAA records.
It is up to those implementations to properly check parental zones.

> I tried to check the CAA using dig and drill and both show that only
> vl-lomov.ru domain has CAA answer. Is it expected behaviour?

dig and drill only return DNS records. They are not CAA client
implementations.

Paul
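Paul's point is that the walk up to the parent zone is the CAA client's job, not the resolver's or dig's. The following is an added example, not code from this thread or from NSD: a minimal CAA client per RFC 6844 section 4 that climbs from a name toward the root over constructed zone data, where only vl-lomov.ru publishes CAA (the issuer 'ca.example.net' is taken from the quoted RFC text; the iodef address is made up).

```python
# Added example (not from the nsd-users thread): the RFC 6844 "tree climb"
# a CAA client performs, run against constructed zone data instead of live
# DNS. Only vl-lomov.ru carries CAA; its subdomains answer empty, exactly
# what dig/drill showed, yet the parent's policy still governs them.
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]           # (flags, tag, value)

# Constructed answers keyed by owner name (no trailing dot).
ZONE: Dict[str, List[CAARecord]] = {
    "vl-lomov.ru": [(0, "issue", "ca.example.net"),
                    (0, "iodef", "mailto:security@vl-lomov.ru")],
}

def lookup_caa(owner: str) -> List[CAARecord]:
    """Stand-in for a CAA query; real code would ask a validating resolver."""
    return ZONE.get(owner, [])

def relevant_caa(name: str) -> Tuple[str, List[CAARecord]]:
    """Walk from `name` toward the root; return (owner, rrset) of the
    first non-empty CAA set, or ("", []) if no ancestor publishes CAA."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = lookup_caa(owner)
        if rrset:
            return owner, rrset
    return "", []

def ca_may_issue(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Apply the relevant set: issuewild governs wildcard requests when
    present, otherwise issue; a bare ';' value forbids every issuer."""
    _, rrset = relevant_caa(name)
    tags = {t for _, t, _ in rrset}
    if wildcard and "issuewild" in tags:
        tag = "issuewild"
    elif "issue" in tags:
        tag = "issue"
    else:
        return True                       # no issue-type rule: unrestricted
    for _, t, value in rrset:
        if t != tag:
            continue
        issuer = value.split(";", 1)[0].strip().lower()   # drop parameters
        if issuer and issuer == ca_domain.lower():
            return True
    return False
```

A query for `www.vl-lomov.ru` returns no CAA records, but `relevant_caa` finds the set at `vl-lomov.ru`, so only `ca.example.net` is permitted to issue for the subdomain.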


