[nsd-users] CAA record for domain doesn't show information about subdomains?

Vladimir Lomov lomov.vl at yandex.ru
Sun Apr 29 23:59:08 UTC 2018

** Paul Wouters [2018-04-29 12:41:51 -0400]:

> On Sun, 29 Apr 2018, Vladimir Lomov wrote:
>>  The following example is a DNS zone file (see [RFC1035]) that informs
>>  CAs that certificates are not to be issued except by the holder of the
>>  domain name 'ca.example.net' or an authorized agent thereof.  This
>>  policy applies to all subordinate domains under example.com.
>> (the last paragraph on page 4), but I didn't find what should DNS return
>> on request for subdomain.
>> I would expect that request about CAA record for subdomain should return
>> the same answer as for domain 'vl-lomov.ru' (if something other is not
>> set for that particular subdomain it's CAA must be inherited from domain
>> setting).
> The job of DNS is just to publish records. It has no concept of the
> above RFC text. That text applies to clients that check CAA records.
> It is up to those implementations to properly check parental zones.
>> I tried to check the CAA using dig and drill and both show that only
>> vl-lomov.ru domain has CAA answer. Is it expected behaviour?
> dig and drill only return DNS records. They are not CAA client
> implementations.
> Paul

Thank you for clarification.

@Ask: thank you too, now it is more clear to me how CAA works.

WBR, Vladimir Lomov

Some people have told me they don't think a fat penguin really embodies the
grace of Linux, which just tells me they have never seen a angry penguin
charging at them in excess of 100mph.  They'd be a lot more careful about what
they say if they had.
	-- Linus Torvalds, announcing Linux v2.0

More information about the nsd-users mailing list