[nsd-users] CAA record for domain doesn't show information about subdomains?
Vladimir Lomov
lomov.vl at yandex.ru
Sun Apr 29 23:59:08 UTC 2018
Hello,
** Paul Wouters [2018-04-29 12:41:51 -0400]:
> On Sun, 29 Apr 2018, Vladimir Lomov wrote:
>
>> The following example is a DNS zone file (see [RFC1035]) that informs
>> CAs that certificates are not to be issued except by the holder of the
>> domain name 'ca.example.net' or an authorized agent thereof. This
>> policy applies to all subordinate domains under example.com.
>>
>> (the last paragraph on page 4), but I didn't find what should DNS return
>> on request for subdomain.
>>
>> I would expect that request about CAA record for subdomain should return
>> the same answer as for domain 'vl-lomov.ru' (if something other is not
>> set for that particular subdomain it's CAA must be inherited from domain
>> setting).
>
> The job of DNS is just to publish records. It has no concept of the
> above RFC text. That text applies to clients that check CAA records.
> It is up to those implementations to properly check parental zones.
>
>> I tried to check the CAA using dig and drill and both show that only
>> vl-lomov.ru domain has CAA answer. Is it expected behaviour?
>
> dig and drill only return DNS records. They are not CAA client
> implementations.
>
> Paul
Thank you for the clarification.
@Ask: thank you too, now it is more clear to me how CAA works.
---
WBR, Vladimir Lomov
--
Some people have told me they don't think a fat penguin really embodies the
grace of Linux, which just tells me they have never seen an angry penguin
charging at them in excess of 100mph. They'd be a lot more careful about what
they say if they had.
-- Linus Torvalds, announcing Linux v2.0
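To make Paul's point concrete (DNS only publishes the records; the CAA client does the climbing), here is an added example that is not part of this thread or of NSD: a small Python model of the RFC 8659 "relevant CAA RRset" walk and the issue/issuewild decision. The resolver is replaced by a dict of constructed records (the CAA values shown for vl-lomov.ru are invented for illustration), and CNAME/DNAME following is assumed to happen inside the resolver, as the RFC specifies.

```python
from typing import Dict, Iterator, List, Optional, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed stand-in for resolver answers (these records are invented):
# the apex allows one CA and forbids wildcards; a subdomain overrides it.
FAKE_DNS: Dict[str, List[CAARecord]] = {
    "vl-lomov.ru": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "api.vl-lomov.ru": [(0, "issue", "ca.example.net")],
}

def climb(name: str) -> Iterator[str]:
    """Yield name, then each ancestor: 'a.b.c' -> 'a.b.c', 'b.c', 'c'."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def relevant_caa(name: str,
                 dns: Dict[str, List[CAARecord]] = FAKE_DNS) -> Optional[List[CAARecord]]:
    """RFC 8659 section 3: the first non-empty CAA RRset found walking from
    the requested name toward the root. This is the step dig/drill do not
    perform; they only return what exists at the exact name you query."""
    for candidate in climb(name):
        rrset = dns.get(candidate)
        if rrset:
            return rrset
    return None  # no CAA anywhere up the tree

def may_issue(ca: str, name: str, wildcard: bool = False,
              dns: Dict[str, List[CAARecord]] = FAKE_DNS) -> bool:
    """Would issuer 'ca' be authorized for 'name' (or '*.name')?"""
    rrset = relevant_caa(name, dns)
    if rrset is None:
        return True  # no relevant CAA RRset: issuance is not restricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"  # issuewild present: it replaces issue for wildcards
    if not any(t == tag for _, t, _ in rrset):
        return True  # CAA exists (e.g. only iodef) but imposes no issue limit
    # value is "issuer-domain-name [; parameters]"; an empty name allows nobody
    allowed = {v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == tag}
    return ca.lower() in allowed
```

Querying www.vl-lomov.ru in this model returns nothing at the exact name, exactly as dig showed in the thread, yet the CA's decision is still governed by the apex record found one label up.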