Or use up-to-date code. CAA support was added in BIND 9.8.8 (already end of lifed), BIND 9.9.6, BIND 9.10.1 and BIND 9.11.0.

[rock:~/git/bind9] marka% dig caa google.com
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> caa google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42490
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5f52c5d222feb5c9583cb70c587ee11a8f16c403c5fdbbd5 (good)
;; QUESTION SECTION:
;google.com. IN CAA

;; ANSWER SECTION:
google.com. 86400 IN CAA 0 issue "symantec.com"

;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 18 14:29:30 EST 2017
;; MSG SIZE rcvd: 98

[rock:~/git/bind9] marka%

Anyway this is a good real life example of how you can add new types and have them be looked up without having to update the servers or the clients. "dig TYPE257 google.com" would have also worked.

Mark

In message <ae662f474afc41b184c821af0e38b5ac@RACKSPACE.COM>, Nolan Berry writes:
So a quick look into this I see one potential real world example:
;; ANSWER SECTION:
google.com. 129 IN A 216.58.218.142
google.com. 74411 IN NS ns4.google.com.
google.com. 74411 IN NS ns1.google.com.
google.com. 74411 IN NS ns2.google.com.
google.com. 74411 IN NS ns3.google.com.
google.com. 3054 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 64 IN AAAA 2607:f8b0:4000:802::200e
google.com. 54475 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
In RFC 6844 section 7.1 it states:
"IANA has assigned Resource Record Type 257 for the CAA Resource Record Type"
and I am seeing:
google.com. 54475 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
Nolan Berry
Linux Systems Engineer
DNS Engineering
Rackspace Hosting
________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Eric Tykwinski <eric-list@truenet.com>
Sent: Tuesday, January 17, 2017 6:04:31 PM
To: nanog list
Subject: DNS CAA records...
So I've come across this on Qualys and was just wondering if there are any practical examples out there in the wild. I know some BIND guys are on here, so I'm sure I'm missing something from the RFCs. Just wanted to test this out on my play domains before putting it out in the wild...
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
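The TYPE257 generic RDATA Nolan's resolver printed and the "0 issue "symantec.com"" Mark's newer dig printed are the same 19 bytes. As an added example (not code from the thread or from BIND), the Python below decodes the RFC 3597 "\# <len> <hex>" form into the RFC 6844 CAA fields, with the length and tag sanity checks a monitoring script should apply before trusting a record it did not understand natively:

```python
import binascii
from typing import Tuple


def parse_generic_rdata(text: str) -> bytes:
    """Parse RFC 3597 unknown-type presentation ("\\# <len> <hex...>") into raw bytes."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != r"\#":
        raise ValueError("not RFC 3597 generic RDATA")
    declared = int(parts[1])
    # Hex may be split into several whitespace-separated words; join before decoding.
    raw = binascii.unhexlify("".join(parts[2:]))
    if len(raw) != declared:
        raise ValueError(f"declared length {declared} != actual {len(raw)}")
    return raw


def decode_caa(raw: bytes) -> Tuple[int, str, str]:
    """Decode CAA RDATA (RFC 6844 s5.1): flags(1) | tag length(1) | tag | value."""
    if len(raw) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = raw[0], raw[1]
    if tag_len == 0 or 2 + tag_len > len(raw):
        raise ValueError("invalid CAA tag length")
    tag = raw[2:2 + tag_len].decode("ascii")
    # RFC 6844 restricts the tag to US-ASCII letters and digits.
    if not tag.isalnum():
        raise ValueError("CAA tag must be alphanumeric")
    value = raw[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def is_issuer_critical(flags: int) -> bool:
    """Bit 0 (value 128) of the flags byte is the Issuer Critical flag."""
    return bool(flags & 0x80)


def present_caa(raw: bytes) -> str:
    """Render decoded RDATA the way a CAA-aware dig prints it."""
    flags, tag, value = decode_caa(raw)
    return f'{flags} {tag} "{value}"'


if __name__ == "__main__":
    # The exact generic RDATA from Nolan's dig output.
    rdata = parse_generic_rdata(r"\# 19 0005697373756573796D616E7465632E636F6D")
    print(present_caa(rdata))  # 0 issue "symantec.com"
```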