So I've come across this on Qualys and just wondering if there's any practical examples out there in the wild. I know some BIND guys are on here, so I'm sure I'm missing something from the RFCs. Just wanted to test this out on my play domains before putting it out in the wild...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
So a quick look into this I see one potential real world example:

;; ANSWER SECTION:
google.com. 129 IN A 216.58.218.142
google.com. 74411 IN NS ns4.google.com.
google.com. 74411 IN NS ns1.google.com.
google.com. 74411 IN NS ns2.google.com.
google.com. 74411 IN NS ns3.google.com.
google.com. 3054 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 64 IN AAAA 2607:f8b0:4000:802::200e
google.com. 54475 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D

In RFC 6844 section 7.1 it states "IANA has assigned Resource Record Type 257 for the CAA Resource Record Type" and I am seeing:

google.com. 54475 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D

Nolan Berry
Linux Systems Engineer
DNS Engineering
Rackspace Hosting

________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Eric Tykwinski <eric-list@truenet.com>
Sent: Tuesday, January 17, 2017 6:04:31 PM
To: nanog list
Subject: DNS CAA records...

So I've come across this on Qualys and just wondering if there's any practical examples out there in the wild. I know some BIND guys are on here, so I'm sure I'm missing something from the RFCs. Just wanted to test this out on my play domains before putting it out in the wild...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300
Or use up-to-date code. CAA support was added in BIND 9.8.8 (already end-of-lifed), BIND 9.9.6, BIND 9.10.1 and BIND 9.11.0.

[rock:~/git/bind9] marka% dig caa google.com
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> caa google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42490
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5f52c5d222feb5c9583cb70c587ee11a8f16c403c5fdbbd5 (good)
;; QUESTION SECTION:
;google.com. IN CAA

;; ANSWER SECTION:
google.com. 86400 IN CAA 0 issue "symantec.com"

;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 18 14:29:30 EST 2017
;; MSG SIZE rcvd: 98

[rock:~/git/bind9] marka%

Anyway this is a good real life example of how you can add new types and have them be looked up without having to update the servers or the clients. "dig TYPE257 google.com" would have also worked.

Mark

In message <ae662f474afc41b184c821af0e38b5ac@RACKSPACE.COM>, Nolan Berry writes:
So a quick look into this I see one potential real world example:
;; ANSWER SECTION:
google.com. 129 IN A 216.58.218.142
google.com. 74411 IN NS ns4.google.com.
google.com. 74411 IN NS ns1.google.com.
google.com. 74411 IN NS ns2.google.com.
google.com. 74411 IN NS ns3.google.com.
google.com. 3054 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 64 IN AAAA 2607:f8b0:4000:802::200e
google.com. 54475 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
In RFC 6844 section 7.1 it states
"IANA has assigned Resource Record Type 257 for the CAA Resource Record Type"
and I am seeing:
google.com. 54475 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D
Nolan Berry
Linux Systems Engineer
DNS Engineering
Rackspace Hosting
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: marka@isc.org
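Nolan's resolver printed the record in the RFC 3597 generic form (`TYPE257 \# 19 0005...`) while Mark's CAA-aware dig printed `CAA 0 issue "symantec.com"`; both are the same 19 bytes of RDATA. The following is an added example, not code from the thread, that decodes the generic form into the CAA fields (flags, tag, value per RFC 6844 section 5.1) and encodes them back, using the google.com record quoted above as its input.

```python
# Added example: decode RFC 3597 "\# <len> <hex>" generic RDATA into the
# CAA presentation format a CAA-aware resolver prints, and the reverse.
# Input is the google.com TYPE257 record quoted in the thread.

import binascii


def parse_rfc3597(text):
    # Generic format is: \# <decimal length> <hex bytes, whitespace allowed>
    fields = text.split()
    if not fields or fields[0] != r"\#":
        raise ValueError("not RFC 3597 generic format")
    length = int(fields[1])
    rdata = binascii.unhexlify("".join(fields[2:]))
    if len(rdata) != length:
        raise ValueError(f"declared length {length} != actual {len(rdata)}")
    return rdata


def decode_caa(rdata):
    # CAA RDATA: flags (1 byte), tag length (1 byte), tag, then value to end
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags = rdata[0]
    tag_len = rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError("CAA tag must be US-ASCII letters/digits")
    value = rdata[2 + tag_len:].decode("utf-8")
    return flags, tag, value


def caa_presentation(rdata):
    # Same text a CAA-aware dig prints after "IN CAA"
    flags, tag, value = decode_caa(rdata)
    return f'{flags} {tag} "{value}"'


def encode_caa(flags, tag, value):
    # Build RDATA and render it in generic form for a server lacking CAA support
    tag_b = tag.encode("ascii")
    rdata = bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")
    return r"\# %d %s" % (len(rdata), binascii.hexlify(rdata).decode().upper())


RAW = r"\# 19 0005697373756573796D616E7465632E636F6D"  # from the thread

if __name__ == "__main__":
    print(caa_presentation(parse_rfc3597(RAW)))  # 0 issue "symantec.com"
```

The length check matters in practice: a resolver that trusts the declared length over the actual hex would silently mis-parse a truncated record.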
On Tue, Jan 17, 2017 at 3:04 PM, Eric Tykwinski <eric-list@truenet.com> wrote:
So I’ve come across this on Qualys and just wondering if there’s any practical examples out there in the wild. I know some BIND guys are on here, so I’m sure I’m missing something from the RFCs. Just wanted to test this out on my play domains before putting it out in the wild...
As of 2016-12-31, here are CAA records for 143 domains:

https://gist.github.com/roycewilliams/a5b2d26edf3b64ecf77a75f943de079f

That gist contains all CAA (or unparsed/raw type 257) records as seen in the Rapid7 "DNS ANY" dataset [1] from 2016-12-31. Interestingly, google.com as noted by Nolan side-thread isn't in this dataset. Since "DNS ANY" is a superset of all DNS picked up by other scans, it may be that Rapid7's scanning isn't incidentally catching many CAA records. An explicit scan for CAA records (against, say, all domains seen in DNS ANY) would likely be interesting.

Also, I've requested that cPanel add CAA support to the DNS management tools. If that would be of use to you, feel free to upvote the feature [2].

Some good CAA refs are [3], [4], and [5].

Royce

1. https://scans.io/study/sonar.fdns
2. https://features.cpanel.net/topic/add-support-for-caa-dns-records-type-257
3. https://tools.ietf.org/html/rfc6844
4. https://sslmate.com/labs/caa/ (includes info on which CAs support them; it's early)
5. https://blog.dnsimple.com/2017/01/introducing-caa-records/
On Tue, Jan 17, 2017 at 4:54 PM, Royce Williams <royce@techsolvency.com> wrote:

[snip of CAA-record intro stuff]
An explicit scan for CAA records (against, say, all domains seen in DNS ANY) would likely be interesting.
Out of curiosity, I used zscan/zdns [1] to scan the OpenDNS top 1 million domains [2] for CAA records. Only 37 popped up:

appspot-preview.com appspot.com centos.org comodo.com compricer.se csswg.org
dnsimple.com ekom21.de entrust.net fu-berlin.de google.com googleusercontent.com
hr.nl hro.nl instantssl.com intra.net magticom.ge mail.de minuporno.com
mobileread.com monash.edu ntplx.net pdgamedev.com posteo.de pstatic.net
rio2016.com samba.org shat.net sumologic.com svwh.net symantec.com
tensquaregames.com thefacebook.com tsheets.com unfcu.org uni-sofia.bg
weddingwire.com

1. https://github.com/zmap/zdns
2. https://blog.opendns.com/2016/12/14/cisco-umbrella-1-million/

Royce