DNS: CAA

Usage of CAA records in the campus Infoblox service

A CAA record is used to specify which certificate authorities are allowed to issue certificates for a domain. This verification is done by the certificate issuer before a certificate is generated, and is not used by SSL client hosts to verify connection integrity or SSL certificate validity. The current Infoblox software does not allow you to create a CAA record via the web portal user interface, though it is possible for the campus hostmaster to create the records for you, if needed. As these records are not fully supported, the current recommendation is to not use them if possible; full software support will be available in a future software release. For any questions regarding CAA records, email hostmaster@wisc.edu.

As of version 8.x, Infoblox natively supports CAA records. The following steps are listed only to document the humorous method by which unsupported record types could be jammed into Infoblox.

CAA Record Generator


e.g. on ipam-lab, from ipam-lab, with ddns updates configured for ipam-lab...

Infoblox > ddns_add blodgett.wisc.edu 3600 TYPE257 "\# 20 000569737375657573657274727573742E636F6D"

[timc@grunt ~]$ dig vetmed.wisc.edu CAA +short
0 issue "usertrust.com"
[timc@grunt ~]$ dig @ipam-lab.doit.wisc.edu blodgett.wisc.edu CAA +short
0 issue "usertrust.com"


-or-

[timc@grunt ~]$ nsupdate
> server 144.92.9.21
> update add bact.wisc.edu 3600 CAA 0 issue "usertrust.com"
> send
> quit
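
The TYPE257 line in the ddns_add method above carries the CAA RDATA in the RFC 3597 unknown-record form (\# <length> <hex>): one flags octet, one tag-length octet, the tag, then the value. The following Python is an added example, not part of the original document or of Infoblox; the function names are hypothetical. It builds that string from the presentation form and decodes it back, so the hex can be checked before it is loaded.

```python
import re

CAA_TYPE = 257  # RR type number for CAA, hence TYPE257 in the ddns_add line


def caa_to_generic(flags, tag, value):
    """Return CAA RDATA in RFC 3597 unknown-type form: \\# <len> <hex>."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not re.fullmatch(r"[A-Za-z0-9]{1,255}", tag):
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    # Wire format: flags octet, tag-length octet, tag, then the value
    rdata = bytes([flags, len(tag)]) + tag.encode("ascii") + value.encode("ascii")
    return f"\\# {len(rdata)} {rdata.hex().upper()}"


def generic_to_caa(text):
    """Decode a \\# <len> <hex> string back into (flags, tag, value)."""
    m = re.fullmatch(r"\\#\s+(\d+)\s+([0-9A-Fa-f\s]*)", text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic RDATA")
    rdata = bytes.fromhex(m.group(2))  # whitespace between hex groups is allowed
    if len(rdata) != int(m.group(1)):
        raise ValueError("declared length does not match hex data")
    if len(rdata) < 2 or rdata[1] == 0 or len(rdata) < 2 + rdata[1]:
        raise ValueError("truncated CAA RDATA")
    tag_end = 2 + rdata[1]
    return rdata[0], rdata[2:tag_end].decode("ascii"), rdata[tag_end:].decode("ascii")


if __name__ == "__main__":
    # Rebuild the record used on this page, then decode the page's hex string
    print(f"TYPE{CAA_TYPE}", caa_to_generic(0, "issue", "usertrust.com"))
    print(generic_to_caa("\\# 20 000569737375657573657274727573742E636F6D"))
```

A declared length that disagrees with the hex data is rejected by the decoder here; catching that before the update is sent avoids loading a malformed record.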




Keywords: DNS CAA SSL unsupported TYPE TYPE257
Doc ID: 80059
Owner: Tim C.
Group: DNS, DHCP, and IPAM
Created: 2018-02-12 09:24 CST
Updated: 2019-12-02 13:49 CST
Sites: DNS, DHCP, and IPAM