DNS CAA records...

So I’ve come across this on Qualys and I’m just wondering if there are any practical examples out there in the wild.
I know some BIND guys are on here, so I’m sure I’m missing something from the RFCs.
Just wanted to test this out on my play domains before putting it out in the wild...

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

So after a quick look into this, I see one potential real-world example:

;; ANSWER SECTION:
google.com. 129 IN A 216.58.218.142
google.com. 74411 IN NS ns4.google.com.
google.com. 74411 IN NS ns1.google.com.
google.com. 74411 IN NS ns2.google.com.
google.com. 74411 IN NS ns3.google.com.
google.com. 3054 IN TXT "v=spf1 include:_spf.google.com ~all"
google.com. 64 IN AAAA 2607:f8b0:4000:802::200e
google.com. 54475 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D

In RFC 6844 section 7.1 it states:

"IANA has assigned Resource Record Type 257 for the CAA Resource Record Type"

and I am seeing:

google.com. 54475 IN TYPE257 \# 19 0005697373756573796D616E7465632E636F6D

Nolan Berry

Linux Systems Engineer

DNS Engineering

Rackspace Hosting

As of 2016-12-31, here are CAA records for 143 domains:

https://gist.github.com/roycewilliams/a5b2d26edf3b64ecf77a75f943de079f

That gist contains all CAA (or unparsed/raw type 257) records as seen
in the Rapid7 "DNS ANY" dataset [1] from 2016-12-31.

Interestingly, google.com, as noted by Nolan side-thread, isn't in this
dataset. Since "DNS ANY" is a superset of all DNS picked up by other
scans, it may be that Rapid7's scanning isn't incidentally catching
many CAA records. An explicit scan for CAA records (against, say, all
domains seen in DNS ANY) would likely be interesting.

Also, I've requested that cPanel add CAA support to the DNS management
tools. If that would be of use to you, feel free to upvote the feature
[2].

Some good CAA refs are [3], [4], and [5].

Royce

1. https://scans.io/study/sonar.fdns
2. https://features.cpanel.net/topic/add-support-for-caa-dns-records-type-257
3. https://tools.ietf.org/html/rfc6844
4. https://sslmate.com/labs/caa/ (includes info on which CAs support
them; it's early)
5. https://blog.dnsimple.com/2017/01/introducing-caa-records/

Or use up-to-date code. CAA support was added in BIND 9.8.8 (already
end-of-lifed), BIND 9.9.6, BIND 9.10.1 and BIND 9.11.0.

[rock:~/git/bind9] marka% dig caa google.com
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> caa google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42490
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5f52c5d222feb5c9583cb70c587ee11a8f16c403c5fdbbd5 (good)
;; QUESTION SECTION:
;google.com. IN CAA

;; ANSWER SECTION:
google.com. 86400 IN CAA 0 issue "symantec.com"

;; Query time: 192 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 18 14:29:30 EST 2017
;; MSG SIZE rcvd: 98

[rock:~/git/bind9] marka%

Anyway, this is a good real-life example of how you can add new types
and have them be looked up without having to update the servers or
the clients. "dig TYPE257 google.com" would have also worked.

Mark
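Decoding the raw TYPE257 answer Nolan quoted into the fields that Mark's newer dig prints, as an added example (not code from any poster or from BIND): it parses the RFC 3597 generic text form and then the RFC 6844 section 5.1 wire layout (flags octet, tag length, tag, value).

```python
import binascii
import re
from dataclasses import dataclass

# Bit 0 of the flags octet (0x80) is the issuer-critical flag (RFC 6844 5.1).
ISSUER_CRITICAL = 0x80

@dataclass
class CAA:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)

    def presentation(self) -> str:
        """The form dig shows once it knows the type, e.g. 0 issue "symantec.com"."""
        return f'{self.flags} {self.tag} "{self.value}"'

def parse_generic_rdata(text: str) -> bytes:
    """Parse the RFC 3597 form '\\# <len> <hex...>' and check the declared length."""
    m = re.match(r'\\#\s+(\d+)\s+([0-9A-Fa-f\s]*)$', text.strip())
    if not m:
        raise ValueError(f"not RFC 3597 generic rdata: {text!r}")
    rdata = binascii.unhexlify("".join(m.group(2).split()))
    if len(rdata) != int(m.group(1)):
        raise ValueError(f"declared length {m.group(1)} != {len(rdata)} bytes")
    return rdata

def parse_caa(rdata: bytes) -> CAA:
    """RFC 6844 5.1: flags (1 octet), tag length (1 octet), tag, then the value."""
    if len(rdata) < 2:
        raise ValueError("CAA rdata too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError(f"bad tag length {tag_len}")
    tag = rdata[2:2 + tag_len].decode("ascii")
    if not tag.isalnum():
        raise ValueError(f"tag must be alphanumeric: {tag!r}")
    value = rdata[2 + tag_len:].decode("utf-8")
    return CAA(flags, tag.lower(), value)

# The google.com TYPE257 answer as quoted in the thread (constructed input).
GOOGLE_RAW = r"\# 19 0005697373756573796D616E7465632E636F6D"

if __name__ == "__main__":
    rec = parse_caa(parse_generic_rdata(GOOGLE_RAW))
    print(rec.presentation())  # 0 issue "symantec.com"
```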

[snip of CAA-record intro stuff]

An explicit scan for CAA records (against, say, all
domains seen in DNS ANY) would likely be interesting.

Out of curiosity, I used zscan/zdns [1] to scan the OpenDNS top 1
million domains [2] for CAA records.

Only 37 popped up:

appspot-preview.com
appspot.com
centos.org
comodo.com
compricer.se
csswg.org
dnsimple.com
ekom21.de
entrust.net
fu-berlin.de
google.com
googleusercontent.com
hr.nl
hro.nl
instantssl.com
intra.net
magticom.ge
mail.de
minuporno.com
mobileread.com
monash.edu
ntplx.net
pdgamedev.com
posteo.de
pstatic.net
rio2016.com
samba.org
shat.net
sumologic.com
svwh.net
symantec.com
tensquaregames.com
thefacebook.com
tsheets.com
unfcu.org
uni-sofia.bg
weddingwire.com

1. GitHub - zmap/zdns: Fast CLI DNS Lookup Tool
2. https://blog.opendns.com/2016/12/14/cisco-umbrella-1-million/

Royce