Allow CAA records in DH's DNS


#1

DNS Certification Authority Authorization (CAA) resource records (RFC 6844) allow us to declare which certificate authorities are allowed to issue a certificate for a domain.
SSL Labs is already checking for CAA records.


#2

Please add this to the Web Hosting Control Panel. I’ve already had this come up from a security audit.


#3

Did you contact Dreamhost support? They might be able to add it for you. The more requests they get for something like that, the faster you will see customer-level support via the panel.


#4

+1. See https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

And yes, I just submitted my support request for it too.


#5

I, too, would like this capability.


#6

And as a follow-up, support says CAA DNS records are not currently supported, so asking them for it just underscores the need for this suggestion at this point.


#7

Hello folks, thanks for chiming in on this one. The issue is on DreamHost developers’ radar. I don’t have an ETA yet but I’ll be reporting here any progress I will see on the internal issue.


#8

It is October now, and the initial request was made back in April. The DNS resource type ‘CAA’ is an RFC spec that has been included in BIND since 2016. It is supported by most all other registrars. See: https://sslmate.com/caa/support

This needs to be a priority. Do I really need to change registrars to enable CAA security? Please fix this Dreamhost.


#9

It is now December of 2017 with no current support in the panel to add CAA records. I’ve tweeted @dreamhostcare and am waiting to hear back. If I have to, I’ll open a support ticket to see if they can manually add the record for me.


#10

Since Let’s Encrypt is auto supported, it would be great if the CAA record could also be auto added for DNS domains hosted with Dreamhost.


#11

Did you receive a reply?


#12

They said they have no plan to add support for CAA:
https://twitter.com/bltjetpack/status/943132664130949120


#13

Didn’t this become like required in Sept of 2017…

Seems crazy that this is not supported yet.


#14

There are requests that have been sitting for years and commitments from Dreamhost that have been waiting for years.

I would not expect anything anytime soon; Dreamhost is slow to add features.


#15

Well, pretty sure this is like a requirement for CAs to issue certs: they have to check the CAA record in the DNS for the domain. So if they do not support it, how and the F is anyone going to use them for DNS for their domains? How are they going to run their own ACME certs on your domains, etc., if you cannot put in the CAA record…


#16

Dreamhost: can you please add CAA support to DNS?
See RFC6844

This is a widely adopted industry standard. Notice this list, how nearly all hosting providers support it (except for dreamhost): https://sslmate.com/caa/support

The list includes Google, Cloudflare, Azure, 1&1, etc.

It is also supported by all DNS servers:
BIND, dnsmasq, Knot DNS, ldns, NSD, OpenDNSSEC, PowerDNS, Simple DNS Plus, tinydns.

Hell, even Windows Server 2016 supports CAA records.

Please enable this for your customers?


#17

But most importantly, it is now a CA/Browser Forum mandate. :hushed:


#18

I received this message from Dreamhost this morning:

Thanks for contacting DreamHost. The version of PowerDNS DreamHost uses
does not support CAA records so we are unable to enable this feature. We
are currently in the planning stages on upgrading our name server
software but don’t have an ETA when this will be completed. Sorry for the
inconvenience.

PowerDNS with CAA support was released in July of 2016 so… Dreamhost is just lagging 1.8 years behind applying the update. :disappointed_relieved:


#19

Just stumbled upon this since I also wanted to add a CAA record to my registration. Considering the original request is over one year old and they’re still not supported I’ll probably have to switch to another registrar when it’s time to renew my registration.


#20