DO Ideas 2

Add DNS CAA support to the DNS manager

I would like to see an implementation to support DNS CAA in DO's DNS control panel.

DNS Certification Authority Authorization (CAA) uses the Internet's Domain Name System to specify which certificate authorities may be regarded as authoritative for a domain. This is intended to support additional cross-checking at the client end of TLS connections to attempt to prevent certificates issued by CAs other than the specified CAs from being used to spoof the identity of websites or perform man-in-the-middle attacks on them.

If we run a certain CA on our websites, we can specify that in our DNS settings and the security is enhanced for our website when it comes to possible MitM.

Thanks!

  • Tobias Ehlert
  • Sep 11 2018
  • Shipped
  • Sep 11, 2018

    Admin Response

    Hello everybody,

    First, I would like to thank you for your patience and for bringing this request to us. Today we updated our DNS panel and API to allow the creation of CAA records, and our DNS infrastructure will reply to CAA queries. We created a tutorial with instructions on how to create and manage CAA records: https://www.digitalocean.com/community/tutorials/how-to-create-and-manage-caa-records-using-digitalocean-dns

    You can also create CAA records using the API. The command below will create a CAA record allowing Let's Encrypt to create certs for the domain "mydomain.com":

        curl -X POST -d '{"type":"CAA","name":"@","data":"letsencrypt.org.","priority":null,"port":null,"ttl":1800,"flags":0,"tag":"issue"}' -H "Content-Type: application/json" -H "Authorization: Bearer $DIGITALOCEAN_TOKEN" https://api.digitalocean.com/v2/domains/mydomain.com/records

    We will still make a few adjustments, and more documentation will be updated in the next few weeks, but today's update should be enough to get you started. If you have more suggestions, please send them through UserVoice; we do listen to your feedback.

    Thanks a lot
  • Alexandre commented
    September 11, 2018 16:10

    This is marked as complete, however it is missing an important feature:

    - Providing ';' (meaning none) as the list of CAs that can issue certificates.

    This allows requesting that no CA should issue a certificate.

    I believe the most common use would be along with the 'issuewild' flag. A lot of people don't need or want to use wildcard certs.
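    The following is an added example, not code from DigitalOcean or from any commenter: it builds the CAA record body in the shape the admin's curl command posts to the API, and evaluates a record set the way RFC 8659 tells a CA to, so you can check that an "issue letsencrypt.org." record plus an "issuewild ;" record (Alexandre's case) really forbids wildcard issuance while still allowing ordinary Let's Encrypt certs. The record set is constructed for the example; the helper and function names are mine.

```python
import json
from dataclasses import dataclass

CAA_FLAG_CRITICAL = 0x80  # RFC 8659 "issuer critical" bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def do_record_payload(rec: CAARecord, name: str = "@", ttl: int = 1800) -> dict:
    """Shape a CAA record as the JSON body the DigitalOcean API expects
    (same keys as the curl command in the admin response)."""
    return {"type": "CAA", "name": name, "data": rec.value, "priority": None,
            "port": None, "ttl": ttl, "flags": rec.flags, "tag": rec.tag}


def _issuer(value: str) -> str:
    # Property value is "<issuer-domain>[; param=value ...]"; a bare ";" means no CA.
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def issuance_allowed(records, ca: str, wildcard: bool) -> bool:
    """RFC 8659 section 4 check: may `ca` issue for the name owning `records`?"""
    known = {"issue", "issuewild", "iodef"}
    # An unrecognised property with the critical bit set forbids issuance outright.
    if any(r.flags & CAA_FLAG_CRITICAL and r.tag.lower() not in known for r in records):
        return False
    tags = {r.tag.lower() for r in records}
    if wildcard and "issuewild" in tags:
        relevant = "issuewild"   # wildcard names prefer issuewild when present
    elif "issue" in tags:
        relevant = "issue"       # otherwise fall back to the issue set
    else:
        return True              # empty relevant set: no restriction
    ca = ca.lower().rstrip(".")
    return any(_issuer(r.value) == ca for r in records if r.tag.lower() == relevant)


# Constructed record set: Let's Encrypt may issue, nobody may issue wildcards.
ZONE = [CAARecord(0, "issue", "letsencrypt.org."), CAARecord(0, "issuewild", ";")]

if __name__ == "__main__":
    for rec in ZONE:
        print(json.dumps(do_record_payload(rec)))
    print("LE normal cert:", issuance_allowed(ZONE, "letsencrypt.org", wildcard=False))
    print("LE wildcard:  ", issuance_allowed(ZONE, "letsencrypt.org", wildcard=True))
```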

  • jp commented
    September 11, 2018 16:10

    Great work, just in time! thanks!

  • Alistair MacDonald commented
    September 11, 2018 16:10

    You guys are awesome! Thanks so much!

  • Andrew Ensley commented
    September 11, 2018 16:10

    Great! Thank you so much!

  • Über Nomad commented
    September 11, 2018 16:10

    Awesome stuff, Thank you !

  • Dennis Xiloj commented
    September 11, 2018 16:10

    Definitely +3 (my current domains managed in DO)

  • Michael Mawhinney commented
    September 11, 2018 16:10

    September rapidly approaches. Please at the very least post an update on the status of your implementation plan. Thank you!

  • daftcloud commented
    September 11, 2018 16:10

    +1

  • Anonymous commented
    September 11, 2018 16:10

    Hoping this will be available shortly!

  • Matt Nordhoff commented
    September 11, 2018 16:10

    Peter, it will not be mandatory for domains to use CAA records. It will only be mandatory that CAs start to check them. If no CAA records exist, the CA will issue as before.

  • Peter commented
    September 11, 2018 16:10

    Please at least let us know if you will implement this before 9/8/2017. If not, people will need to move to a DNS provider that allows CAA records as they become mandatory. Please communicate openly and honestly, we need an exact date of implementation, or at least the confirmation that you can't implement before 9/8/2017. I certainly hope you can. Thank you.

  • Zahidul commented
    September 11, 2018 16:10

    +1

  • Anonymous commented
    September 11, 2018 16:10

    ++++

  • Mike commented
    September 11, 2018 16:10

    +++

  • Ivan commented
    September 11, 2018 16:10

    +++ !!!

  • David Peters commented
    September 11, 2018 16:10

    +∞

  • Will Robinson commented
    September 11, 2018 16:10

    +1

  • Anonymous commented
    September 11, 2018 16:10

    Any update other than "Gathering Feedback?" This "feature" is mandatory for TLS/SSL certificate issuance as of September 2017.

  • Gregor commented
    September 11, 2018 16:10

    +1

  • Concorrência commented
    September 11, 2018 16:10

    News?

  • Charles Snider commented
    September 11, 2018 16:10

    Fantastic response!

  • Alistair MacDonald commented
    September 11, 2018 16:10

    This is really great news!! Thanks Rafael.

    > "We are working on a plan to deliver this feature. We don’t have an official announcement yet, but expect some updates soon. Thanks for your feedback and support."

  • Anonymous commented
    September 11, 2018 16:10

    Any news on this?

  • Nick Frost commented
    September 11, 2018 16:10

    +1 for this, I will probably move to a third party DNS provider in the meantime.

  • Jani Lahti commented
    September 11, 2018 16:10

    Just to make sure this issue isn't forgotten.

  • Evgeni Vachkov commented
    September 11, 2018 16:10

    --- Email received today from DigitalOcean Support Team in response to my support request ---

    Hello Evgeni,

    Thank you for reaching out to us.

    I apologize for the inconvenience that this is causing, but at this time we do not have an ETA on when CAA will be supported. We appreciate your understanding on this and I am sorry that we haven't been able to provide you with more detailed information at this point.

    We would hate to see you go, but we also understand that you have business needs that need to be met. If we have any updates in regards to plans to support CAA, our product team will update the UserVoice page with any evolving information.

    I hope this information is helpful. Please let us know if you have any additional questions!

    Regards,

    Haley
    Platform Support Specialist
    DigitalOcean

  • Evgeni Vachkov commented
    September 11, 2018 16:10

    All, I would recommend everyone opens a ticket with the Digital Ocean support team by the end of this week. I am sure they will notice the 200+ support tickets coming all at once :-D

  • Daniyar Chambylov commented
    September 11, 2018 16:10

    +1

  • Billy Zsigray commented
    September 11, 2018 16:10

    +1 please, this issue is affecting me as well.

  • Anonymous commented
    September 11, 2018 16:10

    +1

    Less than 5 months left for DO to implement this. Use becomes mandatory worldwide September 2017.

  • Karsten Wolniak commented
    September 11, 2018 16:10

    +1

  • Ron commented
    September 11, 2018 16:10

    +1

    Especially since it will shortly (9/8/2017) become mandatory for CAs to check for a CAA record before issuing a cert. This will affect all of us who use LetsEncrypt issued certs since they are renewed every 90 days. Please implement DNS CAA records so we can all be compliant and safe. Thanks.

  • Uber commented
    September 11, 2018 16:10

    I would also like to see this happening :)

  • Linc Madison commented
    September 11, 2018 16:10

    Beginning 2017-09-08, all Certificate Authorities will be MANDATED to check the CAA record for a domain before issuing a certificate! <https://cabforum.org/pipermail/public/2017-March/009988.html>

  • Anonymous commented
    September 11, 2018 16:10

    +1

  • Paul Williams commented
    September 11, 2018 16:10

    +1

  • Blair Mitchelmore commented
    September 11, 2018 16:10

    +1

  • Sharevari commented
    September 11, 2018 16:10

    Hello Rafael Rosa, any ETA?

    Regards

  • Anonymous commented
    September 11, 2018 16:10

    +1

    I too need this.

  • Andrew Ensley commented
    September 11, 2018 16:10

    Please add this. This is a valuable security enhancement.

  • Anonymous commented
    September 11, 2018 16:10

    up!

  • Evgeni Vachkov commented
    September 11, 2018 16:10

    Digital Ocean will make quite a few clients happy if DNS CAA support is implemented. Our R&D tax website https://rndtax.co.uk currently shows as 'CAA record missing' on SSL Labs' test, which we want to fix!

    Suggest everyone to also submit a support ticket to Digital Ocean to highlight importance of this feature.

  • Alex commented
    September 11, 2018 16:10

    +1

  • Raito commented
    September 11, 2018 16:10

    Does the admin really hear us?

  • Steven Roy commented
    September 11, 2018 16:10

    I use Digital Ocean because they are often ahead of the curve. This missing feature is not in keeping with that general philosophy.

  • Phillip Moore commented
    September 11, 2018 16:10

    +1

  • Dan Bailey commented
    September 11, 2018 16:10

    God yes. This needs to happen a month ago.

  • andy commented
    September 11, 2018 16:10

    FIRE! +1

  • DronCode commented
    September 11, 2018 16:10

    +1

  • Egor Kokorin commented
    September 11, 2018 16:10

    +1

  • Ian Tearle commented
    September 11, 2018 16:10

    +1

  • Sharevari commented
    September 11, 2018 16:10

    +1

  • Raito commented
    September 11, 2018 16:10

    +1
    Please YES !

  • Tov Are Jacobsen commented
    September 11, 2018 16:10

    +1 I want my A+ back and CAA seems like a sensible feature. :-)

  • Shel commented
    September 11, 2018 16:10

    +1
    I and my clients need this too.
    In future SSL will come to all websites on the internet.

  • Anonymous commented
    September 11, 2018 16:10

    Yes, please.

  • Anonymous commented
    September 11, 2018 16:10

    Yes we would like this feature implemented please!

  • Michael Mawhinney commented
    September 11, 2018 16:10

    +1

  • epiekarc commented
    September 11, 2018 16:10

    I'd like to see this also.

  • Anonymous commented
    September 11, 2018 16:10

    I just ran a test at https://www.ssllabs.com/ssltest/analyze.html everything came back great except CAA record missing. Went to add it on digital ocean networking tab... No option to add it.

    This would be a good addition

  • Fred commented
    September 11, 2018 16:10

    I would vote if I had votes left. This is a good one.

  • Anonymous commented
    September 11, 2018 16:10

    I second this motion.

  • Rafael Rosa commented
    September 11, 2018 16:10

    That's an interesting suggestion, thanks.