Advocate I

Add a Certification Authority Authorization (CAA) Record

We would like to know if GoDaddy has plans or a time frame for implementing a Certification Authority Authorization (CAA) Record in your DNS system?

 

The CAA record(s) allow domain owners/managers to determine which Certificate Authorities (CAs) can issue certificates for their domain. Combined with your existing DNSSEC capabilities it would be very beneficial from an issuance and security perspective. Adoption by CAs of checking the CAA record is still low at this stage; however, it is likely to see more widespread adoption in the short term.

 

P.S. I placed this under the SSL and Security location, as it is a security related issue as well. However, it would likely be better placed in a DNS category. 
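The CAA lookup the original post describes, as an added example (not code from the thread or from GoDaddy): a small checker over a constructed in-memory zone showing how a CA finds the closest CAA record set and evaluates issue/issuewild before issuing. The zone data, the name `ZONE` and the helper names are assumptions; CNAME/DNAME following from RFC 8659 is left out.

```python
"""Decide whether a CA may issue for a name from a zone's CAA records.

Constructed example modelling RFC 8659 sections 3-5 over an in-memory
zone instead of live DNS (no CNAME/DNAME handling).
"""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) = "issuer critical"
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. "letsencrypt.org", or ";" meaning no CA at all

# Constructed sample zone: owner name -> CAA RRset (assumed data).
ZONE = {
    "example.com": [CAA(0, "issue", "letsencrypt.org"),
                    CAA(0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [CAA(0, "issue", "digicert.com"),
                         CAA(0, "issuewild", ";")],   # no wildcard certs
    "locked.example.com": [CAA(0, "issue", ";")],     # nobody may issue
}

def relevant_caa(name: str) -> list[CAA]:
    """Climb toward the root until a non-empty CAA RRset is found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []

def issuer_domain(value: str) -> str:
    """Issuer domain is the value before any ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca_domain: str, name: str, wildcard: bool = False) -> bool:
    rrset = relevant_caa(name)
    if not rrset:
        return True  # no CAA anywhere up the tree: no restriction
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef")
           for r in rrset):
        return False  # unrecognised critical property: must not issue
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild overrides issue for wildcard names
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True  # e.g. only an iodef record is present
    return any(issuer_domain(r.value) == ca_domain.lower() for r in applicable)
```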

1 ACCEPTED SOLUTION

As mentioned in previous replies, it is possible to add a CAA record through GoDaddy DNS.  Please check out the following article for instructions on how to add a CAA record: https://www.godaddy.com/help/add-a-caa-record-27288. 

 

 


43 REPLIES
Helper V

@ZeusDB This is something GoDaddy needs to support. Sadly I have noticed that when it comes to new security standards GoDaddy tends to fall behind. Hopefully if enough people request this feature they will add support. Also to note, GoDaddy doesn't respect the CAA Record and will issue Certs for a domain as long as it passes Validation, even if the CAA Record does not list GoDaddy/Digicert as an authorized certificate issuer. 

As an alternative you can use HTTP Public Key Pinning (HPKP) 

I would also like to see this!

I would also, also like to see this.

 

I presume from the topic existing, there's no way to actually hand edit my zonefile here is there?

 

Edit: I found the import/export - works fine but no recognition so back up to yeah - please support this.

 

 

Pinning is a can of worms.

 

If you ever are so foolish as to set up Pinning, then you can never change IP addresses or better said...

 

Anytime you have a site visitor, while Pinning is enabled, then the Pin is cached.

 

If you have to change your site IP, server crashes + your hosting company moves your site or you change hosting companies, then anyone who visits your site again, will get an SSL error, because they have a Pinned Site IP cached + your Site IP has changed.

 

The reason CAA was developed was to fix the brokenness of Pinning.

 

So avoid Pinning + use CAA records instead.

New

Ditto. Please add support for DNS CAA. Initially, it's fine to limit support to the DNS system. Eventually, the GoDaddy certificate issuance system should respect existing CAA records. 

Ditto if my post adds... 🙂

Yes, please add this feature - and set up GoDaddy to respect this type of record.

Employee

Thank you for raising this issue. We evaluate updating information in the DNS on an ongoing basis. CAA is certainly something that we have been looking at. Adding to the DNS and retroactively updating millions of records is a complex operation. We evaluate each change based on market needs and technical challenges. Please stay tuned for specific updates. 

 

Manish Vaidya, 

Sr Product Manager,

Domains

Looks like dnsimple supports this already:

https://support.dnsimple.com/articles/manage-caa-record/

 

SSL Labs reports this as an issue (but doesn't take off points yet):

https://www.ssllabs.com/ssltest/

 

Maybe you could allow customers to create these records with your UI now and worry about automatically creating/validating them later?

 

More information:

https://support.dnsimple.com/articles/caa-record/

How is this "solved"? Please provide a solution for how to add CAA records.

Is there an update to this?  This got brought up in our last audit and I need to know how I can move forward.  Thanks.

 

 

GoDaddy voted yes on making checking of this mandatory, so I'm hoping you have plans to get it in soon!

 

https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/

 


 


Adding to the DNS and retroactively updating millions of records is a complex operation.

Huh?  No retroactive update of existing DNS resource records is needed.  CAA will only be used for new records of that type that customers want to add.


Any update here?  Seems like it's been 3 months since an employee responded.  This is the top result when I tried to find information so I wanted to jump in and say "Hey, don't forget about this!"

 

Essentially, you guys are dramatically falling behind if you don't support it. It's worth switching to another company, for me, if you guys do not get it in by the end of the year.  Please let us know, either way, so we can start shopping around if necessary!

As some months have passed, what are GoDaddy's plans for adding CAA record support?  Even the standard tools are now supporting it.

Any update on this?

New

The CAA checking will become effective starting September 8th, 2017.

Is this feature already planned? If not, is there a work around for the time being?

Definitely does not sound like a solved solution...

New

Can we get some clarity on what GoDaddy is planning on this one?

 

I've got a security review on answer for.

Just chatted with Nelli, who referred me back to this thread. Quick update - there is none.

Q: How will we be notified about CAA record availability?

A: We will send emails to customers 

 

Q: Are you aware that the deadline is 9/2017 for this?

A: We don't have an update on it yet, but we'll get those details once it is ready.

 

Guess at this point more people need to keep bugging them till we get at least an ETA.

GoDaddy should be concerned about my SSL Labs "A" rating, for the sole reason that I am concerned about it.  If my SSL Labs rating drops below an "A", I will move all of my domains to a company that is more concerned about their clients and is willing to do what it takes to keep them happy.

 

 

I also need CAA to be supported immediately.  As noted in the above comment, I too will move all of my domains to a company more focused on security if my SSL Labs rating drops below an "A".  

Is there a date set yet when GoDaddy will be supporting CAA records???