CAA record not being returned by name servers

  • Question

  • I logged a question on ServerFault on Friday regarding CAA records. This is the same text.

    CAA records were introduced to Azure DNS in November 2017.

    Today, I attempted to add one to a new DNS zone I created in US East 2.

    I used the cloud PowerShell so I wouldn't have to wrestle with AzureRM module version problems.

    # Build the three CAA records (flags, tag, value) that will make up the recordset
    $records = @()
    $records += New-AzureRmDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "issuernumberone.com"
    $records += New-AzureRmDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "issuernumbertwo.org"
    $records += New-AzureRmDnsRecordConfig -Caaflags 0 -CaaTag "iodef" -CaaValue "mailto:me@mydomain.com"
    # Create the recordset with the relative name "caa" (i.e. caa.mydomain.com) and a one-hour TTL
    New-AzureRmDnsRecordSet -Name "caa" -RecordType CAA -ZoneName mydomain.com -ResourceGroupName DNS-rg -Ttl 3600 -DnsRecords $records
    
    # Read the recordset back from Azure DNS
    Get-AzureRmDnsRecordSet -RecordType CAA -ZoneName mydomain.com -ResourceGroupName DNS-rg
    

    The commands all worked flawlessly. I was able to create and save the recordset. I was able to retrieve the recordset.

    But dig tells another story.

    $ dig mydomain.com @ns1-03.azure-dns.com. CAA
    
    ; <<>> DiG 9.10.3-P4 <<>> mydomain.com @ns1-03.azure-dns.com. CAA
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51663
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4000
    ;; QUESTION SECTION:
    ;mydomain.com.                        IN      CAA
    
    ;; AUTHORITY SECTION:
    mydomain.com.         300     IN      SOA     ns1-03.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 300
    
    ;; Query time: 39 msec
    ;; SERVER: 40.90.4.3#53(40.90.4.3)
    ;; WHEN: Fri Apr 06 16:29:56 Central Daylight Time 2018
    ;; MSG SIZE  rcvd: 126
    

    I have other DNS providers with working CAA records. These results are not correct. I also tried with "type257" instead of CAA.

    Furthermore, the CAA record type does not appear in the Azure DNS portal blade.


    • Edited by lsilverman Tuesday, April 10, 2018 12:16 AM Removing snark
    Monday, April 9, 2018 3:47 PM

Answers

  • Hello @lsilverman,

    In your example you have created a CAA recordset with name "caa", but in your dig command you are actually using just the zone name (mydomain.com) instead of the recordset name (caa.mydomain.com). If you read the documentation for the dig command, it expects you to provide the recordset name, not the zone name. So you should modify your command to use, for example, "dig caa.mydomain.com @ns1-03.azure-dns.com. CAA".


    • Marked as answer by lsilverman Monday, April 9, 2018 10:43 PM
    Monday, April 9, 2018 10:38 PM
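    The point of the answer is that a recordset named "caa" lives at caa.mydomain.com, and a certificate authority checking mydomain.com never looks there. The following is an added example, not code from the thread, from Azure or from dig: a small Python model of the CAA lookup (RFC 8659 section 3: start at the requested name and climb toward the root, the first owner name with CAA records supplies the relevant set) and of the issuance check against "issue", "issuewild" and "iodef" records, plus the type-257 wire encoding (flags, tag length, tag, value) that the "type257" query in the question refers to. The function names, the constructed zones ZONE_WRONG and ZONE_RIGHT (the thread's three records placed under "caa" and at the apex), and the omission of CNAME/DNAME handling are all assumptions of this example.

```python
# Added example (not from the thread, Azure or dig): a model of the CAA lookup
# and issuance check described in RFC 8659, used to show why records placed at
# "caa.mydomain.com" never apply to "mydomain.com" or "www.mydomain.com".
from dataclasses import dataclass
import struct

CRITICAL = 0x80  # RFC 8659 "issuer critical" flag bit (bit 7 of the flags byte)


@dataclass(frozen=True)
class CAA:
    flags: int   # 0..255; the thread's records all use 0
    tag: str     # "issue", "issuewild" or "iodef" (other tags are possible)
    value: str

    def to_wire(self) -> bytes:
        """RDATA of a type-257 record: flags byte, tag length byte, tag, value."""
        tag = self.tag.encode("ascii")
        return struct.pack("!BB", self.flags, len(tag)) + tag + self.value.encode("utf-8")

    @classmethod
    def from_wire(cls, rdata: bytes) -> "CAA":
        flags, tag_len = struct.unpack("!BB", rdata[:2])
        tag = rdata[2:2 + tag_len].decode("ascii")
        return cls(flags, tag, rdata[2 + tag_len:].decode("utf-8"))


def _norm(name: str) -> str:
    """Canonical owner name: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def relevant_caa_set(zone: dict, fqdn: str) -> list:
    """RFC 8659 section 3: start at fqdn and climb to the root; the first owner
    name that has CAA records supplies the relevant set.
    Assumption: CNAME/DNAME indirection is not modelled here."""
    labels = _norm(fqdn).split(".")
    while labels:
        owner = ".".join(labels)
        if zone.get(owner):
            return list(zone[owner])
        labels.pop(0)  # move up to the parent name
    return []


def _issuer_domain(value: str) -> str:
    """An issue/issuewild value is 'issuer-domain-name [; parameters]'."""
    return _norm(value.split(";", 1)[0].strip())


def issuance_allowed(zone: dict, fqdn: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Would a CA identified by ca_domain be permitted to issue for fqdn?"""
    rrs = relevant_caa_set(zone, fqdn)
    if not rrs:
        return True  # no CAA records anywhere up the tree: no restriction
    # A critical record with a tag this issuer does not understand forbids issuance.
    if any(r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef") for r in rrs):
        return False
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrs):
        tag = "issuewild"  # issuewild takes precedence for wildcard requests
    restricting = [r for r in rrs if r.tag == tag]
    if not restricting:
        return True  # only iodef (reporting) records present: issuance not restricted
    return _norm(ca_domain) in {_issuer_domain(r.value) for r in restricting}


# Constructed zone data mirroring the thread: the same three records first
# published under the relative name "caa" (the mistake) and then at the apex "@".
RECORDS = (
    CAA(0, "issue", "issuernumberone.com"),
    CAA(0, "issue", "issuernumbertwo.org"),
    CAA(0, "iodef", "mailto:me@mydomain.com"),
)
ZONE_WRONG = {"caa.mydomain.com": RECORDS}   # -Name "caa"
ZONE_RIGHT = {"mydomain.com": RECORDS}       # -Name "@"
NAMES = ("mydomain.com", "www.mydomain.com", "caa.mydomain.com")


def demo(ca_domain: str = "some-other-ca.example") -> tuple:
    """For each name, would an unlisted CA be allowed to issue under each zone layout?"""
    wrong = {n: issuance_allowed(ZONE_WRONG, n, ca_domain) for n in NAMES}
    right = {n: issuance_allowed(ZONE_RIGHT, n, ca_domain) for n in NAMES}
    return wrong, right


if __name__ == "__main__":
    wrong, right = demo()
    print("records under 'caa':", wrong)   # apex and www are unprotected
    print("records at '@':     ", right)   # every name in the zone is covered
```

With the records under "caa", the unlisted CA is only refused for caa.mydomain.com and names below it; with the records at "@", the refusal covers the apex and every subdomain that has no CAA records of its own, which is the behaviour the question was after. The same walk is why dig against the apex returned only the SOA: nothing was published at that owner name.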

All replies

  • Ugh. I'm trying to put a record on the domain. So I need -name "*". My mistake. (EDIT: Should be "@", not "*")
    • Edited by lsilverman Tuesday, April 10, 2018 12:04 AM fixing
    Monday, April 9, 2018 10:43 PM
  • No worries. Note that if you want the CAA record at the zone apex, you need the recordset name to be "@", not "*".
    Monday, April 9, 2018 10:48 PM
  • Perfect, thanks.
    Tuesday, April 10, 2018 12:04 AM