Add a Certification Authority Authorization (CAA) Record

We would like to know if GoDaddy have plans or a time frame for implementing a Certification Authority Authorization (CAA) Record in your DNS system?

The CAA record/s allow domain owners/managers to determine which Certificate Authorities (CA) can issue certificates for their domain. Combined with your existing DNSSEC capabilities it would be very beneficial from an issuance and security perspective. Adoption from CAs to check the CAA record is still low at this stage, however, it is likely to see more widespread adoption moving forward in the short term.

P.S. I placed this under the SSL and Security location, as it is a security related issue as well. However, it would likely be better placed in a DNS category. 

43 REPLIES 43
Helper V

Re: Add a Certification Authority Authorization (CAA) Record

@ZeusDB This is something GoDaddy needs to support. Sadly, I have noticed that when it comes to new security standards GoDaddy tends to fall behind. Hopefully if enough people request this feature they will add support. Also to note, GoDaddy doesn't respect the CAA Record and will issue Certs for a domain as long as it passes Validation even if the CAA Record does not list GoDaddy/DigiCert as an authorized certificate issuer.

As an alternative you can use HTTP Public Key Pinning (HPKP).

Re: Add a Certification Authority Authorization (CAA) Record

I would also like to see this!

Re: Add a Certification Authority Authorization (CAA) Record

I would also, also like to see this.

I presume from the topic existing, there's no way to actually hand edit my zonefile here, is there?

Edit: I found the import/export - works fine but no recognition so back up to yeah - please support this.

Re: Add a Certification Authority Authorization (CAA) Record

Ditto. Please add support for DNS CAA. Initially, it's fine to limit support to the DNS system. Eventually, the GoDaddy certificate issuance system should respect existing CAA records. 

Re: Add a Certification Authority Authorization (CAA) Record

Ditto if my post adds... 🙂

Re: Add a Certification Authority Authorization (CAA) Record

Yes, please add this feature - and set up GoDaddy to respect this type of record.

Employee

Re: Add a Certification Authority Authorization (CAA) Record

Thank you for raising this issue. We evaluate updating information in the DNS on an ongoing basis. CAA is certainly something that we have been looking at. Adding to the DNS and retroactively updating millions of records is a complex operation. We evaluate each change based on market needs and technical challenges. Please stay tuned for specific updates.

Manish Vaidya,
Sr Product Manager,
Domains

Re: Add a Certification Authority Authorization (CAA) Record

Looks like dnsimple supports this already:

https://support.dnsimple.com/articles/manage-caa-record/

SSL Labs reports this as an issue (but doesn't take off points yet):

https://www.ssllabs.com/ssltest/

Maybe you could allow customers to create these records with your UI now and worry about automatically creating/validating them later?

More information:

https://support.dnsimple.com/articles/caa-record/

Re: Add a Certification Authority Authorization (CAA) Record

How is this "solved"? Please provide a solution how to add CAA records.

Re: Add a Certification Authority Authorization (CAA) Record

Is there an update to this? This got brought up in our last audit and I need to know how I can move forward. Thanks.

Re: Add a Certification Authority Authorization (CAA) Record

The CAA checking will become effective starting September 8th, 2017.

Is this feature already planned? If not, is there a workaround for the time being?

Definitely does not sound like a solved solution...

Re: Add a Certification Authority Authorization (CAA) Record

GoDaddy voted yes for making checking this mandatory, so I'm hoping you have plans to get it in soon!

https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/

Adding to the DNS and retroactively updating millions of records is a complex operation.

Huh?  No retroactive update of existing DNS resource records is needed.  CAA will only be used for new records that customers want to for that type.

Re: Add a Certification Authority Authorization (CAA) Record


@fantasticmv wrote:

Thank you for raising this issue. We evaluate updating information in the DNS on an ongoing basis. CAA is certainly something that we have been looking at. Adding to the DNS and retroactively updating millions of records is a complex operation. We evaluate each change based on market needs and technical challenges. Please stay tuned for specific updates.

Manish Vaidya,
Sr Product Manager,
Domains

Any update here? Seems like it's been 3 months since an employee responded. This is the top result when I tried to find information so I wanted to jump in and say "Hey, don't forget about this!"

Essentially, you guys are dramatically falling behind if you don't support it. It's worth switching to another company, for me, if you guys do not get it in by the end of the year. Please let us know, either way, so we can start shopping around if necessary!

Re: Add a Certification Authority Authorization (CAA) Record

Can we get some clarity on what GoDaddy is planning on this one?

I've got a security review on answer for.

Re: Add a Certification Authority Authorization (CAA) Record

Just chatted with Nelli, who referred me back to this thread. Quick update - there is none.

Q: How we will be notified about CAA record availability?

A: We will send emails to customers

Q: Are you aware that deadline is 9/2017 for this?

A: We don't have update on it yet but we'll get that details once it is ready.

Guess at this point more people need to keep bugging till we get at least ETA.

Re: Add a Certification Authority Authorization (CAA) Record

GoDaddy should be concerned about my SSL Labs "A" rating, for the sole reason that I am concerned about it. If my SSL Labs rating drops below an "A", I will move all of my domains to a company that is more concerned about their clients and is willing to do what it takes to keep them happy.

Re: Add a Certification Authority Authorization (CAA) Record

I also need CAA to be supported immediately.  As noted in the above comment, I too will move all of my domains to a company more focused on security if my SSL Labs rating drops below an "A".  

Is there a date set yet when GoDaddy will be supporting CAA records???

Re: Add a Certification Authority Authorization (CAA) Record

Vote here for CAA support with our DNS service at GoDaddy.

Re: Add a Certification Authority Authorization (CAA) Record

This missing feature needs to be resolved now. I cannot risk our rating being lowered because GoDaddy do not support this and therefore will be forced to move domains to a provider that does support CAA records.

Re: Add a Certification Authority Authorization (CAA) Record

Count me as another corporate customer who will be forced to move to another DNS provider in mid August, if GoDaddy fails to provide support for adding CAA records to our DNS by then.

Since GoDaddy voted to make this a mandatory setting, making us wait so long without any meaningful information about your plans to let us use this feature is somewhere between "bad customer relations" and "simply horrifying".

Re: Add a Certification Authority Authorization (CAA) Record

As it's been some months ahead - What are GoDaddy's plans for adding CAA record support? Even the standard tools are now supporting it.

Helper II

Re: Add a Certification Authority Authorization (CAA) Record

Pinning is a can of worms.

If you ever are so foolish as to set up Pinning, then you can never change IP addresses or better said...

Anytime you have a site visitor, while Pinning is enabled, then the Pin is cached.

If you have to change your site IP, server crashes + your hosting company moves your site or you change hosting companies, then anyone who visits your site again, will get an SSL error, because they have a Pinned Site IP cached + your Site IP has changed.

The reason CAA was developed was to fix the brokenness of Pinning.

So avoid Pinning + use CAA records instead.

Re: Add a Certification Authority Authorization (CAA) Record

Any update on this?

Re: Add a Certification Authority Authorization (CAA) Record

Yeah seriously, any reply to this? It's been half a year since this thread was posted and no reply from GoDaddy?

How difficult can it be to add 1 small/simple field to an existing piece of architecture like the hosted DNS GoDaddy provides?

This can't be more than a few dozen lines of code at max.

Why is GoDaddy taking so long to implement a simple feature? We're going to have to migrate off of GoDaddy's outdated hosted DNS because they don't support a simple feature to guarantee the security of our site.

Come on GoDaddy get your S*** together already.

Thumbs down BOOOOOOOOOOOOOOO

Re: Add a Certification Authority Authorization (CAA) Record

I agree, the support is already on the back end, or at least should be.  They should only need to add another option to the drop down box to allow the creation of that specific record type.  I mean if I can create the record in BIND with no issues on my own server why should GoDaddy not be able to.  I really wonder if they should be as big as they are if they can not make one simple change.  Sadly quite a few other DNS hosts just piggyback on GoDaddy so a significant portion of them will not support this either.

Re: Add a Certification Authority Authorization (CAA) Record

Add me to the list of wanters.

Re: Add a Certification Authority Authorization (CAA) Record

This is business critical for anyone in the need of SSL certificates. Get a move on GoDaddy please, or we have to look for another vendor!

Re: Add a Certification Authority Authorization (CAA) Record

If I host my own DNS servers and they support CAA, but I'm using a GoDaddy certificate, can I add a GoDaddy CAA record (ex: CAA 0 issue "godaddy.com"), or is there some verification process that will fail on GoDaddy's end?

Re: Add a Certification Authority Authorization (CAA) Record

GoMamaMia;

In short no. It won't break anything on GoDaddy's end. Your DNS records will reflect that GoDaddy is the assigned certificate authority for your domain. The CAA record (should) be checked upon creation of a new certificate by whatever authority is doing the issuing, so if you tried to get a certificate from another provider that supports CAA they will reject your request (CSR). However, it's horrible that A) GoDaddy doesn't provide through their DNS service a simple drop-down to allow adding this type of record and B) as far as I can tell doesn't care at all about actually enforcing checking CAA records before issuance of a certificate.

Re: Add a Certification Authority Authorization (CAA) Record

I agree, the real problem is the lack of DNS support at GoDaddy. I'm sure it's more complicated than simply adding a CAA record option, as it likely involves proxy configurations and hardware changes. But they should have provided us with a transition date by now. The only explanation is what you said...they don’t care.

Re: Add a Certification Authority Authorization (CAA) Record

Tomorrow is 9/1. We've got about one week until the September 8th deadline. This change will take some work on our part, especially administrators having to add this to several domain DNS records.

Is there any update on this?

Re: Add a Certification Authority Authorization (CAA) Record

It appears that CAA records are now available in the DNS management area.

Thank you GoDaddy!

Re: Add a Certification Authority Authorization (CAA) Record

Bug?

"An unexpected error occurred. If this issue continues, contact support."

Re: Add a Certification Authority Authorization (CAA) Record

Same

Re: Add a Certification Authority Authorization (CAA) Record

Interesting, I'm having the same error after transferring my DNS back to GoDaddy again.

Disappointing, but I hope it will be resolved soon.

Re: Add a Certification Authority Authorization (CAA) Record

Had the same bug. Found if I entered 1 for the flag (critical value) instead of 0 it stored the value 0 and allowed the record to be saved.

Since then adding CAA records in exactly the same way as I tried originally but for additional domains worked today as expected without any error, so I have to assume the reason for the error was resolved by GoDaddy between then and now. Posts below show how to enter the records.

As well, for all the domains that originally demonstrated the error and for which I used my previous workaround, I found they all appeared normal today as CAA records in my domain info, including additional entries that were host specific that I gave up on and forgot I tried to enter. I have to assume that the failed results actually worked last week even though they would not display at the time and instead only generate the error responses.

Yay it seems to now work as expected and the failed attempts appear to be present as well.

Re: Add a Certification Authority Authorization (CAA) Record

I can't seem to get a CAA record added under any circumstances, due to the error "An unexpected error occurred. If this issue continues, contact support." What entries did you put into the form at GoDaddy to make it work? The form offers several fields. Here's what I tried:

  • Type: CAA
  • Name: mydomain.com
  • Flags: issue
  • Tag: digicert.com
  • Value: 0 (and I also tried 1)
  • TTL: 1 Hour

I contacted GoDaddy support and they said this:

Ryan J. at 9:23, Sep 7:

As per checking with our team, I'm afraid this is something we don't have support as of yet.

Ryan J. at 9:24, Sep 7:

It looks like this has been raised already to our development team and currently looking to have more support on adding CAA.

Re: Add a Certification Authority Authorization (CAA) Record

Here's how to add a CAA record in GoDaddy DNS

From the domain manager, locate the domain you'd like to add a CAA record to and click the "DNS" button next to it. Once in the DNS editor, scroll down to "Add" and fill in the following:

  • Type: CAA
  • Name: @
  • Flags: 0
  • Tag: either issue, issuewild, or iodef
  • Value: your SSL provider, e.g. comodo.com OR mailto:youremail@example.com if using iodef
  • TTL: 1 hour


If you do not know which Tag and/or value to use, a good tool to use would be this CAA Record Generator.
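
Added example, not part of the original thread and not GoDaddy's code: a small Python check that maps the form fields above to a zone-file CAA line and rejects the field mix-up shown earlier in the thread (a tag typed into Flags), plus the decision a CA makes when it reads the records. The function names are hypothetical, the critical flag is taken as 128 and the decision rules follow RFC 8659; DNS lookups and climbing to parent domains are left out.

```python
import re

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # the three tags named in the thread
CRITICAL = 128                                # issuer-critical bit (RFC 8659)
HOSTNAME = re.compile(r"^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")

def _issuer(value):
    """CA domain part of an issue/issuewild value, without ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def zone_line(name, flags, tag, value, ttl=3600):
    """Validate the form fields and return the record in zone-file syntax."""
    if isinstance(flags, bool) or not isinstance(flags, int) or not 0 <= flags <= 255:
        raise ValueError(f"Flags must be a number from 0 to 255, got {flags!r}")
    tag = str(tag).lower()
    if tag not in KNOWN_TAGS:
        raise ValueError(f"Tag must be one of {sorted(KNOWN_TAGS)}, got {tag!r}")
    if tag == "iodef":
        if not re.match(r"^(mailto:|https?://)\S+$", value):
            raise ValueError(f"iodef value must be a mailto: or http(s) URL, got {value!r}")
    elif _issuer(value) and not HOSTNAME.match(_issuer(value)):
        # An empty issuer (value ";") is valid and means "no CA may issue".
        raise ValueError(f"Value must be the CA's domain, got {value!r}")
    return f'{name} {ttl} IN CAA {flags} {tag} "{value}"'

def ca_may_issue(rrset, ca_domain, wildcard=False):
    """CA-side check over one relevant RRset of (flags, tag, value) tuples."""
    # A critical record whose tag the CA does not understand blocks issuance.
    if any(f & CRITICAL and t.lower() not in KNOWN_TAGS for f, t, _ in rrset):
        return False
    def issuers(tag):
        return [_issuer(v) for _, t, v in rrset if t.lower() == tag]
    # issuewild, when present, replaces issue for wildcard requests only.
    allowed = (issuers("issuewild") if wildcard else []) or issuers("issue")
    if not allowed:            # no restricting records: CAA does not limit issuance
        return True
    return ca_domain.lower() in allowed

# Constructed sample: the record quoted in the thread plus a wildcard lockout.
SAMPLE = [(0, "issue", "godaddy.com"), (0, "issuewild", ";"),
          (0, "iodef", "mailto:youremail@example.com")]

if __name__ == "__main__":
    for flags, tag, value in SAMPLE:
        print(zone_line("@", flags, tag, value))
    print(ca_may_issue(SAMPLE, "godaddy.com"), ca_may_issue(SAMPLE, "comodo.com"))
```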

Re: Add a Certification Authority Authorization (CAA) Record

An unexpected error occurred. If this issue continues, contact support.

Re: Add a Certification Authority Authorization (CAA) Record


@WolvTech wrote:

An unexpected error occurred. If this issue continues, contact support.

It still creates the CAA record.  If you refresh you will see it listed.  However if you use "@" for the name instead of yourdomainname.com then you will not get an error.  It is confusing, but it seems to correct the name issue for you.  It just throws an error also.

Re: Add a Certification Authority Authorization (CAA) Record

If there is already a CNAME with the same name as the CAA record you are trying to create, you must delete the CNAME, add the CAA record, and add an A record to the IP that the CNAME was redirected to. Not sure if this is by design or a workaround.

Re: Add a Certification Authority Authorization (CAA) Record

What does the CAA tell the webmaster or IT admins exactly? I used to do a ton of html coding and am back to the site building and really liking WordPress, However I don’t really know where you go to get schooled on all of the new security standards & protocols from back in the early 2000s when I last designed a functional site with shopping cart & integrated inventory tracking software for a diamond broker out of NYC & Israel, but a lot has changed and I’m seeing many of you request the CAA be added to GoDaddy on these forums. Forgive my ignorance and rustiness with site building, but I guess I’m asking what it adds to a site & what it keeps out or in since it seems to be a security related issue?
Working on my new venture in E-Commerce as http://wearestairs.com which we are still building
Moderator
Solution

Re: Add a Certification Authority Authorization (CAA) Record

As mentioned in previous replies, it is possible to add a CAA record through GoDaddy DNS.  Please check out the following article for instructions on how to add a CAA record: https://www.godaddy.com/help/add-a-caa-record-27288.