Adding CAA records to Azure DNS

16 November 2017 Microsoft introduced CAA records for the Azure Public DNS. At this moment you can only add CAA records to Azure DNS using the Azure REST API, PowerShell or CLI. This example code will help you in adding CAA records to Azure DNS.

In this video I will add CAA records to a new DNS Zone using the Azure Cloud Shell:

(CAA) Certificate Authority Authorization

Domain owners can whitelist CAs allowing specified CAs to issue SSL certificates.

CAA will prevent malicious certificates being issued for your domains. You can provide a email address, CAs will notify the specified email address if a violation is detected. As a domain owner to advertise your whitelist you’ll have to add a few new DNS records to your DNS configuration.

CAA checking for CAs is Mandatory!

CAs have to check for CAA records starting 8 September 2017.

Source: https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/

CAs are permitted to treat a record lookup failure as permission to issue if:

  • the failure is outside the CA’s infrastructure;
  • the lookup has been retried at least once; and
  • the domain’s zone does not have a DNSSEC validation chain to the ICANN root.

Source: https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/

Unfortunately, Azure DNS does not have DNSSEC support yet.

 

You can generate your valid CAA recordset using this great tool: https://sslmate.com/caa/.

To verify your CAA records, you can use DNSspy.io.
To check your SSL  implementation I suggest using SSLlabs.

Leave a Reply

Your email address will not be published. Required fields are marked *