Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1541628
Description of problem: Certification Authority Authorization (CAA) DNS Resource Records are a way to strengthen PKI. They give control over which CA is allowed to issue certs for a particular domain.

Version-Release number of selected component (if applicable): 4.5 (and upstream 4.6.3)

How reproducible: Always

Steps to Reproduce:
1. ipa dnsrecord-add --help and not seeing an option to add CAA RR Type

Actual results:
ipa dnsrecord-add --help|grep CAA && echo "Parameter available" || echo "Parameter not available"
Parameter not available

Expected results:
ipa dnsrecord-add --help|grep CAA && echo "Parameter available" || echo "Parameter not available"
Parameter available

Additional info: Please also see https://tools.ietf.org/html/rfc6844 and https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
The ISC Bind version delivered with RHEL7 (9.9.4) does currently not support CAA; it was introduced with version 9.10.1B, see https://www.isc.org/blogs/certificate-authority-authorization-records/
Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1541628
Closed https://pagure.io/freeipa/issue/7802 as a duplicate
From 7802: CAA is defined in https://tools.ietf.org/html/rfc6844 . bind-dyndns-ldap doesn't support CAA records yet. The LDAP attribute definition should look like this:
attributeTypes: ( 1.3.6.1.4.1.2428.20.1.257 NAME 'CAARecord' DESC 'Certification Authority Restriction, RFC 6844' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch )
WIP branch: https://github.com/abbra/freeipa/commits/caa-record-support
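As an added example (not FreeIPA or bind-dyndns-ldap code), the following Python parses a CAA record in the RFC 6844 presentation form (flags, tag, quoted value), validates the flags range and the issuer value, encodes the RDATA wire format, and collects validated values under the CAARecord attribute name proposed above. The function names parse_caa, to_wire and to_ldap_attr and the sample records are my own.

```python
import re
import struct

CRITICAL_FLAG = 0x80  # RFC 6844 section 5.1 "issuer critical" bit

# <flags> <tag> "<value>"; tags are ASCII alphanumeric, value is quoted
_PRESENTATION = re.compile(r'^(\d{1,3})\s+([A-Za-z0-9]{1,255})\s+"([^"]*)"$')


def _is_issuer(value):
    # issuer-domain-name, optionally followed by ";name=value" parameters
    domain = value.split(";", 1)[0].strip()
    return bool(re.match(r"^[A-Za-z0-9.-]+$", domain))


def parse_caa(text):
    """Parse one CAA RR in presentation format.

    Returns (flags, tag, value); raises ValueError on malformed input so
    that a bad record is rejected before it ever reaches LDAP.
    """
    m = _PRESENTATION.match(text.strip())
    if not m:
        raise ValueError("malformed CAA record: %r" % text)
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError("flags must be 0..255, got %d" % flags)
    tag = m.group(2).lower()  # tags are case-insensitive
    value = m.group(3)
    # ";" alone means "no CA may issue" (RFC 6844 section 5.2)
    if tag in ("issue", "issuewild") and value != ";" and not _is_issuer(value):
        raise ValueError("bad issuer-domain-name in %s: %r" % (tag, value))
    return flags, tag, value


def to_wire(flags, tag, value):
    """RDATA wire format: flags (1 octet), tag length (1 octet), tag, value."""
    tag_b = tag.encode("ascii")
    return struct.pack("!BB", flags, len(tag_b)) + tag_b + value.encode("utf-8")


def to_ldap_attr(records):
    """Build the multi-valued attribute a bind-dyndns-ldap entry would carry.

    The attribute name CAARecord follows the schema proposed in the ticket;
    the values are the validated presentation strings, normalised.
    """
    return {"CAARecord": ['%d %s "%s"' % parse_caa(r) for r in records]}
```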