DNS CAA record on Network solutions

Question

neufuse    3,551

Does anyone know how to set up a CAA record with Network Solutions as your DNS vendor? They don't have that specific field, so I'm limited to TXT fields (which they use for SPF and other types).

 

Do I just set up a record like this? (This is assuming Network Solutions is our cert vendor.)

 

@ 3600  TXT "0 issue \";\""

@ 3600  TXT "0 issuewild \"networksolutions.com\""

@ 3600 TXT  "0 iodef \"mailto:recipient@mydomain.com\""

 

That would prevent CAs from issuing certs that aren't wildcards and aren't from Network Solutions, with violations reported to the specified email address.

17 answers to this question

Recommended Posts

+BudMan    3,395

Yeah, that sounds like BS to me... but sure, set it up and then do the query.

 

I have it set on a domain I got to let my friends and family hit my Ombi request site, run for my Plex server hosted on my NAS, running on an Ubuntu VM.

[screenshot: caa.png, CAA records in the DNS panel]

 

Also run DNSSEC; DNS is just hosted on Namecheap.

 

So sure, go ahead and try it, and then query it, or better yet test with https://www.ssllabs.com/index.html

 

[screenshot: CAAtest.png, SSL Labs CAA test result]

 

Why not just move to a DNS service that actually supports current specs: DNSSEC, CAA, etc.?

 

You doing DNSSEC? Test that here:

http://dnsviz.net/

And then validate EDNS compliance here:

https://ednscomp.isc.org/ednscomp

 

Network Solutions is overpriced and WAY BEHIND the times!!!

 

+BudMan    3,395

Pretty sure they have to support the record type. It's not a TXT record, it's a CAA record.

neufuse    3,551
1 hour ago, BudMan said:

Pretty sure they have to support the record type. It's not a TXT record, it's a CAA record.

That's what I was thinking too, but their support said they support it and that CAA has to be entered as TXT on their site... but they wouldn't give any help on how exactly they expected that to be done... and I found another site saying to do it that way also... so even though it made no sense, I thought, maybe?

 

Edit:

Just found another site saying the same thing, ugh:

 

https://www.thesslstore.com/knowledgebase/caa-records/how-to-add-a-caa-record-on-network-solutions/

neufuse    3,551
10 hours ago, BudMan said:

Yeah, that sounds like BS to me... but sure, set it up and then do the query.


Yeah, I've been trying to get the company to move off of NS for a while, but trying to get people in a corporate environment to move is a pain in the ass....

 

We do have DNSSEC, just not the CAA record yet. Might just go to HPKP if I can't get a move going... riskier to set up, but at least it mitigates most man-in-the-middle attacks.

+BudMan    3,395

To be honest, HPKP is deprecated; I wouldn't go there.

https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browser_support_and_deprecation

 

And yeah, I know exactly how much of a PITA it can be to move the corp to current standards ;) Try it when you're the MSP, and you're working with crap, but they don't want to hear it, and/or your support was forced upon the LBU by the corp they are under, etc. So they don't like you anyway ;)

 

I assume your domain(s) are with NS; how about leaving them there and just moving your DNS to a DNS provider that supports current features?

neufuse    3,551
13 hours ago, BudMan said:

To be honest, HPKP is deprecated; I wouldn't go there.


Yeah, I am looking at failover DNS providers already because of another project... so I'm probably going to use that as an excuse to get a better one... (We have multiple fiber lines but no BGP, so we want to have our public portal sites run on IPs on each ISP, with round robin and failover when one ISP goes down.)

neufuse    3,551
On 3/26/2019 at 8:18 AM, BudMan said:

To be honest, HPKP is deprecated; I wouldn't go there.


And thanks for the HPKP deprecation links; our security consultant is pushing for us to implement this... but if Expect-CT is the new route, I have to push back on that now too.

+BudMan    3,395

Your security consultant is pushing you toward a deprecated standard? Yeah, find a new guy would be my advice!

 

And to be honest, HPKP could be very dangerous to implement, and you could really break your own domain, etc.

neufuse    3,551

Well, I just migrated us from NS to Azure DNS. We already had an Azure tenant for other things, so it made sense to use what we have... already 100X better than NS....

neufuse    3,551
On 4/1/2019 at 2:21 PM, BudMan said:

Your security consultant is pushing you toward a deprecated standard? Yeah, find a new guy would be my advice!

 

And to be honest, HPKP could be very dangerous to implement, and you could really break your own domain, etc.

To be fair, some of the big names in security are still pushing HPKP for some reason too. Guess they are still a bit scared of Expect-CT's implementation since it's newer? Not sure.

+BudMan    3,395

I don't show Azure DNS supporting DNSSEC? Not the best choice, but yeah, it has to be way better than NS.

neufuse    3,551
38 minutes ago, BudMan said:

I don't show Azure DNS supporting DNSSEC? Not the best choice, but yeah, it has to be way better than NS.

Yeah, it's just a temporary move from NS since we already have a tenant, until we have time to do an assessment of other providers.

 

I do find it odd that a large provider like Azure doesn't support DNSSEC yet, but it's on their list of coming features.

+BudMan    3,395

I am disappointed by many of these major players' DNS support, both Azure and AWS... Think they are more concerned with how to increase the number of queries to up their bills than anything else ;)

 

You can check out https://dyn.com/

or https://ns1.com/

 

They should have everything you could need with dns.

Paul2018    0
On 3/26/2019 at 12:26 AM, neufuse said:

Does anyone know how to set up a CAA record with Network Solutions as your DNS vendor? They don't have that specific field, so I'm limited to TXT fields (which they use for SPF and other types).

 

Do I just set up a record like this? (This is assuming Network Solutions is our cert vendor.)

 

@ 3600  TXT "0 issue \";\""

@ 3600  TXT "0 issuewild \"networksolutions.com\""

@ 3600 TXT  "0 iodef \"mailto:recipient@mydomain.com\""

 

If the cert vendor is Let's Encrypt, would the TXT record only be like below?
 

@ 3600  TXT "0 issue \"letsencrypt.org\""

 

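Worked example of what the OP's three records and Paul2018's single Let's Encrypt record would actually permit, added here as an illustration for this thread (it is not code posted by anyone in it). It applies the RFC 8659 rules for which records are relevant to a request and how an issuer domain is matched: issue governs non-wildcard names, issuewild overrides issue for wildcard names only, no relevant records means no restriction, and a value of ";" names nobody. The identifiers networksolutions.com and letsencrypt.org are taken from the posts above and are assumed to be the strings those CAs check for; mydomain.com is the OP's placeholder. It also renders the records with the real CAA RR type, since that is what a zone needs rather than a TXT record carrying the same text.

```python
"""Added example: evaluate a CAA policy the way a CA must (RFC 8659).

Not code from the thread. CA identifiers (networksolutions.com,
letsencrypt.org) are taken from the posts and assumed to be what those
CAs actually match against; mydomain.com is the OP's placeholder.
"""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) = issuer critical
    tag: str     # issue / issuewild / iodef
    value: str   # issuer domain with optional ";params", or ";" for "nobody"


def parse_presentation(text: str) -> CAARecord:
    """Parse '<flags> <tag> "<value>"', the zone-file form of a CAA RR."""
    flags, tag, value = text.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


def zone_lines(records, owner="@", ttl=3600):
    """Render with the real CAA RR type; a TXT record with this text is not CAA."""
    return [f'{owner} {ttl} IN CAA {r.flags} {r.tag} "{r.value}"' for r in records]


def _issuer_domain(value: str) -> str:
    # value = [issuer-domain] *WSP [";" parameters]; ";" alone yields "".
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(records, ca_domain: str, wildcard: bool) -> bool:
    """True if `ca_domain` may issue for the name that owns `records`.

    issuewild overrides issue only for wildcard names; an empty relevant set
    means no restriction; a relevant set that names nobody (";") forbids all.
    """
    for r in records:
        if r.flags & 0x80 and r.tag not in KNOWN_TAGS:
            return False  # critical property we do not understand: must refuse
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    allowed = {_issuer_domain(r.value) for r in relevant} - {""}
    return ca_domain.lower() in allowed


def iodef_targets(records):
    """Where a CA should report a refused request (mailto: or https: URLs)."""
    return [r.value for r in records if r.tag == "iodef"]


if __name__ == "__main__":
    op = [parse_presentation(s) for s in (
        '0 issue ";"',
        '0 issuewild "networksolutions.com"',
        '0 iodef "mailto:recipient@mydomain.com"',
    )]
    print("\n".join(zone_lines(op)))
    for ca, wild in [("networksolutions.com", False),
                     ("networksolutions.com", True),
                     ("letsencrypt.org", True)]:
        print(ca, "wildcard" if wild else "non-wildcard", ca_may_issue(op, ca, wild))
```

Run as-is and the OP's policy comes out as: nobody may issue a non-wildcard certificate (not even networksolutions.com, because issue is ";"), and only networksolutions.com may issue wildcards. Paul2018's single record ('0 issue "letsencrypt.org"') permits letsencrypt.org for both wildcard and non-wildcard names, because with no issuewild record the issue set applies to wildcards too.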
+BudMan    3,395

A TXT record is not a CAA record.

 

Those instructions found for network solutions are just nonsense.

 

The OP never came back on whether he had tested them or not, but I would be willing to bet some serious coin that it's just nonsense. CAA is a specific type of RR; it's not just a TXT record. Now, could they have done something really wonky where if a CAA is looked for they return a TXT? I guess, but I highly doubt it.

 

Those instructions are not actually on Network Solutions' support site; some 3rd-party site with just nonsense instructions, if you ask me.

 

 

neufuse    3,551
On 5/20/2019 at 5:42 AM, BudMan said:

A TXT record is not a CAA record.


Yeah, the TXT records are just junk. I don't know why all these sites have them as valid instructions... You need to have a specific record type of CAA, or a TYPE257 record type; 257 is done a little bit differently than a straight-out CAA record.

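To do the query BudMan suggests, and to show what neufuse means by a TYPE257 record being entered differently from a plain CAA record, here is an added example (not code from this thread) that builds a raw CAA query with only the Python standard library, parses the answer section of a DNS response, and renders each CAA RDATA both as normal presentation text and in the RFC 3597 generic form (TYPE257 \# <length> <hex>) that a panel without a native CAA field would expect. The response bytes decoded in the demo are constructed inline for mydomain.com rather than captured from a server; udp_send() and the 9.9.9.9 resolver address are assumptions for anyone who wants to run it against live DNS.

```python
"""Added example: a CAA lookup on the wire, with only the standard library.

Not code from the thread. Builds a DNS query for QTYPE 257 (CAA), parses the
answer section of a response, and renders each CAA RDATA as presentation text
and in RFC 3597 generic form (TYPE257 \\# <len> <hex>). The demo response is
built inline for mydomain.com; udp_send() and 9.9.9.9 are assumptions.
"""
import socket
import struct

CAA_TYPE = 257   # RR type number for CAA
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """'mydomain.com' -> b'\\x08mydomain\\x03com\\x00' (uncompressed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header with RD=1 and one question: <name> IN CAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", CAA_TYPE, CLASS_IN)


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """RFC 8659 s4.1 wire layout: flags(1) taglen(1) tag value."""
    t = tag.encode("ascii")
    return bytes([flags, len(t)]) + t + value.encode("utf-8")


def decode_caa_rdata(rdata: bytes):
    flags, taglen = rdata[0], rdata[1]
    return flags, rdata[2:2 + taglen].decode("ascii"), rdata[2 + taglen:].decode("utf-8")


def presentation(rdata: bytes) -> str:
    """Normal zone-file text for one CAA RDATA."""
    flags, tag, value = decode_caa_rdata(rdata)
    return f'CAA {flags} {tag} "{value}"'


def generic_form(rdata: bytes) -> str:
    """Unknown-type syntax from RFC 3597: TYPE257 \\# <rdlength> <hex>."""
    return f"TYPE257 \\# {len(rdata)} {rdata.hex()}"


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, whether labels, a compression pointer, or both."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + n


def parse_caa_answers(msg: bytes):
    """Return [(flags, tag, value)] for every CAA RR in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    found = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == CAA_TYPE:
            found.append(decode_caa_rdata(msg[off:off + rdlen]))
        off += rdlen
    return found


def build_response(name: str, records, txid: int = 0x1234, ttl: int = 3600) -> bytes:
    """Constructed answer packet (stands in for a real server in the demo)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    body = encode_name(name) + struct.pack("!HH", CAA_TYPE, CLASS_IN)
    for flags, tag, value in records:
        rd = caa_rdata(flags, tag, value)
        body += b"\xc0\x0c" + struct.pack("!HHIH", CAA_TYPE, CLASS_IN, ttl, len(rd)) + rd
    return header + body


def udp_send(query: bytes, server: str = "9.9.9.9", timeout: float = 3.0) -> bytes:
    """Send a query to a recursive resolver (assumed address) and return the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)


if __name__ == "__main__":
    demo = build_response("mydomain.com", [(0, "issue", ";"),
                                           (0, "issuewild", "networksolutions.com")])
    for flags, tag, value in parse_caa_answers(demo):
        rd = caa_rdata(flags, tag, value)
        print(presentation(rd), "  ==  ", generic_form(rd))
```

The point of the generic form is that the hex is the exact RDATA a CAA-aware resolver returns, so a record entered as TYPE257 \# 8 000569737375653b is a real CAA RR; a TXT record holding the text 0 issue ";" is type 16 and is never consulted by a CA. To check a live zone, replace the demo with parse_caa_answers(udp_send(build_query("yourdomain.example"))).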
+BudMan    3,395

I don't believe it's "sites"; it's just the 1 site I see with those junk instructions.

 

If you need/want to set up a CAA record, then you need to get with whoever is providing DNS for your domain on how to do it (if possible), if they do not have a simple CAA record feature in the DNS management system you have access to.

 

Thinking that some 3rd-party site is going to provide you instructions on how to do something when the actual host of your DNS does not provide the instructions themselves is highly unlikely!

 

I take it the instructions were done on purpose to try and get unsuspecting people into buying SSL from them? Or just written by someone that doesn't have a clue and was "trying" to be helpful... The shame is that it's like the first Google hit for CAA on Network Solutions.

 

Example: I recently moved one of my domains' DNS to Cloudflare. Here is where you can create CAA records on their system:

[screenshot: example.png, Cloudflare CAA record form]

 

Here is Namecheap, for example:

[screenshot: namecheap.png, Namecheap CAA record form]
