neufuse (Veteran), posted March 25, 2019 (edited):

Does anyone know how to set up a CAA record with Network Solutions as your DNS vendor? They don't have that specific field, so I'm limited to TXT fields (which they use for SPF and other types). Do I just set up a record like this? (This is assuming Network Solutions is our cert vendor.)

    @ 3600 TXT "0 issue 0 issue \";\""
    @ 3600 TXT "0 issuewild \"networksolutions.com\""
    @ 3600 TXT "0 iodef \"mailto:recipient@mydomain.com\""

That would prevent CAs from issuing certs that aren't wildcards and not from Network Solutions, with violations going to the specified email address.
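Added example, not code from the thread or from any poster: a small Python model of how a CA evaluates CAA records under RFC 8659, so a policy like the one in the post above can be checked before it is published. The zone contents, the names mydomain.example and api.mydomain.example, and the CA domains are constructed assumptions. It models the climb from the requested name to the nearest ancestor that has CAA records, the issue/issuewild split, the empty-issuer value ";", and the critical flag; it also goes beyond the post's single case by handling a per-name override and an issuer value that carries RFC 8659 parameters. The dictionary holds CAA-type records only: a CA queries type 257, so a TXT record containing the same text is never consulted.

```python
"""Model of how a CA evaluates CAA (RFC 8659) before issuing for a name.

The records a CA consults are type 257 (CAA) only; a TXT record holding the
same text is never looked at.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple

class CAA(NamedTuple):
    flags: int   # bit 0x80 = issuer critical
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # CA domain (optionally "; param=value"); ";" alone = no CA

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample zone (an assumption, not real DNS data): owner name -> CAA RRs.
SAMPLE_ZONE: Dict[str, List[CAA]] = {
    "mydomain.example": [
        CAA(0, "issue", ";"),                          # nobody may issue non-wildcard certs
        CAA(0, "issuewild", "networksolutions.com"),   # only this CA may issue wildcards
        CAA(0, "iodef", "mailto:recipient@mydomain.example"),
    ],
    "api.mydomain.example": [
        CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    ],
}

def relevant_rrset(zone: Dict[str, List[CAA]], fqdn: str) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 section 3: walk from the requested name towards the root and
    use the first owner that has any CAA records.  Names without CAA do not
    stop the climb, so www.mydomain.example inherits mydomain.example's set."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, list(zone[owner])
    return None, []

def _issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(zone: Dict[str, List[CAA]], fqdn: str, ca_domain: str,
              wildcard: bool = False) -> Tuple[bool, str]:
    """Would a conforming CA identified by ca_domain issue for fqdn
    (or for *.fqdn when wildcard=True)?  Returns (decision, reason)."""
    if not ca_domain:
        raise ValueError("ca_domain must be the CA's CAA identifier, e.g. letsencrypt.org")
    owner, rrs = relevant_rrset(zone, fqdn)
    if not rrs:
        return True, "no CAA records in scope: any CA may issue"
    for rr in rrs:
        # A critical record the CA does not understand forbids issuance outright.
        if rr.flags & 0x80 and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag {rr.tag!r} at {owner}"
    issue = [rr for rr in rrs if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrs if rr.tag.lower() == "issuewild"]
    # issuewild governs wildcard requests only when present; otherwise issue does.
    if wildcard and issuewild:
        tag, governing = "issuewild", issuewild
    else:
        tag, governing = "issue", issue
    if not governing:
        return True, f"no {tag} records at {owner}: any CA may issue"
    permitted = {_issuer_domain(rr.value) for rr in governing}
    if ca_domain.lower() in permitted:
        return True, f"{ca_domain} is listed in {tag} at {owner}"
    return False, f"{ca_domain} is not in the {tag} set {sorted(permitted)} at {owner}"

if __name__ == "__main__":
    for name, ca, wild in [("www.mydomain.example", "networksolutions.com", False),
                           ("www.mydomain.example", "networksolutions.com", True),
                           ("api.mydomain.example", "letsencrypt.org", False)]:
        print(name, ca, "wildcard" if wild else "plain", may_issue(SAMPLE_ZONE, name, ca, wild))
```

With the sample zone, a non-wildcard request for www.mydomain.example is refused for every CA (the issue set contains only the empty issuer), a wildcard request is accepted only for networksolutions.com, and api.mydomain.example has its own issue record that overrides the parent's for both plain and wildcard requests because no issuewild record exists at that name.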
BudMan (MVC), posted March 25, 2019:

Pretty sure they have to support the record type. It's not a TXT record, it's a CAA record.
neufuse (Veteran), posted March 26, 2019 (edited):

1 hour ago, BudMan said:
    Pretty sure they have to support the record type. It's not a TXT record, it's a CAA record.

That's what I was thinking too, but their support said they support it and CAA has to be entered as TXT on their site... but they wouldn't give any help on how exactly they expected that to be done... and I found another site saying to do it that way also... so even though it made no sense, I thought, maybe?

Edit: just found another site saying the same thing, ugh: https://www.thesslstore.com/knowledgebase/caa-records/how-to-add-a-caa-record-on-network-solutions/
BudMan (MVC), posted March 26, 2019:

Yeah, that sounds like BS to me... But sure, set it up and then do the query. I have it set on a domain I got to allow my friends and family to hit my Ombi request site, run for my Plex server hosted on my NAS, running on a Ubuntu VM. I also run DNSSEC; DNS is just hosted on Namecheap.

So sure, go ahead and try it, and then query it, or better yet test with https://www.ssllabs.com/index.html

Why not just move to a DNS service that actually supports current specs, DNSSEC, CAA, etc., etc.?

You doing DNSSEC? Test that here: http://dnsviz.net/
And then validate EDNS compliance here: https://ednscomp.isc.org/ednscomp

Network Solutions is overpriced and WAY BEHIND the times!!!
neufuse (Veteran), posted March 26, 2019:

10 hours ago, BudMan said:
    Yeah, that sounds like BS to me... But sure, set it up and then do the query. I have it set on a domain I got to allow my friends and family to hit my Ombi request site, run for my Plex server hosted on my NAS, running on a Ubuntu VM. I also run DNSSEC; DNS is just hosted on Namecheap. So sure, go ahead and try it, and then query it, or better yet test with https://www.ssllabs.com/index.html Why not just move to a DNS service that actually supports current specs, DNSSEC, CAA, etc., etc.? You doing DNSSEC? Test that here: http://dnsviz.net/ And then validate EDNS compliance here: https://ednscomp.isc.org/ednscomp Network Solutions is overpriced and WAY BEHIND the times!!!

Yeah, I've been trying to get the company to move off of NS for a while, but trying to get people in a corporate environment to move is a pain in the ass.... We do have DNSSEC, just not the CAA record yet. Might just go to HPKP if I can't get a move going... riskier to set up, but at least it mitigates most man-in-the-middle attacks.
BudMan (MVC), posted March 26, 2019:

To be honest, HPKP is deprecated; I wouldn't go there.
https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browser_support_and_deprecation

And yeah, I know exactly how much of a PITA it can be to move the corp onto current standards. Try it when you're the MSP, and you're working with crap, but they don't want to hear it, and/or your support was forced upon the LBU by the corp they are under, etc., so they don't like you anyway.

I assume your domain(s) are with NS; how about leaving them there and just moving your DNS to a DNS provider that supports current features?
neufuse (Veteran), posted March 27, 2019:

13 hours ago, BudMan said:
    To be honest, HPKP is deprecated; I wouldn't go there. https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browser_support_and_deprecation And yeah, I know exactly how much of a PITA it can be to move the corp onto current standards. Try it when you're the MSP, and you're working with crap, but they don't want to hear it, and/or your support was forced upon the LBU by the corp they are under, etc., so they don't like you anyway. I assume your domain(s) are with NS; how about leaving them there and just moving your DNS to a DNS provider that supports current features?

Yeah, I am looking at failover DNS providers already because of another project... so I'm probably going to use that as an excuse to get a better one... (We have multiple fiber lines, but no BGP, so we want to have our public portal sites run on IPs on each ISP with round robin and failover when one ISP goes down.)
neufuse (Veteran), posted March 27, 2019:

On 3/26/2019 at 8:18 AM, BudMan said:
    To be honest, HPKP is deprecated; I wouldn't go there. https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browser_support_and_deprecation And yeah, I know exactly how much of a PITA it can be to move the corp onto current standards. Try it when you're the MSP, and you're working with crap, but they don't want to hear it, and/or your support was forced upon the LBU by the corp they are under, etc., so they don't like you anyway. I assume your domain(s) are with NS; how about leaving them there and just moving your DNS to a DNS provider that supports current features?

And thanks for the HPKP deprecation links; our security consultant is pushing for us to implement this... but if Expect-CT is the new route, I have to push back on that now too.
BudMan (MVC), posted April 1, 2019:

Your security consultant is pushing you for a deprecated standard? Yeah, find a new guy would be my advice! And to be honest, HPKP could be very dangerous to implement and you could really break your own domain, etc.
neufuse (Veteran), posted April 3, 2019:

Well, I just migrated us from NS to Azure DNS. We already had an Azure tenant for other things, so it made sense to use what we have... already 100X better than NS....
neufuse (Veteran), posted April 3, 2019:

On 4/1/2019 at 2:21 PM, BudMan said:
    Your security consultant is pushing you for a deprecated standard? Yeah, find a new guy would be my advice! And to be honest, HPKP could be very dangerous to implement and you could really break your own domain, etc.

To be fair, some of the big names in security are still pushing HPKP for some reason too. Guess they are still a bit scared of Expect-CT's implementation since it's newer? Not sure.
BudMan (MVC), posted April 9, 2019:

I don't show Azure DNS supporting DNSSEC? Not the best choice, but yeah, it has to be way better than NS.
neufuse (Veteran), posted April 9, 2019 (edited):

38 minutes ago, BudMan said:
    I don't show Azure DNS supporting DNSSEC? Not the best choice, but yeah, it has to be way better than NS.

Yeah, it's just a temporary move from NS since we already have a tenant, until we have time to do an assessment of other providers. I do find it odd that a large provider like Azure doesn't support DNSSEC yet, but it's on their list of coming features.
BudMan (MVC), posted April 9, 2019:

I am disappointed by many of these major players' DNS support, both Azure and AWS... Think they are more concerned with how to increase the number of queries to up their bills than anything else.

You can check out https://dyn.com/ or https://ns1.com/ They should have everything you could need with DNS.
Paul2018, posted May 20, 2019:

On 3/26/2019 at 12:26 AM, neufuse said:
    Does anyone know how to set up a CAA record with Network Solutions as your DNS vendor? They don't have that specific field, so I'm limited to TXT fields (which they use for SPF and other types). Do I just set up a record like this? (This is assuming Network Solutions is our cert vendor.)
    @ 3600 TXT "0 issue 0 issue \";\""
    @ 3600 TXT "0 issuewild \"networksolutions.com\""
    @ 3600 TXT "0 iodef \"mailto:recipient@mydomain.com\""

If the cert vendor is LetsEncrypt, would the TXT record only be like below?

    @ 3600 TXT "0 issue "letsencrypt.org""
BudMan (MVC), posted May 20, 2019:

A TXT record is not a CAA record. Those instructions found for Network Solutions are just nonsense. The OP never came back on whether he had tested them or not, but I would be willing to bet some serious coin that it's just nonsense. CAA is a specific type of RR; it's not just a TXT record. Now, could they have done something really wonky where, if a CAA is looked for, they return a TXT? I guess, but I highly doubt it.

Those instructions are not actually on the Network Solutions support site; it's some 3rd party site with just nonsense instructions, if you ask me.
neufuse (Veteran), posted May 22, 2019 (edited):

On 5/20/2019 at 5:42 AM, BudMan said:
    A TXT record is not a CAA record. Those instructions found for Network Solutions are just nonsense. The OP never came back on whether he had tested them or not, but I would be willing to bet some serious coin that it's just nonsense. CAA is a specific type of RR; it's not just a TXT record. Now, could they have done something really wonky where, if a CAA is looked for, they return a TXT? I guess, but I highly doubt it. Those instructions are not actually on the Network Solutions support site; it's some 3rd party site with just nonsense instructions, if you ask me.

Yeah, the TXT records are just junk; I don't know why all these sites have them as valid instructions... You need to have a specific record type of CAA or a TYPE 257 record type. 257 is done a little bit differently than a straight-out CAA record.
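Added example, not code from the thread or from any poster, for the "TYPE 257" point in the post above: the record a provider's generic-type field wants is the same CAA RDATA, just written in the RFC 3597 presentation form ("\# <length> <hex>") instead of the native "0 issue "ca.example"" syntax. The Python below serialises a CAA record into the RFC 8659 wire layout (flags, tag length, tag, value), prints it both ways, and parses the generic form back, including the space-separated hex groups that dig prints. The owner name, TTL and CA names are assumptions; the length check catches the most common hand-typing mistake.

```python
r"""CAA (type 257) RDATA in native and RFC 3597 generic presentation.

Wire layout (RFC 8659 section 4.1): flags (1 octet), tag length (1 octet),
tag (ASCII letters/digits), value (remaining octets).  A DNS provider that
only offers a "TYPE257" field expects "\# <rdlength> <hex of those octets>".
"""
from typing import NamedTuple

class CAA(NamedTuple):
    flags: int   # 0, or 128 for issuer-critical
    tag: str     # issue / issuewild / iodef
    value: str   # CA domain, ";" for nobody, or a mailto:/https: URL

def caa_to_wire(rr: CAA) -> bytes:
    """Serialise one CAA record exactly as it travels in a DNS answer."""
    tag = rr.tag.encode("ascii")
    if not 0 <= rr.flags <= 255:
        raise ValueError("flags must fit in one octet")
    if not 1 <= len(tag) <= 255 or not tag.isalnum():
        raise ValueError("tag must be 1-255 ASCII letters/digits")
    return bytes([rr.flags, len(tag)]) + tag + rr.value.encode("utf-8")

def caa_to_generic(rr: CAA, owner: str = "@", ttl: int = 3600) -> str:
    """Zone-file line in RFC 3597 form, i.e. what a TYPE257 input field takes."""
    wire = caa_to_wire(rr)
    return f"{owner} {ttl} IN TYPE257 \\# {len(wire)} {wire.hex()}"

def caa_to_presentation(rr: CAA, owner: str = "@", ttl: int = 3600) -> str:
    """The same record in native CAA syntax, for providers that have the field."""
    value = rr.value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{owner} {ttl} IN CAA {rr.flags} {rr.tag} "{value}"'

def generic_to_caa(line: str) -> CAA:
    """Parse a CAA record printed in generic form (a zone file line, or dig
    output with +unknownformat).  The hex may be split into groups."""
    fields = line.split()
    try:
        marker = fields.index("\\#")
    except ValueError:
        raise ValueError("not RFC 3597 generic syntax (no \\# marker)") from None
    rtype = fields[marker - 1].upper()
    if rtype not in ("CAA", "TYPE257"):
        raise ValueError(f"record type {rtype} is not CAA/TYPE257")
    rdlength = int(fields[marker + 1])
    wire = bytes.fromhex("".join(fields[marker + 2:]))
    if len(wire) != rdlength:
        raise ValueError(f"RDLENGTH says {rdlength} but {len(wire)} octets of hex given")
    if len(wire) < 2 or wire[1] == 0 or 2 + wire[1] > len(wire):
        raise ValueError("malformed CAA RDATA: bad tag length")
    taglen = wire[1]
    return CAA(wire[0], wire[2:2 + taglen].decode("ascii"),
               wire[2 + taglen:].decode("utf-8"))

if __name__ == "__main__":
    rec = CAA(0, "issue", "letsencrypt.org")   # assumed CA, for illustration
    print(caa_to_presentation(rec))
    print(caa_to_generic(rec))
    # Constructed sample of dig's generic output for the same record:
    sample = "example.com. 3600 IN CAA \\# 22 00056973 7375656C 65747365 6E637279 70742E6F 7267"
    print(generic_to_caa(sample))
```

After publishing, `dig CAA yourdomain.example` should answer with type CAA records (type 257); if the answer section only shows TXT records, no CA will see the policy, whichever text they contain.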
BudMan (MVC), posted May 26, 2019:

I don't believe it's "sites"; it's just the 1 site I see with those junk instructions. If you need/want to set up a CAA record, then you need to get with whoever is providing DNS for your domain on how to do it (if possible), if they do not have a simple CAA record feature in the DNS management system you have access to. Thinking that some 3rd party site is going to provide you instructions on how to do something when the actual host of your DNS does not provide the instructions themselves is highly unlikely!

I take it the instructions were done on purpose to try and get unsuspecting people into buying SSL from them? Or just written by someone that doesn't have a clue and was "trying" to be helpful... The shame is that it's like the first Google hit for CAA on Network Solutions.

Example: I recently moved one of my domains' DNS to be on Cloudflare. Here is where you can create CAA records on their system.

Here is on Namecheap, for example.