DNS CAA record on Network solutions



Does anyone know how to set up a CAA record with Network Solutions as your DNS vendor? They don't have that specific field, so I'm limited to TXT fields (which they use for SPF and other types).

Do I just set up records like this? (This is assuming Network Solutions is our cert vendor.)

@ 3600  TXT "0 issue \";\""

@ 3600  TXT "0 issuewild \"networksolutions.com\""

@ 3600  TXT "0 iodef \"mailto:recipient@mydomain.com\""

That would prevent CAs from issuing certs that aren't wildcards or aren't from Network Solutions, with violations going to the specified email address.


Pretty sure they have to support the record type.. It's not a TXT record, it's a CAA record..


1 hour ago, BudMan said:

Pretty sure they have to support the record type.. It's not a TXT record, it's a CAA record..

That's what I was thinking too, but their support said they support it and that CAA has to be entered as TXT on their site... but they wouldn't give any help on how exactly they expected that to be done... and I found another site saying to do it that way also... so even though it made no sense, I thought, maybe?

edit:

just found another site saying the same thing, ugh

https://www.thesslstore.com/knowledgebase/caa-records/how-to-add-a-caa-record-on-network-solutions/


Yeah that sounds like BS to me... But sure, set it up and then do the query..

I have it set on a domain I got to let my friends and family hit my Ombi request site, run for my Plex server hosted on my NAS, running on an Ubuntu VM.

[screenshot: CAA record as set on the domain]

I also run DNSSEC; DNS is just hosted on Namecheap..

So sure, go ahead and try it - and then query it, or better yet test with https://www.ssllabs.com/index.html

[screenshot: SSL Labs CAA test result]

Why not just move to a DNS service that actually supports current specs, DNSSEC, CAA, etc. etc..

You doing DNSSEC? Test that here

http://dnsviz.net/

And then validate EDNS compliance here

https://ednscomp.isc.org/ednscomp

Network Solutions is overpriced and WAY BEHIND the times!!!


10 hours ago, BudMan said:

Yeah that sounds like BS to me... But sure, set it up and then do the query..

I have it set on a domain I got to let my friends and family hit my Ombi request site, run for my Plex server hosted on my NAS, running on an Ubuntu VM.

[screenshot: CAA record as set on the domain]

I also run DNSSEC; DNS is just hosted on Namecheap..

So sure, go ahead and try it - and then query it, or better yet test with https://www.ssllabs.com/index.html

[screenshot: SSL Labs CAA test result]

Why not just move to a DNS service that actually supports current specs, DNSSEC, CAA, etc. etc..

You doing DNSSEC? Test that here

http://dnsviz.net/

And then validate EDNS compliance here

https://ednscomp.isc.org/ednscomp

Network Solutions is overpriced and WAY BEHIND the times!!!

Yeah, I've been trying to get the company to move off of NS for a while, but trying to get people in a corporate environment to move is a pain in the ass....

We do have DNSSEC, just not the CAA record yet. I might just go to HPKP if I can't get a move going... riskier to set up, but at least it mitigates most man-in-the-middle attacks.


To be honest HPKP is deprecated, I wouldn't go there.

https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browser_support_and_deprecation

And yeah, I know exactly how much of a PITA it can be to move the corp onto current standards ;)  Try it when you're the MSP, and you're working with crap - but they don't want to hear it, and/or your support was forced upon the LBU by the corp they are under, etc.  So they don't like you anyway ;)

I assume your domain(s) are with NS; how about leaving them there and just moving your DNS to a DNS provider that supports current features?


13 hours ago, BudMan said:

To be honest HPKP is deprecated, I wouldn't go there.

https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browser_support_and_deprecation

And yeah, I know exactly how much of a PITA it can be to move the corp onto current standards ;)  Try it when you're the MSP, and you're working with crap - but they don't want to hear it, and/or your support was forced upon the LBU by the corp they are under, etc.  So they don't like you anyway ;)

I assume your domain(s) are with NS; how about leaving them there and just moving your DNS to a DNS provider that supports current features?

Yeah, I am looking at failover DNS providers already because of another project... so I'm probably going to use that as an excuse to get a better one... (We have multiple fiber lines but no BGP, so we want to have our public portal sites run on IPs on each ISP, with round robin and failover when one ISP goes down.)


On 3/26/2019 at 8:18 AM, BudMan said:

To be honest HPKP is deprecated, I wouldn't go there.

https://ordina-jworks.github.io/security/2018/02/12/HPKP-deprecated-what-now.html

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning#Browser_support_and_deprecation

And yeah, I know exactly how much of a PITA it can be to move the corp onto current standards ;)  Try it when you're the MSP, and you're working with crap - but they don't want to hear it, and/or your support was forced upon the LBU by the corp they are under, etc.  So they don't like you anyway ;)

I assume your domain(s) are with NS; how about leaving them there and just moving your DNS to a DNS provider that supports current features?

And thanks for the HPKP deprecation links; our security consultant is pushing for us to implement this... but if Expect-CT is the new route, I have to push back on that now too.


Your security consultant is pushing you toward a deprecated standard?  Yeah, find a new guy would be my advice!

And to be honest, HPKP could be very dangerous to implement and you could really break your own domain, etc.


Well, I just migrated us from NS to Azure DNS.. We already had an Azure tenant for other things, so it made sense to use what we have... already 100X better than NS....


On 4/1/2019 at 2:21 PM, BudMan said:

Your security consultant is pushing you toward a deprecated standard?  Yeah, find a new guy would be my advice!

And to be honest, HPKP could be very dangerous to implement and you could really break your own domain, etc.

To be fair, some of the big names in security are still pushing HPKP for some reason too. Guess they are still a bit scared of Expect-CT's implementation since it's newer? Not sure.


I don't show azure dns supporting dnssec?  Not the best choice but yeah has to be way better than NS


38 minutes ago, BudMan said:

I don't show azure dns supporting dnssec?  Not the best choice but yeah has to be way better than NS

Yeah, it's just a temporary move from NS, since we already have a tenant, until we have time to do an assessment of other providers.

I do find it odd that a large provider like Azure doesn't support DNSSEC yet, but it's on their list of coming features.

Edited by neufuse

I am disappointed by many of these major players' DNS support, both Azure and AWS... Think they are more concerned with how to increase the number of queries to up their bills than anything else ;)

You can check out https://dyn.com/

or https://ns1.com/

They should have everything you could need with dns.


1 month later...
On 3/26/2019 at 12:26 AM, neufuse said:

Does anyone know how to set up a CAA record with Network Solutions as your DNS vendor? They don't have that specific field, so I'm limited to TXT fields (which they use for SPF and other types).

Do I just set up records like this? (This is assuming Network Solutions is our cert vendor.)

@ 3600  TXT "0 issue \";\""

@ 3600  TXT "0 issuewild \"networksolutions.com\""

@ 3600  TXT "0 iodef \"mailto:recipient@mydomain.com\""

If the cert vendor is Let's Encrypt, would the TXT record only be like below??

@ 3600  TXT "0 issue \"letsencrypt.org\""


A TXT record is not a CAA record..

Those instructions found for Network Solutions are just nonsense.

The OP never came back to say if he had tested them or not - but I would be willing to bet some serious coin that that's just nonsense.. CAA is a specific type of RR; it's not just a TXT record.. Now, could they have done something really wonky where if a CAA is looked for they return a TXT.. I guess, but I highly doubt it.

Those instructions are not actually on the Network Solutions support site - some 3rd party site with just nonsense instructions, if you ask me.


On 5/20/2019 at 5:42 AM, BudMan said:

A TXT record is not a CAA record..

Those instructions found for Network Solutions are just nonsense.

The OP never came back to say if he had tested them or not - but I would be willing to bet some serious coin that that's just nonsense.. CAA is a specific type of RR; it's not just a TXT record.. Now, could they have done something really wonky where if a CAA is looked for they return a TXT.. I guess, but I highly doubt it.

Those instructions are not actually on the Network Solutions support site - some 3rd party site with just nonsense instructions, if you ask me.

Yeah, the TXT records are just junk; I don't know why all these sites have them as valid instructions... You need to have a specific record type of CAA or a TYPE257 record type. 257 is done a little bit differently than a straight-out CAA record.
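An added example, not code from this thread or from any DNS provider, tying together the OP's proposed issue/issuewild records and the TYPE257 form mentioned above: it lays out CAA RDATA as RFC 8659 defines it, renders the RFC 3597 generic `\# len hex` presentation that a DNS UI without a CAA field would need, and evaluates a CAA set the way a CA does before issuing. Function names are mine; the sample records are constructed from the ones posted in the thread.

```python
"""Added example (not from the thread): CAA records as a CA or resolver sees them."""

def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """Build CAA RDATA (RFC 8659): flags (1 byte) | tag length (1 byte) | tag | value."""
    tag_b = tag.encode("ascii")
    if not (0 <= flags <= 255 and 1 <= len(tag_b) <= 255):
        raise ValueError("flags must fit one byte and tag must be 1..255 bytes")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")

def decode_caa(rdata: bytes) -> tuple[int, str, str]:
    """Split CAA RDATA back into (flags, tag, value); tags compare case-insensitively."""
    flags, tag_len = rdata[0], rdata[1]
    if len(rdata) < 2 + tag_len:
        raise ValueError("truncated CAA RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    return flags, tag, rdata[2 + tag_len:].decode("utf-8")

def to_type257(rdata: bytes) -> str:
    """RFC 3597 generic form ('TYPE257 \\# len hex') for DNS UIs that lack a CAA field."""
    return f"\\# {len(rdata)} {rdata.hex()}"

def from_type257(text: str) -> bytes:
    """Parse the RFC 3597 generic form back into raw RDATA, checking the length prefix."""
    marker, length, *hexparts = text.split()
    data = bytes.fromhex("".join(hexparts))
    if marker != "\\#" or len(data) != int(length):
        raise ValueError("malformed generic RDATA")
    return data

def issuance_allowed(records: list[bytes], ca: str, wildcard: bool = False) -> bool:
    """Apply RFC 8659 issue/issuewild semantics: may `ca` issue a cert for this name?"""
    tags = [decode_caa(r) for r in records]
    relevant = [t for t in tags if t[1] == "issuewild"] if wildcard else []
    if not relevant:                       # issuewild absent, or non-wildcard request
        relevant = [t for t in tags if t[1] == "issue"]
    if not relevant:
        return True                        # no CAA policy: any CA may issue
    for _, _, value in relevant:
        issuer = value.split(";", 1)[0].strip().lower()   # "" (e.g. ";") names no CA
        if issuer and issuer == ca.lower():
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: the OP's policy, then the Let's Encrypt-only variant.
    policy = [encode_caa(0, "issue", ";"), encode_caa(0, "issuewild", "networksolutions.com")]
    print(issuance_allowed(policy, "networksolutions.com", wildcard=True))   # True
    print(issuance_allowed(policy, "networksolutions.com"))                  # False
    print(to_type257(encode_caa(0, "issue", "letsencrypt.org")))
```

Whatever a provider's UI accepts, the answer must come back in a `CAA` (type 257) query; a TXT record carrying the same text is never consulted by a CA.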


I don't believe it's "sites" - it's just the 1 site I see with those junk instructions.

If you need/want to set up a CAA record, then you need to get with whoever is providing DNS for your domain on how to do it (if possible), if they do not have a simple CAA record feature in the DNS management system you have access to.

Thinking that some 3rd party site is going to provide you instructions on how to do something when the actual host of your DNS does not provide the instructions themselves is highly unlikely!

I take it the instructions were done on purpose to try and get unsuspecting people into buying SSL from them?  Or just written by someone that doesn't have a clue and was "trying" to be helpful... The shame is that it's like the first Google hit for CAA on Network Solutions..

Example - I recently moved one of my domains' DNS to be on Cloudflare.. Here is where you can create CAA records on their system

[screenshot: Cloudflare CAA record form]

Here is on Namecheap, for example

[screenshot: Namecheap CAA record form]
