Server Fault Asked by Larry Silverman on November 24, 2021
CAA records were introduced to Azure DNS in November 2017.
Today, I attempted to add one to a new DNS zone I created in US East 2.
I used the cloud PowerShell so I wouldn’t have to wrestle with AzureRM module version problems.
$records = @()
$records += New-AzureRmDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "issuernumberone.com"
$records += New-AzureRmDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "issuernumbertwo.org"
$records += New-AzureRmDnsRecordConfig -Caaflags 0 -CaaTag "iodef" -CaaValue "mailto:[email protected]"
New-AzureRmDnsRecordSet -Name "caa" -RecordType CAA -ZoneName mydomain.com -ResourceGroupName DNS-rg -Ttl 3600 -DnsRecords $records
Get-AzureRmDnsRecordSet -RecordType CAA -ZoneName mydomain.com -ResourceGroupName DNS-rg
The commands all worked flawlessly. I was able to create and save the recordset. I was able to retrieve the recordset.
But dig tells another story.
$ dig mydomain.com @ns1-03.azure-dns.com. CAA
; <<>> DiG 9.10.3-P4 <<>> mydomain.com @ns1-03.azure-dns.com. CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51663
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;mydomain.com. IN CAA
;; AUTHORITY SECTION:
mydomain.com. 300 IN SOA ns1-03.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 300
;; Query time: 39 msec
;; SERVER: 40.90.4.3#53(40.90.4.3)
;; WHEN: Fri Apr 06 16:29:56 Central Daylight Time 2018
;; MSG SIZE rcvd: 126
I have other DNS providers with working CAA records. These results are not correct. I also tried with “type257” instead of CAA.
Furthermore, the CAA record type does not appear in the Azure DNS portal blade.
CAA record support is available as of today for custom domains on Azure. These can be accessed via the DNS Zone of the particular domain you want to add the CAA record set to. I've not personally tried adding a valid CAA record, but I can see it now.
If you want to verify the CAA record that you have added to a domain via the DNS Zone, you can refer to step 4 of this blog post, which talks about verifying a CAA record for a DNS zone.
Answered by navule on November 24, 2021
My intention was to put a CAA record on the root domain. I misunderstood the purpose of the -name parameter. I assumed it was just a label. I incorrectly set the -name parameter to caa. The correct usage would have been -name "@".
Answered by Larry Silverman on November 24, 2021
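A small placement-and-syntax check for the mistake described in this answer, written here as an added example (it is not code from the thread or from the Az module). It assumes Azure's relative record-set naming, where "@" means the zone apex and any other name is prefixed to the zone, and RFC 8659 CAA syntax (flags 0..255, tags issue / issuewild / iodef):

```python
import re

# Added example, not Azure's code. Assumption: record-set names are relative to the
# zone, "@" denotes the apex; CAA tags/flags follow RFC 8659.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def record_owner(name: str, zone: str) -> str:
    """Return the absolute owner name an Azure DNS record-set name lands on."""
    zone = zone.rstrip(".").lower()
    name = name.strip().lower()
    return zone if name in ("@", "") else f"{name}.{zone}"


def validate_caa(flags: int, tag: str, value: str) -> list:
    """Return the problems found in one CAA record (empty list means it looks fine)."""
    problems = []
    if not 0 <= flags <= 255:
        problems.append(f"flags {flags} out of range 0..255")
    if not re.fullmatch(r"[A-Za-z0-9]+", tag):
        problems.append(f"tag {tag!r} is not alphanumeric")
    elif tag.lower() not in KNOWN_TAGS:
        problems.append(f"tag {tag!r} is not one of {sorted(KNOWN_TAGS)}")
    if tag.lower() == "iodef" and not value.startswith(("mailto:", "http://", "https://")):
        problems.append("iodef value must be a mailto: or http(s): URL")
    return problems


def check_caa_set(name: str, zone: str, records: list) -> list:
    """Report where the set lands plus any per-record issues.

    CAs walk up the tree from the requested FQDN, so a CAA set placed at a sub-label
    such as "caa" only governs caa.<zone> and below; the apex stays unconstrained."""
    report = []
    owner = record_owner(name, zone)
    if owner != zone.rstrip(".").lower():
        report.append(f"record set is at {owner}, not the apex {zone}; "
                      f"use -Name '@' to constrain certificates for {zone}")
    for flags, tag, value in records:
        for problem in validate_caa(flags, tag, value):
            report.append(f"{flags} {tag} {value}: {problem}")
    return report


if __name__ == "__main__":
    # Constructed input mirroring the question: three records placed under -Name "caa".
    planned = [(0, "issue", "issuernumberone.com"),
               (0, "issue", "issuernumbertwo.org"),
               (0, "iodef", "mailto:hostmaster@example.com")]
    for line in check_caa_set("caa", "mydomain.com", planned):
        print(line)
```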