#198 Support for CAA Record Type
Opened by jasperroloff.

Enhancement proposal

Nameservers using bind-dyndb-ldap should have support for CAA resource records.

This record type is standardized in RFC 6844 (obsoleted) and RFC 8659 (https://tools.ietf.org/html/rfc8659).

There is also an issue on the FreeIPA project for this feature: https://pagure.io/freeipa/issue/7392

Use case

The CAA record controls which certificate authorities are allowed to issue certificates for a domain. All publicly trusted CAs have to respect the CAA record of a domain.

Proposed implementation

In my understanding of this project's code, this feature requires the following changes:

  • add an LDAP attribute named CAARecord, as described here: https://pagure.io/freeipa/issue/7392#comment-545752
  • update the idnsRecord object class in the LDAP schema to allow the CAARecord attribute

Yes, this has to be done on two sides. IPA schema needs to be extended, ACIs need to be extended as well, to allow CAARecord modification. Finally, bind-dyndb-ldap needs to learn how to translate the LDAP attribute into bind's internal record type.

I have a WIP branch for FreeIPA: https://github.com/abbra/freeipa/commits/caa-record-support
It just adds the ability to set a CAA record through the IPA CLI but doesn't handle any validation for known CAA tags yet aside from ensuring the tag name is constructed out of [a-z0-9] characters.
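The following is an added example, not code from this ticket, from FreeIPA or from bind-dyndb-ldap. It shows what a CAA value in presentation form (`<flags> <tag> "<value>"`, RFC 8659) looks like once parsed, the tag-syntax check the comment above describes (alphanumeric tag, case-insensitive), and how a relying party evaluates the resulting RRset: which issuer domains the `issue`/`issuewild` properties permit, the empty-issuer form that forbids all issuance, and the rule that an unrecognized critical property blocks issuance. The sample records, the CA names and the `futuretag` property are constructed for the example; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Union

# RFC 8659 section 4.1: a tag is non-empty, US-ASCII letters and digits only,
# compared case-insensitively; its length is carried in one octet on the wire.
TAG_RE = re.compile(r"[A-Za-z0-9]{1,255}")
# Property tags defined by RFC 8659 itself.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
# "Issuer Critical" is bit 0 in RFC numbering, i.e. the value 128.
CRITICAL_FLAG = 0x80


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str    # normalised to lower case
    value: str  # property value with surrounding quotes removed

    @property
    def critical(self) -> bool:
        return bool(self.flags & CRITICAL_FLAG)


def parse_caa(rdata: str) -> CAARecord:
    """Parse CAA RDATA in presentation form, e.g. '0 issue "ca.example.net"'."""
    parts = rdata.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"expected '<flags> <tag> <value>', got {rdata!r}")
    flags_s, tag, value = parts
    if not flags_s.isdigit() or not 0 <= int(flags_s) <= 255:
        raise ValueError(f"flags must be an integer in 0..255, got {flags_s!r}")
    if not TAG_RE.fullmatch(tag):
        raise ValueError(f"invalid tag {tag!r}: only [A-Za-z0-9] is allowed")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags_s), tag.lower(), value)


def is_valid_caa(rdata: str) -> bool:
    """True when the presentation-form record parses; usable as an input check."""
    try:
        parse_caa(rdata)
        return True
    except ValueError:
        return False


def _issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value: the text before ';'.

    Parameters after ';' (e.g. accounturi=...) are dropped. An empty domain,
    written as "" or ";", authorises no CA at all (RFC 8659 section 4.2).
    """
    return value.split(";", 1)[0].strip().lower()


def allowed_issuers(records: Iterable[Union[str, CAARecord]],
                    wildcard: bool = False) -> Optional[Set[str]]:
    """Issuer domains permitted by a CAA RRset.

    Returns None when the RRset does not restrict issuance (no relevant
    property present), and an empty set when issuance is forbidden.
    """
    recs = [parse_caa(r) if isinstance(r, str) else r for r in records]
    # A critical property the relying party does not understand blocks issuance.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in recs):
        return set()
    # issuewild governs wildcard names only if present; otherwise issue does.
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in recs) else "issue"
    relevant = [r for r in recs if r.tag == tag]
    if not relevant:
        return None
    domains = {_issuer_domain(r.value) for r in relevant}
    domains.discard("")  # the empty issuer domain authorises nobody
    return domains


def ca_may_issue(records: Iterable[Union[str, CAARecord]], ca_domain: str,
                 wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue for this RRset."""
    allowed = allowed_issuers(records, wildcard)
    return True if allowed is None else ca_domain.lower() in allowed


# Constructed sample RRset for one zone (not real data).
SAMPLE_CAA = [
    '0 issue "ca.example.net"',
    '0 issue "other-ca.example; accounturi=https://other-ca.example/acct/1"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
]

if __name__ == "__main__":
    for r in SAMPLE_CAA:
        print(parse_caa(r))
    print("non-wildcard issuers:", allowed_issuers(SAMPLE_CAA))
    print("wildcard issuers:", allowed_issuers(SAMPLE_CAA, wildcard=True))
```

With the sample RRset, `ca.example.net` and `other-ca.example` may issue ordinary certificates, nobody may issue wildcard certificates, and an RRset containing only an `iodef` property leaves issuance unrestricted. The tag check is the same `[a-z0-9]` rule the comment mentions (upper case accepted and folded, since tags are case-insensitive); validation of the value syntax per tag is what the WIP branch does not yet do.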
