Bug 1413073 - Missing support for "CAA" DNS RR according to RFC 6844 (only RFC 3597 syntax supported)
Summary: Missing support for "CAA" DNS RR according to RFC 6844 (only RFC 3597 syntax ...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Petr Menšík
QA Contact: qe-baseos-daemons
Depends On:
TreeView+ depends on / blocked
Reported: 2017-01-13 14:39 UTC by Robert Scheck
Modified: 2020-03-11 15:35 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-02-14 17:17:52 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Robert Scheck 2017-01-13 14:39:07 UTC
Description of problem:
Adding DNS records for DNS Certification Authority Authorization (CAA) as
specified in RFC 6844 to a zone file in BIND does not work, because BIND is
not aware about the RRs in version 9.9.4:

redhat.com.	CAA	0 issue "symantec.com"
redhat.com.	CAA	0 issuewild "digicert.com"

Instead you need to specify them according to the RFC 3597 syntax:

redhat.com.	TYPE257	\# 19 0005697373756573796D616E7465632E636F6D
redhat.com.	TYPE257	\# 23 0009697373756577696C6464696769636572742E636F6D

Version-Release number of selected component (if applicable):

How reproducible:
Everytime, see above.

Actual results:
No support for "CAA" DNS RR (only RFC 3597 syntax supported)

Expected results:
Please backport "CAA" DNS RR support from BIND 9.9.6, rebase to BIND 9.9.6,
or any better of course.

Comment 1 Robert Scheck 2017-01-13 14:40:47 UTC
Cross-filed case 01772732 on the Red Hat customer portal.

Comment 3 Petr Menšík 2017-02-13 10:46:06 UTC
This issue seems to already be fixed in bug #1306610, which is already fixed. See

Is there something missing?

Comment 4 Robert Scheck 2017-02-14 10:17:43 UTC
Unfortunately bug #1306610 is not publically accessible, but it seems you
are right, CAA records seem to work at all places as they should. So let's
close this, please.

Note You need to log in before you can comment on or make changes to this bug.