CAA_BUILDER

CAA_BUILDER adds a Certification Authority Authorization record to a domain.

CAA_BUILDER eases the creation of CAA records. Instead of creating each CAA record individually, you can simply configure your report mail address, the authorized certificate authorities and the builder cares about the rest.

Example

Simple example

dnsconfig.js

D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  CAA_BUILDER({
    label: "@",
    iodef: "mailto:[email protected]",
    iodef_critical: true,
    issue: [
      "letsencrypt.org",
      "comodoca.com",
    ],
    issuewild: "none",
  }),
);

CAA_BUILDER builds multiple records:

dnsconfig.js

D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  CAA("@", "iodef", "mailto:[email protected]", CAA_CRITICAL),
  CAA("@", "issue", "letsencrypt.org"),
  CAA("@", "issue", "comodoca.com"),
  CAA("@", "issuewild", ";"),
);

which in turns yield the following records:

@ 300 IN CAA 128 iodef "mailto:[email protected]"
@ 300 IN CAA 0 issue "letsencrypt.org"
@ 300 IN CAA 0 issue "comodoca.com"
@ 300 IN CAA 0 issuewild ";"

Example with CAA_CRITICAL flag on all records

The same example can be enriched with CAA_CRITICAL on all records:

dnsconfig.js

D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  CAA_BUILDER({
    label: "@",
    iodef: "mailto:[email protected]",
    iodef_critical: true,
    issue: [
      "letsencrypt.org",
      "comodoca.com",
    ],
    issue_critical: true,
    issuewild: "none",
    issuewild_critical: true,
  }),
);

CAA_BUILDER then builds (the same) multiple records - all with CAA_CRITICAL flag set:

dnsconfig.js

D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  CAA("@", "iodef", "mailto:[email protected]", CAA_CRITICAL),
  CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL),
  CAA("@", "issue", "comodoca.com", CAA_CRITICAL),
  CAA("@", "issuewild", ";", CAA_CRITICAL),
);

which in turns yield the following records:

@ 300 IN CAA 128 iodef "mailto:[email protected]"
@ 300 IN CAA 128 issue "letsencrypt.org"
@ 300 IN CAA 128 issue "comodoca.com"
@ 300 IN CAA 128 issuewild ";"

Parameters

label: The label of the CAA record. (Optional. Default: "@")
iodef: Report all violation to configured mail address.
iodef_critical: This can be true or false. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: false)
issue: An array of CAs which are allowed to issue certificates. (Use "none" to refuse all CAs)
issue_critical: This can be true or false. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: false)
issuewild: An array of CAs which are allowed to issue wildcard certificates. (Can be simply "none" to refuse issuing wildcard certificates for all CAs)
issuewild_critical: This can be true or false. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: false)
issuevmc: An array of CAs which are allowed to issue VMC certificates. (Use "none" to refuse all CAs)
issuevmc_critical: This can be true or false. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: false)
issuemail: An array of CAs which are allowed to issue email certificates. (Use "none" to refuse all CAs)
issuemail_critical: This can be true or false. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: false)
ttl: Input for TTL method (optional)

PreviousCAA NextCNAME

Last updated 6 hours ago

hashtagExample

hashtagSimple example

hashtagExample with CAA_CRITICAL flag on all records

hashtagParameters

Example

Simple example

Example with CAA_CRITICAL flag on all records

Parameters