CAA_BUILDER


DNSControl contains a CAA_BUILDER which can be used to simply create CAA records for your domains. Instead of creating each record individually, you configure your report mail address and the authorized certificate authorities, and the builder takes care of the rest.

Example

Simple example

dnsconfig.js
D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  CAA_BUILDER({
    label: "@",
    iodef: "mailto:test@example.com",
    iodef_critical: true,
    issue: [
      "letsencrypt.org",
      "comodoca.com",
    ],
    issuewild: "none",
  }),
);

CAA_BUILDER() builds multiple records:

dnsconfig.js
D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL),
  CAA("@", "issue", "letsencrypt.org"),
  CAA("@", "issue", "comodoca.com"),
  CAA("@", "issuewild", ";"),
);

which in turn yield the following records:

@ 300 IN CAA 128 iodef "mailto:test@example.com"
@ 300 IN CAA 0 issue "letsencrypt.org"
@ 300 IN CAA 0 issue "comodoca.com"
@ 300 IN CAA 0 issuewild ";"

Example with CAA_CRITICAL flag on all records

The same example can be enriched with CAA_CRITICAL on all records:

dnsconfig.js
D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  CAA_BUILDER({
    label: "@",
    iodef: "mailto:test@example.com",
    iodef_critical: true,
    issue: [
      "letsencrypt.org",
      "comodoca.com",
    ],
    issue_critical: true,
    issuewild: "none",
    issuewild_critical: true,
  }),
);

CAA_BUILDER() then builds the same records, all with the CAA_CRITICAL flag set:

dnsconfig.js
D("example.com", REG_MY_PROVIDER, DnsProvider(DSP_MY_PROVIDER),
  CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL),
  CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL),
  CAA("@", "issue", "comodoca.com", CAA_CRITICAL),
  CAA("@", "issuewild", ";", CAA_CRITICAL),
);

which in turn yield the following records:

@ 300 IN CAA 128 iodef "mailto:test@example.com"
@ 300 IN CAA 128 issue "letsencrypt.org"
@ 300 IN CAA 128 issue "comodoca.com"
@ 300 IN CAA 128 issuewild ";"

Parameters

  • label: The label of the CAA record. (Optional. Default: "@")

  • iodef: Report all violations to the configured mail address.

  • iodef_critical: This can be true or false. If enabled and the CA does not support this record, certificate issuance will be refused. (Optional. Default: false)

  • issue: An array of CAs which are allowed to issue certificates. (Use "none" to refuse all CAs)

  • issue_critical: This can be true or false. If enabled and the CA does not support this record, certificate issuance will be refused. (Optional. Default: false)

  • issuewild: An array of CAs which are allowed to issue wildcard certificates. (Can be simply "none" to refuse issuing wildcard certificates for all CAs)

  • issuewild_critical: This can be true or false. If enabled and the CA does not support this record, certificate issuance will be refused. (Optional. Default: false)

  • ttl: Input for TTL method (optional)
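
To check what a generated record set actually permits, the following added example (not part of DNSControl or its documentation) evaluates the zone lines from the simple example the way a CA would under RFC 8659, in simplified form: one RRset only, no tree climbing, issuer parameters ignored. The function names parseCaaLine, issuerDomain and mayIssue are assumptions made for this sketch.

```javascript
// Added example: simplified RFC 8659 evaluation of a single CAA RRset.
// PAGE_RECORDS are the zone lines produced by the simple example on this page.
const PAGE_RECORDS = [
  '@ 300 IN CAA 128 iodef "mailto:test@example.com"',
  '@ 300 IN CAA 0 issue "letsencrypt.org"',
  '@ 300 IN CAA 0 issue "comodoca.com"',
  '@ 300 IN CAA 0 issuewild ";"',
];

// Property tags this model "understands", as a CA would.
const KNOWN_TAGS = new Set(["issue", "issuewild", "iodef"]);

// Parse '<name> <ttl> IN CAA <flags> <tag> "<value>"' into an object.
function parseCaaLine(line) {
  const m = /^(\S+)\s+(\d+)\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$/.exec(line.trim());
  if (!m) throw new Error("not a CAA record line: " + line);
  return { name: m[1], ttl: Number(m[2]), flags: Number(m[3]), tag: m[4].toLowerCase(), value: m[5] };
}

// The issuer domain is the part of the value before any ';' parameters.
// A bare ";" yields "", which matches no CA.
function issuerDomain(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// Decide whether CA `ca` may issue for the name owning this RRset.
function mayIssue(lines, ca, wildcard) {
  const rrset = lines.map(parseCaaLine);
  // Critical bit (128) on a property the CA does not understand: refuse.
  if (rrset.some((r) => (r.flags & 128) !== 0 && !KNOWN_TAGS.has(r.tag))) return false;
  const issue = rrset.filter((r) => r.tag === "issue");
  const issuewild = rrset.filter((r) => r.tag === "issuewild");
  // For wildcard requests, issuewild records replace issue records when present.
  const relevant = wildcard && issuewild.length > 0 ? issuewild : issue;
  if (relevant.length === 0) return true; // nothing restricts issuance
  return relevant.some((r) => issuerDomain(r.value) === ca.toLowerCase());
}

console.log("letsencrypt.org, normal cert:", mayIssue(PAGE_RECORDS, "letsencrypt.org", false));
console.log("letsencrypt.org, wildcard cert:", mayIssue(PAGE_RECORDS, "letsencrypt.org", true));
```

The critical flag (128) only changes the outcome when the CA does not recognise the property tag; on issue, issuewild and iodef it is accepted by any CA that implements those tags.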
