Experiences with CAA implementation

Not an answer (sorry) but looking in to CAA myself and failing to find any information on it, however we are still running 11.6 on our devices.

Does 12 support the CAA record or allow the previous BIND type 257 records?

I was wondering if nothing else trying to manually edit the zone file and hope zonerunner doesnt go in to a restart loop

I am interested to know as well, as we need this feature now.

Any updates on this? Need to know as well if F5 GTM supports CAA DNS records and which versions.

Thanks.

The CABForum announced CAA woudl be required required in March

https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/

https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

The requirement is now in place effective September 8, 2017.

SSLMate has a tool for generating CAA records:

https://sslmate.com/caa/

There should be some public guidance by now?

In case this wasn't already answered, BIG-IP 12.x, 13.x, and 14.x have a high enough version of BIND that you can manually edit the zone files (carefully) to add the CAA record. See https://support.f5.com/csp/article/K7032.

I understand that using Zone Runner to manage CAA record types are on the roadmap for 14.x.

We implemented a CAA record on our F5 DNS the manual way and it worked for us.

Does anyone know the status of this?

/jba

I think this feature came along in BIG-IP 14.X. I know the ability to work with CAA in Zone Runner is there in 15.x

Beware this bug: Can not modify CAA record on GUI with Error: Resolver returned no such record. (f5.com)

Bug ID 862949 (f5.com)

Probably came along with BIND 9.9.6+ support somewhere in there. I can't find the exact release notes at the moment.