19-Apr-2017 05:27
Hello everyone, I would like to ask about experiences with the implementation of CAA (Certification Authority Authorization) on DNS (GTM) on F5 v12 and higher. I have been trying to find some tech doc about it, but found nothing on this topic in relation to F5.
I would appreciate any useful experiences or sources.
Thank you AK
26-Apr-2017 12:33
Not an answer (sorry), but I am looking into CAA myself and failing to find any information on it; however, we are still running 11.6 on our devices.
Does 12 support the CAA record or allow the previous BIND TYPE257 records?
I was wondering, if nothing else, about trying to manually edit the zone file and hoping ZoneRunner doesn't go into a restart loop.
13-Oct-2017 11:52
The CABForum announced CAA would be required in March:
https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/
https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
The requirement is now in place effective September 8, 2017.
SSLMate has a tool for generating CAA records:
There should be some public guidance by now?
23-Aug-2018 09:53
In case this wasn't already answered, BIG-IP 12.x, 13.x, and 14.x have a high enough version of BIND that you can manually edit the zone files (carefully) to add the CAA record. See https://support.f5.com/csp/article/K7032.
I understand that using Zone Runner to manage CAA record types is on the roadmap for 14.x.
We implemented a CAA record on our F5 DNS the manual way and it worked for us.
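Since two of the posts above talk about hand-editing the zone file, either with native CAA syntax on a BIND that knows the type or with the older generic TYPE257 form, here is an added example (not code from any poster, and not F5's or BIND's code) that encodes a CAA record into its wire RDATA, renders it in both zone-file syntaxes, parses a generic line back, and checks what a CA would conclude from a record set before it is published. The CA names such as ca.example are constructed placeholders; the issuance check covers one already-located relevant RRset per RFC 8659 and does not walk up the name tree.

```python
"""CAA zone-record helper (added example, not from the thread or from F5).

Produces the text to paste into a zone file in either native "CAA" syntax or
the RFC 3597 generic "TYPE257 \\# <len> <hex>" syntax, and mirrors the CA-side
decision of RFC 8659 section 4 so a record set can be sanity-checked first.
"""
import re
from dataclasses import dataclass
from typing import Iterable

CAA_TYPE = 257            # RR type number assigned to CAA
ISSUER_CRITICAL = 0x80    # "critical" bit in the flags octet (RFC 8659 4.1.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0..255; 128 sets the issuer-critical bit
    tag: str     # property tag, e.g. "issue"
    value: str   # property value, e.g. "ca.example" (constructed placeholder)

    def __post_init__(self):
        if not 0 <= self.flags <= 255:
            raise ValueError("flags must fit in one octet")
        if not re.fullmatch(r"[A-Za-z0-9]{1,255}", self.tag):
            raise ValueError("tag must be 1-255 alphanumeric characters")

    def to_wire(self) -> bytes:
        """RDATA layout: flags octet, tag-length octet, tag, value."""
        tag = self.tag.encode("ascii")
        return bytes([self.flags, len(tag)]) + tag + self.value.encode("utf-8")

    @classmethod
    def from_wire(cls, data: bytes) -> "CAARecord":
        if len(data) < 2:
            raise ValueError("RDATA too short")
        flags, tag_len = data[0], data[1]
        if tag_len == 0 or len(data) < 2 + tag_len:
            raise ValueError("bad tag length")
        tag = data[2:2 + tag_len].decode("ascii")
        return cls(flags, tag, data[2 + tag_len:].decode("utf-8"))

    def native(self, owner: str = "@", ttl: int = 3600) -> str:
        """Zone-file line for a BIND with native CAA support."""
        return f'{owner} {ttl} IN CAA {self.flags} {self.tag} "{self.value}"'

    def generic(self, owner: str = "@", ttl: int = 3600) -> str:
        """RFC 3597 unknown-type line for a BIND without native CAA support."""
        wire = self.to_wire()
        return f"{owner} {ttl} IN TYPE{CAA_TYPE} \\# {len(wire)} {wire.hex()}"


_GENERIC_RE = re.compile(r"TYPE257\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s]*)$")


def parse_generic(line: str) -> CAARecord:
    """Decode an RFC 3597 TYPE257 zone line (hex may contain whitespace)."""
    m = _GENERIC_RE.search(line)
    if not m:
        raise ValueError("not an RFC 3597 TYPE257 line")
    data = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(data) != int(m.group(1)):
        raise ValueError("declared length does not match hex data")
    return CAARecord.from_wire(data)


def issuance_allowed(records: Iterable[CAARecord], ca_domain: str,
                     wildcard: bool = False) -> bool:
    """CA-side check for one relevant RRset (RFC 8659 section 4, simplified).

    An unknown tag with the critical bit set forbids issuance. A wildcard
    request uses the issuewild properties when any exist, otherwise the issue
    properties. An empty selected set means CAA imposes no restriction; an
    issuer domain of "" (the value ";") permits nobody.
    """
    records = list(records)
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS
           for r in records):
        return False
    wild = [r for r in records if r.tag.lower() == "issuewild"]
    issue = [r for r in records if r.tag.lower() == "issue"]
    relevant = wild if (wildcard and wild) else issue
    if not relevant:
        return True
    want = ca_domain.strip().lower().rstrip(".")
    for r in relevant:
        issuer = r.value.split(";", 1)[0].strip().lower().rstrip(".")
        if issuer and issuer == want:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample policy: only ca.example may issue, nobody may issue wildcards.
    policy = [CAARecord(0, "issue", "ca.example"),
              CAARecord(0, "issuewild", ";"),
              CAARecord(0, "iodef", "mailto:security@example")]
    for rec in policy:
        print(rec.native())
        print(rec.generic())
    print("ca.example non-wildcard:", issuance_allowed(policy, "ca.example"))
    print("ca.example wildcard:", issuance_allowed(policy, "ca.example", wildcard=True))
```

The generic form is the one to use on a BIND that rejects the CAA keyword; it carries the identical RDATA, so resolvers and CAs see the same record either way. Run the issuance check against the record set you intend to publish so a typo in the issuer domain does not silently block your own CA.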
01-Jul-2021 11:48
I think this feature came along in BIG-IP 14.x. I know the ability to work with CAA in Zone Runner is there in 15.x.
Beware this bug: Can not modify CAA record on GUI with Error: Resolver returned no such record. (f5.com)
Probably came along with BIND 9.9.6+ support somewhere in there. I can't find the exact release notes at the moment.