Question
Thursday, January 19, 2017 10:39 PM
Just curious but does anyone know if any version of DNS server on the Windows Server platform support Certification Authority Authorization (CAA) records per RFC 6844?
Thanks, Chris
All replies (9)
Friday, January 20, 2017 7:37 AM
Hi Chris,
As far as I know, Windows DNS Server does not provide for creating CAA records.
You could check the link below to understand it:
Resource Record Types
https://technet.microsoft.com/en-us/library/cc958958.aspx
And Windows Server 2016 DNS provides unknown record support, for your reference:
What's New in DNS Server in Windows Server 2016
https://technet.microsoft.com/en-us/windows-server-docs/networking/dns/what-s-new-in-dns-server
Best Regards
John
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Tuesday, February 7, 2017 2:45 AM
Hi Chris,
Just want to confirm current situation.
If there is anything we can do for you, please feel free to post in the forum.
Best Regards
John
Monday, June 5, 2017 5:21 PM | 5 votes
This is an unacceptable answer. Microsoft should not require an entire operating system upgrade to support something they should have all along. And with the sheer number of issues with Windows 10/2016, it will be unusable for at least another year.
Oh, and thanks for giving us a link to what a DNS resource record type is. I'm pretty sure we didn't know what that was already.
Monday, July 24, 2017 1:52 PM | 1 vote
This is not acceptable since CAA records are mandatory by all browsers and SSL authorities for SSL issuing by September 1st. How come Microsoft is falling behind on this important change to SSL certificates?
Wednesday, August 30, 2017 7:43 PM
CAA is mandatory for public CAs (Certificate Authorities) that are embedded in the root programs of the world to check when issuing a certificate on behalf of an organization. If you do not list any CA within your DNS, then all CAs can issue for your organization without issue.
It is almost like a network policy for roots, you can either trust all roots in the root program or select X number of roots and all other public roots would be untrusted by your network.
Bottom line, if you want to limit the CA that can issue for your organization then add CAA to all your DNS entries, if not then you do not need to worry about adding CAA.
Monday, October 16, 2017 9:09 AM
As a workaround solution:
Try to use https://sslmate.com/caa/ to generate the CAA record using an unknown record.
Add the domain and CA, simple (issue) or wildcard (issuewild).
Find the result in "Legacy Zone File"; example for a non-wildcard certificate for mydomain.com, comodoca.com:
Legacy Zone File (RFC 3597 Syntax)
For BIND <9.9.6, NSD <4.0.1, Windows Server 2016
mydomain.com. IN TYPE257 \# 19 00056973737565636F6D6F646F63612E636F6D
mydomain.com. IN TYPE257 \# 12 0009697373756577696C643B
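The two posts above describe what a CAA record means (which CAs may issue for a name, with an empty value meaning "none") and show the RFC 3597 generic form that Windows Server 2016 accepts for record types it does not know. The following is an added example, not code from the thread, from sslmate or from Microsoft: it builds the RFC 6844 wire format for a CAA property, renders it in the `\# <length> <hex>` generic syntax, parses that syntax back, and evaluates a zone's CAA policy the way a CA is expected to (issuewild takes precedence over issue for wildcard names; an unknown property with the issuer-critical flag blocks issuance). The sample records and the domain names are constructed; the function names are this example's own.

```python
"""CAA (RFC 6844) helpers: encode a property into the RFC 3597 generic
"\\# <len> <hex>" form, decode that form, and evaluate a CAA policy.
Added example for this thread; not part of any product."""
import re

CAA_RRTYPE = 257          # CAA type number, hence "TYPE257" in the zone file
ISSUER_CRITICAL = 0x80    # flag bit 0: unknown critical property blocks issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# "\# <length> <hex bytes>" as written in a legacy (RFC 3597) zone file
_GENERIC_RE = re.compile(r"^\\#\s+(\d+)\s+([0-9A-Fa-f\s]*)$")


def encode_caa(flags: int, tag: str, value: str) -> str:
    """Return the RFC 3597 presentation of one CAA property.

    Wire format (RFC 6844 section 5.1): 1 byte flags, 1 byte tag length,
    the tag, then the value occupying the rest of the RDATA.
    """
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one byte")
    tag_bytes = tag.encode("ascii")
    if not 1 <= len(tag_bytes) <= 255 or not tag_bytes.isalnum():
        raise ValueError("tag must be 1-255 alphanumeric ASCII characters")
    rdata = bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("ascii")
    return f"\\# {len(rdata)} {rdata.hex().upper()}"


def decode_caa(presentation: str):
    """Parse "\\# <len> <hex>" back into (flags, tag, value).

    Rejects a declared length that disagrees with the hex payload, the
    classic copy-and-paste mistake when hand-editing unknown records.
    """
    m = _GENERIC_RE.match(presentation.strip())
    if not m:
        raise ValueError("not RFC 3597 generic syntax")
    declared = int(m.group(1))
    rdata = bytes.fromhex("".join(m.group(2).split()))
    if len(rdata) != declared:
        raise ValueError(f"declared length {declared} != actual {len(rdata)}")
    if len(rdata) < 2:
        raise ValueError("RDATA too short for CAA")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("bad tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value


def _ca_of(value: str) -> str:
    """Domain part of an issue/issuewild value ("ca.example; key=val")."""
    return value.split(";", 1)[0].strip().lower().rstrip(".")


def issuance_permitted(records, ca_domain: str, wildcard: bool = False) -> bool:
    """Apply RFC 6844 processing to one relevant CAA RRset.

    records: iterable of (flags, tag, value) as returned by decode_caa.
    wildcard: whether the requested certificate name is a wildcard.
    """
    ca = ca_domain.lower().rstrip(".")
    # A property the CA does not understand, marked critical, forbids issuance.
    for flags, tag, _ in records:
        if tag.lower() not in KNOWN_TAGS and flags & ISSUER_CRITICAL:
            return False
    issue = [v for _, t, v in records if t.lower() == "issue"]
    issuewild = [v for _, t, v in records if t.lower() == "issuewild"]
    # issuewild governs wildcard requests only when present; else issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True   # no constraint expressed: any CA may issue
    # A bare ";" value has no domain and therefore authorises nobody.
    return any(_ca_of(v) and _ca_of(v) == ca for v in relevant)


if __name__ == "__main__":
    # Constructed policy: only comodoca.com may issue, and no wildcards at all.
    zone = [encode_caa(0, "issue", "comodoca.com"),
            encode_caa(0, "issuewild", ";")]
    for line in zone:
        print(f"mydomain.com. IN TYPE{CAA_RRTYPE} {line}")
    records = [decode_caa(line) for line in zone]
    for ca, wild in [("comodoca.com", False), ("letsencrypt.org", False),
                     ("comodoca.com", True)]:
        kind = "wildcard" if wild else "standard"
        print(f"{ca:16} {kind:9} -> {issuance_permitted(records, ca, wild)}")
```

Running the block prints the same two TYPE257 lines shown in the post, which is a useful check before pasting a generated record into a zone; the decoder's length check catches a payload that was edited without updating the byte count.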
Thursday, November 9, 2017 12:12 PM
I agree.
Separate components should be upgradeable within the OS.
Friday, November 10, 2017 6:07 PM
Before bashing any Microsoft OS, maybe you can elaborate on the many issues you wrote about?
I agree that it is cumbersome to install a new OS Version to get the new capabilities in DNS.
But I don't understand what you are talking about in term of issues in Windows Server 2016!
If you only need a DNS Server you could install Server Core only with the DNS Role installed.
After that you could remove the payload of all unneeded roles/features, giving you a system with a very low attack surface.
The rest is done with Windows Firewall.
I operate a public Windows Server DNS Server in this configuration for several years with no issues so far!
Christian Schindler
Wednesday, July 11, 2018 2:23 AM
Supported versions as of this date:
Syntax Type | DNS Product
Standard BIND | BIND 9.9.6 and higher; PowerDNS 4.0.0 and higher; NSD 4.0.1 and higher; Knot DNS 2.2.0 and higher; Simple DNS Plus 6; Windows Server 2016
Legacy BIND | Any version prior to BIND 9.9.6
Generic | Google Cloud DNS
The source is Entrust, and specifically the guideline for Windows 2016 is as below.