FEATURE: CAA_BUILDER: add issue_critical and issuewild_critical #2728

Merged
merged 2 commits into from
Dec 18, 2023
4 changes: 3 additions & 1 deletion commands/types/dnscontrol.d.ts
Expand Up @@ -398,7 +398,9 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
* * `iodef:` Report all violation to configured mail address.
* * `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
* * `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
* * `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
* * `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
* * `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
*
* `CAA_BUILDER()` returns multiple records (when configured as example above):
*
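Review bot: the new `issue_critical` and `issuewild_critical` descriptions are copied verbatim from `iodef_critical` and the phrase "CA does not support this record" is ambiguous about what the flag actually does. Under RFC 8659 the critical flag instructs a CA that does not understand the property tag to refuse issuance, so wording such as "If enabled, a CA that does not understand the `issue` property must refuse to issue certificates." (and likewise for `issuewild`) would be more precise. While touching this comment block, the pre-existing "Report all violation" on the `iodef` line should read "Report all violations".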
Expand All @@ -411,7 +413,7 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
*
* @see https://docs.dnscontrol.org/language-reference/domain-modifiers/caa_builder
*/
declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issuewild: string[] }): DomainModifier;
declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issue_critical?: boolean; issuewild: string[]; issuewild_critical?: boolean }): DomainModifier;

/**
* `CF_REDIRECT` uses Cloudflare-specific features ("Forwarding URL" Page Rules) to
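Review bot: the updated signature still types `issue` and `issuewild` as `string[]`, but the documentation added in this same PR uses the bare string form `issuewild: "none"` in the CAA_CRITICAL example and the parameter text says `"none"` can be used directly. A `dnsconfig.js` written the way the docs show would therefore fail type checking against this declaration. Either widen the types (for example `issue: string[] | "none"; issuewild: string[] | "none"`) or change the documented example to the array form `issuewild: ["none"]` if only that form is meant to be supported.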
77 changes: 67 additions & 10 deletions documentation/functions/domain/CAA_BUILDER.md
Expand Up @@ -5,14 +5,18 @@ parameters:
- iodef
- iodef_critical
- issue
- issue_critical
- issuewild
- issuewild_critical
parameters_object: true
parameter_types:
label: string?
iodef: string
iodef_critical: boolean?
issue: string[]
issue_critical: boolean?
issuewild: string[]
issuewild_critical: boolean?
---

DNSControl contains a `CAA_BUILDER` which can be used to simply create
Expand All @@ -22,7 +26,7 @@ authorized certificate authorities and the builder cares about the rest.

## Example

For example you can use:
### Simple example

{% code title="dnsconfig.js" %}
```javascript
Expand All @@ -39,15 +43,7 @@ CAA_BUILDER({
```
{% endcode %}

The parameters are:

* `label:` The label of the CAA record. (Optional. Default: `"@"`)
* `iodef:` Report all violation to configured mail address.
* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)

`CAA_BUILDER()` returns multiple records (when configured as example above):
`CAA_BUILDER()` builds multiple records:

{% code title="dnsconfig.js" %}
```javascript
Expand All @@ -57,3 +53,64 @@ CAA("@", "issue", "comodoca.com")
CAA("@", "issuewild", ";")
```
{% endcode %}

which in turns yield the following records:

```text
@ 300 IN CAA 128 iodef "mailto:test@example.com"
@ 300 IN CAA 0 issue "letsencrypt.org"
@ 300 IN CAA 0 issue "comodoca.com"
@ 300 IN CAA 0 issuewild ";"
```

### Example with CAA_CRITICAL flag on all records

The same example can be enriched with CAA_CRITICAL on all records:

{% code title="dnsconfig.js" %}
```javascript
CAA_BUILDER({
label: "@",
iodef: "mailto:test@example.com",
iodef_critical: true,
issue: [
"letsencrypt.org",
"comodoca.com",
],
issue_critical: true,
issuewild: "none",
issuewild_critical: true,
})
```
{% endcode %}

`CAA_BUILDER()` then builds (the same) multiple records - all with CAA_CRITICAL flag set:

{% code title="dnsconfig.js" %}
```javascript
CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL)
CAA("@", "issue", "comodoca.com", CAA_CRITICAL)
CAA("@", "issuewild", ";", CAA_CRITICAL)
```
{% endcode %}

which in turns yield the following records:

```text
@ 300 IN CAA 128 iodef "mailto:test@example.com"
@ 300 IN CAA 128 issue "letsencrypt.org"
@ 300 IN CAA 128 issue "comodoca.com"
@ 300 IN CAA 128 issuewild ";"
```


### Parameters

* `label:` The label of the CAA record. (Optional. Default: `"@"`)
* `iodef:` Report all violation to configured mail address.
* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
* `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
* `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
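Review bot: grammar in the two new connecting sentences: "which in turns yield the following records" should read "which in turn yields the following records" (both occurrences), and "Report all violation" in the Parameters list should be "Report all violations". The sentence "`CAA_BUILDER()` then builds (the same) multiple records - all with CAA_CRITICAL flag set" reads better as "`CAA_BUILDER()` then builds the same records, all with the CAA_CRITICAL flag set". Note also that the CAA_CRITICAL example passes `issuewild: "none"` as a plain string while the `parameter_types` front matter in this file declares `issuewild: string[]`; the two should agree.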
18 changes: 14 additions & 4 deletions pkg/js/helpers.js
Expand Up @@ -1478,13 +1478,23 @@ function CAA_BUILDER(value) {
}
}

if (value.issue)
if (value.issue) {
var flag = function() {};
if (value.issue_critical) {
flag = CAA_CRITICAL;
}
for (var i = 0, len = value.issue.length; i < len; i++)
r.push(CAA(value.label, 'issue', value.issue[i]));
r.push(CAA(value.label, 'issue', value.issue[i], flag));
}

if (value.issuewild)
if (value.issuewild) {
var flag = function() {};
if (value.issuewild_critical) {
flag = CAA_CRITICAL;
}
for (var i = 0, len = value.issuewild.length; i < len; i++)
r.push(CAA(value.label, 'issuewild', value.issuewild[i]));
r.push(CAA(value.label, 'issuewild', value.issuewild[i], flag));
}

return r;
}
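Review bot: `var flag = function() {};` is declared twice in the same function scope (`var` is function-scoped, so the second declaration rebinds the same variable and most linters will flag the redeclaration), and passing an empty function as the modifier argument to `CAA()` in the non-critical case relies on the modifier handling quietly accepting and ignoring a no-op. An explicit conditional per record is clearer and avoids the placeholder, e.g. `if (value.issue_critical) { r.push(CAA(value.label, 'issue', value.issue[i], CAA_CRITICAL)); } else { r.push(CAA(value.label, 'issue', value.issue[i])); }`. Since the `issue` and `issuewild` branches are now identical apart from the tag and the flag name, factoring both loops into one small helper (a hypothetical `pushCaaRecords(tag, values, critical)`) would remove the copy-paste and keep the two branches from drifting apart.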