Alexandre Takacs
BIND in Debian 8 doesn't know of CAA records

I have to publish CAA records for our domain and our public NS are running on BIND9 under Debian 8. Unfortunately, the current BIND seems to be version 9.9.5 whereas CAA is only supported in 9.9.6 and higher.

What is my best bet short of upgrading my servers... ?
David Favor

You have a couple of approaches...

1) You can always build latest named from source.

2) You can update to Stretch or Buster.

3) You can also run LXD, then run a Debian or Ubuntu inside your DNS containers. This way you can always update the contents of your containers without affecting any of your machine-level code.

Note: I run Ubuntu Bionic (LTS) at machine level, with the only additional installed code being the SNAP version of LXD.

Then I just run containers with various Distro versions based on whatever any project requires.

This way you decouple your requirement to do a machine level upgrade to only once every 2x-5x years.

Then you can clone a container + run an upgrade to test how upgrades work on a per Distro version basis.
Alexandre Takacs (ASKER)

thanks - I guess no "easy" fix then.

I will containerize (is that a term?) my DNS servers ... not going to happen overnight, but I guess it's my best bet!
Dr. Klahn

See if there's a BIND update for that version.  Go to command level and issue:

apt-get update
apt list --upgradable

This will update the available packages list and show which ones can be upgraded, and to what version.  Ideally there is a BIND upgrade that will solve the problem.

root:> apt-get update
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [94.3 kB]
Ign:2 http://ftp.us.debian.org/debian stretch InRelease
Get:3 http://ftp.us.debian.org/debian stretch-updates InRelease [91.0 kB]
Get:4 http://ftp.us.debian.org/debian stretch Release [118 kB]
(list goes on ...)
Get:17 http://ftp.us.debian.org/debian stretch/non-free Translation-en [80.3 kB]
Get:18 http://ftp.us.debian.org/debian stretch/non-free i386 Contents (deb) [750 kB]
Fetched 52.6 MB in 48s (1,074 kB/s)
Reading package lists... Done
root:> apt list --upgradable
Listing... Done
base-files/oldstable 9.9+deb9u11 i386 [upgradable from: 9.9+deb9u9]
gettext-base/oldstable 0.19.8.1-2+deb9u1 i386 [upgradable from: 0.19.8.1-2]
grub-common/oldstable 2.02~beta3-5+deb9u2 i386 [upgradable from: 2.02~beta3-5+deb9u1]
(list goes on ...)
unzip/oldstable 6.0-21+deb9u2 i386 [upgradable from: 6.0-21+deb9u1]
usbutils/oldstable 1:007-4+deb9u1 i386 [upgradable from: 1:007-4+b1]
root:>

Or, as David says, if you are stuck on Debian 8 for the time being then you can download the BIND package and build it yourself.  BIND is not a simple piece of software, though.  The dependencies will be many, some libraries will be missing and will have to be downloaded, and I expect it will take some determination to follow through to the end.
4) You can always try adding this to your /etc/apt/sources.list or however your APT setup is configured...

deb http://ftp.us.debian.org/debian jessie-proposed-updates main contrib non-free

This can seriously wreck a system + this might deliver the minor BIND update which supports CAA records.
thanks for your various comments.

I have found somewhere (but for the life of me I can't locate it again) a procedure that would allow entering "non-standard" records (as 9.9.5 doesn't know about them yet; it would be record type 257 (decimal)) in a BIND zone file.

Anyone? I guess it would be a short-term solution to my issue.
Basically that is what is done: sending numeric codes. Now, depending on the code, there is a subsequent structure; you will need to add that in binary as well...

Here is a description all for the same record:
https://support.globalsign.com/customer/en/portal/articles/2851274-how-to-add-dns-caa-record-to-a-dns-zone-file

example.com. IN TYPE257 \# 21 00056973737565676C6F62616C7369676E2E636F6D

This means: record type 257, with 21 bytes of parameters.
First 0 (00), then size 5 and "issue": 05 6973737565
Then the remaining bytes (globalsign.com): 676C6F62616C7369676E2E636F6D

Other records may have different encoding...
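As an added example (it is not from this thread, GlobalSign's page or BIND itself), the following Python script does the byte-level work described above: it lays out the CAA RDATA as flags (1 byte), tag length (1 byte), tag and value, prints it in the RFC 3597 "TYPE257 \# <length> <hex>" form that a pre-9.9.6 BIND will load, and decodes such a line back so the zone entry can be checked before it is published. The function names, the CAA_CRITICAL constant and the sample owner/CA values are my own choices; the only input taken from the post is the GlobalSign line, which the script reproduces byte for byte.

```python
import re
from typing import Optional, Tuple

# RRTYPE number for CAA (RFC 8659); a BIND that predates CAA only knows it as TYPE257
CAA_TYPE = 257
# "issuer critical" flag bit (0x80); constant name chosen here, value from RFC 8659
CAA_CRITICAL = 128


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Wire-format CAA RDATA: flags (1 byte), tag length (1 byte), tag bytes, value bytes."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must be a single byte (0-255)")
    tag_b = tag.encode("ascii")
    # A tag is 1-255 ASCII letters/digits; the ones in use are issue, issuewild and iodef
    if not (1 <= len(tag_b) <= 255) or not tag_b.isalnum():
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def generic_caa_rr(owner: str, flags: int, tag: str, value: str,
                   ttl: Optional[int] = None) -> str:
    r"""Render the record in RFC 3597 unknown-type syntax: owner [ttl] IN TYPE257 \# <len> <hex>."""
    rdata = caa_rdata(flags, tag, value)
    ttl_field = f" {ttl}" if ttl is not None else ""
    return f"{owner}{ttl_field} IN TYPE{CAA_TYPE} \\# {len(rdata)} {rdata.hex().upper()}"


# Accepts the hex run wrapped over several lines, as zone files and the post above do
_GENERIC_RE = re.compile(
    r"^(\S+)\s+(?:(\d+)\s+)?IN\s+TYPE257\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


def parse_generic_caa(line: str) -> Tuple[str, int, str, str]:
    """Decode a TYPE257 \\# line back to (owner, flags, tag, value), checking the length field."""
    m = _GENERIC_RE.match(line.strip())
    if not m:
        raise ValueError("not a TYPE257 generic-format record")
    owner, _ttl, declared_len, hexstr = m.groups()
    rdata = bytes.fromhex("".join(hexstr.split()))
    if len(rdata) != int(declared_len):
        raise ValueError(f"length field says {declared_len} bytes but {len(rdata)} were given")
    if len(rdata) < 2:
        raise ValueError("CAA RDATA needs at least the flags and tag-length bytes")
    flags, tag_len = rdata[0], rdata[1]
    if 2 + tag_len > len(rdata):
        raise ValueError("tag length runs past the end of the RDATA")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii")
    return owner, flags, tag, value


def is_valid_generic_caa(line: str) -> bool:
    """True if the line decodes as a well-formed TYPE257 CAA record."""
    try:
        parse_generic_caa(line)
        return True
    except ValueError:
        return False


# The record quoted in the post above (GlobalSign's example), used here as a known-good reference
POST_EXAMPLE = "example.com. IN TYPE257 \\# 21 00056973737565676C6F62616C7369676E2E636F6D"

if __name__ == "__main__":
    # Sample records for a made-up zone: allow one CA, forbid wildcard issuance, report violations
    for rr in [
        generic_caa_rr("example.com.", 0, "issue", "globalsign.com"),
        generic_caa_rr("example.com.", 0, "issuewild", ";"),
        generic_caa_rr("example.com.", CAA_CRITICAL, "iodef",
                       "mailto:security@example.com", ttl=3600),
    ]:
        print(rr)
        print("   decodes to:", parse_generic_caa(rr))
    assert generic_caa_rr("example.com.", 0, "issue", "globalsign.com") == POST_EXAMPLE
```

Run it once for each record you intend to add, paste the printed lines into the zone, then feed the zone back through parse_generic_caa (or `named-checkzone` once the zone loads) to catch a length field that no longer matches the hex after a hand edit; BIND rejects such a line, which is the common way these generic records go wrong.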
Aha, we are getting somewhere!

Is there a tool to compute those codes?
ASKER CERTIFIED SOLUTION
David Favor
sslmate is also useful as certspotter to see when certificates change.

My dig is returning the actual strings though... So you need an old dig as well.
Better use the website.
Thanks everyone for your input - it turns out https://sslmate.com/caa/ is exactly what I needed. We have (working) CAA records with BIND 9.9.5