Bind error when doing CAA for Amazon

Discussion in 'ISPConfig 3 Priority Support' started by pvanthony, Mar 22, 2021.

  1. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Getting an error when adding a CAA record for hostname with Amazon.
    Here is an example.
    domain is example.com
    host1.example.com. 3600 CAA 0 issue "letsencrypt.org"
    host2.example.com. 3600 CAA 0 issue "letsencrypt.org"
    host3.example.com. 3600 CAA 0 issue "letsencrypt.org"
    host4.example.com. 3600 CAA 0 issue "letsencrypt.org"
    host5.example.com. 3600 CAA 0 issue "amazon.com" <-- this causes the problem
    host6.example.com. 3600 CAA 0 issue "letsencrypt.org"
    host7.example.com. 3600 CAA 0 issue "letsencrypt.org"
    host8.example.com. 3600 CAA 0 issue "letsencrypt.org"
    host9.example.com. 3600 CAA 0 issue "letsencrypt.org"
    www.example.com 3600 CAA 0 issue "letsencrypt.org"

    Once the CAA record with amazon.com is removed there is no error.
    By the way, I think there is no email sent when there is an error with bind.
    It would be nice to have an alert email like when there is an error with the config of nginx.
    Hope for some advice on how to solve this error.
    This is on the following.
    Debian 10.8
    bind9/stable,now 1:9.11.5.P4+dfsg-5.1+deb10u3
    ispconfig 3.2.3
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    What is the error you are seeing?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The current behavior is intended as BIND will throw an error until all needed records of a zone are added, so when you add a zone (even with the wizard), you would get many error emails until all sub-records are added.
     
  4. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Need assistance on where to get the error from.
    Currently the way I know there is an error is when there is a file domain.err
     
  5. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Ok. I understand. So there will be too much noise.
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can find them under Monitor -> System-log.
     
  7. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Mar 23 02:36:02 named[5594]: reloading configuration succeeded
    Mar 23 02:36:02 named[5594]: reloading zones succeeded
    Mar 23 02:36:02 named[5594]: zone example.com/IN: zone serial (2021032310) unchanged. zone may fail to transfer to slaves.
    Mar 23 02:36:02 named[5594]: zone example.com/IN: loaded serial 2021032310
    Mar 23 02:36:02 named[5594]: zone example.com/IN: sending notifies (serial 2021032310)
    Mar 23 02:36:02 named[5594]: all zones loaded
    Mar 23 02:36:02 named[5594]: running
    Unfortunately I do not see any other errors. This only happens when adding a CAA for amazon.com.
    Another thing to note is that host is a cname. Does that make a difference?
     
  8. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Just did another test.
    1. created a hostname lala with an A record.
    2. then created a CAA record with amazon.com
    It worked.
    I think there might be a requirement for a CAA record to be linked to a hostname with an A record and not to a hostname with a CNAME record.
    Is this correct?
     
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I.e. 'host5.example.com.' in your initial post is created as a CNAME, not A/AAAA? If so, the UI should not allow you to create a CAA record for it (needs a bug report filed).
     
  10. pvanthony

    pvanthony Active Member HowtoForge Supporter

    That is correct. The hostname was a CNAME. So it is a requirement that the CAA record has to be an A record.
     
  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    It's more that when you add a CNAME record, you can't add additional records like CAA, TXT, etc. You just need to add the CAA to the target of the CNAME.

    Also note that CAA records carry to subdomains, so if your example.com has a CAA for letsencrypt, you don't need to add all those host records, only the ones that differ (e.g. your host5).
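    The two points in this reply (a CNAME owner cannot carry other records, and CAA is inherited by climbing the name tree) as an added Python example; this is not code from the thread or from ISPConfig. The zone data is constructed to mirror the example.com layout above, with host5 assumed to be a CNAME to a hypothetical host5-alias name; the lookup follows RFC 8659 section 3.

```python
"""Added example: the CNAME/other-data rule that makes BIND refuse a zone,
and the RFC 8659 tree-climbing CAA lookup that makes per-host CAA records
redundant when the apex already has one. All zone data is constructed."""

# Constructed zone: owner name -> {rtype: [rdata, ...]}, names without trailing dot.
ZONE = {
    "example.com":             {"SOA": ["ns1.example.com. hostmaster.example.com. 2021032310"],
                                "CAA": ['0 issue "letsencrypt.org"']},
    "host1.example.com":       {"A": ["192.0.2.10"]},
    "host5.example.com":       {"CNAME": ["host5-alias.example.com"]},  # assumed alias
    "host5-alias.example.com": {"A": ["192.0.2.50"],
                                "CAA": ['0 issue "amazon.com"']},
    "www.example.com":         {"A": ["192.0.2.80"]},
}

def check_zone(zone):
    """Return owner names that violate RFC 1034 3.6.2: a CNAME owner must hold
    no other records. This is the condition under which BIND refuses to load
    a zone, e.g. a CAA added on a hostname that is a CNAME."""
    return sorted(name for name, rrs in zone.items()
                  if "CNAME" in rrs and len(rrs) > 1)

def resolve_caa(zone, name, max_cnames=8):
    """CAA(X) as in RFC 8659: query X for CAA, chasing CNAMEs like a resolver."""
    for _ in range(max_cnames):
        rrs = zone.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"][0]
            continue
        return rrs.get("CAA", [])
    raise RuntimeError("CNAME chain too long or looping")

def relevant_caa(zone, name):
    """R(X) per RFC 8659 section 3: CAA(X) if non-empty, else R(parent(X)).
    Returns (name whose query produced the set, rdata list); ([], None) if none.
    With in-memory data the climb simply runs out at the TLD label."""
    labels = name.rstrip(".").split(".")
    while labels:
        owner = ".".join(labels)
        caa = resolve_caa(zone, owner)
        if caa:
            return owner, caa
        labels = labels[1:]          # climb one label toward the root
    return None, []
```

Running relevant_caa on host1.example.com or any deeper subdomain yields the apex letsencrypt.org record, while host5.example.com yields the amazon.com record via its CNAME target, which is exactly why only host5 needed its own record.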
     
  12. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Thank you for the advice. I did not know about these points. I will clean up my dns records.
    Once again thank you for helping.
     
