Hello, Soon (September 7, 2017) we will be required to issue a CAA records. https://sslmate.com/caa/ bind supports it, is there a way to do that from our ISPConfig3 panel? Thanks,
CAA records are available in ISPConfig master branch in GIT (the branch that will become ISPConfig 3.2). And as @HSorgYves pointed out, you may start to use CAA now but it is not required. At last when I understand the page that yu posted correctly.
Just saw a Heise article in which they say that CA must respect CAA if available in the zone starting from today. It also links to the according ballot: https://cabforum.org/2017/03/08/ballot-187-make-caa-checking-mandatory/ "Effective as of 8 September 2017, section 4.2 of a CA’s Certificate Policy and/or Certification Practice Statement (section 4.1 for CAs still conforming to RFC 2527) SHALL state the CA’s policy or practice on processing CAA Records for Fully Qualified Domain Names; that policy shall be consistent with these Requirements. It shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA “issue” or “issuewild” records as permitting it to issue. The CA SHALL log all actions taken, if any, consistent with its processing practice. Add the following text to the appropriate place in section 1.6.3 (“References”):" For you as domain owner nothing changes. You can add a CAA record to your zone file. However if you (or someone else) tries to request a SSL cert for your domain, then the CA must check if a CAA record is in the DNS file and if so, if that CA is allowed to issue a cert for that domain.
