CAA record for empty issuewild

Discussion in 'Installation/Configuration' started by Thijs Koetsier, Oct 20, 2020.

  1. Thijs Koetsier

    Thijs Koetsier New Member

    The option to add CAA records to the DNS settings in ISPconfig in version 3.2 is much appreciated, thank you.
    I find myself having problems however trying to configure the following situation:

    I need to configure a domain to validate Sectigo to issue a certificate for the domain, but explicitly have no CA authorised to issue wildcard certificates. To that end I need two CAA records in my BIND zonefile:
    Code:
    example.com.    IN    CAA    0 issue "sectigo.com"
    example.com.    IN    CAA    0 issuewild ";"
    (reference: https://sslmate.com/caa/)

    In the DNS CAA Record editor of ISPconfig I can select Sectigo/Comodo CA, with or without "NO-WILDCARD" and if I select it without then I have the option to select "Use Wildcard SSL". Whatever option I try though, it never leads to the above result.

    Is there a way to do this?
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I don't think it's necessary to set that second record that explicitly tells no one is allowed to create a wildcard record for your domain. All SSL cert issuers should follow your CAA record and if one is present, they will not generate a cert if it's not allowed.
    Thijs Koetsier likes this.
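The check a CA is required to run before issuing, as an added example that is not part of this thread and not ISPConfig code. It follows the CAA evaluation rules of RFC 8659 (sections 4.2 and 4.3): the relevant CAA RRset is found by walking from the requested name up to its parents; for a wildcard request the `issuewild` records are consulted only if any exist, otherwise the `issue` records govern wildcard issuance too; an empty issuer (`";"`) authorises nobody; and an unknown tag with the critical flag (128) blocks issuance. The zone text is the two records posted above plus a constructed variant with only the `issue` record; the owner `example.com.` and the second CA identifier `other-ca.example` are constructed sample values.

```python
import shlex
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str


def parse_zone_caa(zone_text: str) -> dict:
    """Parse BIND-style CAA lines into {owner_name: [CaaRecord, ...]}.

    Assumes lines of the form '<owner> [TTL] IN CAA <flags> <tag> "<value>"';
    non-CAA lines, blanks and comments are ignored.
    """
    zone = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0] if line.lstrip().startswith(";") else line
        tokens = line.split()
        if "CAA" not in tokens:
            continue
        owner = tokens[0].lower().rstrip(".") + "."
        rest = " ".join(tokens[tokens.index("CAA") + 1:])
        flags, tag, value = shlex.split(rest)  # shlex strips the quotes
        zone.setdefault(owner, []).append(CaaRecord(int(flags), tag.lower(), value))
    return zone


def relevant_rrset(zone: dict, name: str) -> list:
    """RFC 8659 section 3: the closest CAA RRset at or above the name."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return zone[owner]
    return []


def issuer_domain(value: str) -> str:
    """'sectigo.com; account=123' -> 'sectigo.com'; ';' -> '' (nobody)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(zone: dict, requested_name: str, ca_domain: str) -> bool:
    """Decide, as a CA must, whether issuance for requested_name is permitted."""
    wildcard = requested_name.startswith("*.")
    base = requested_name[2:] if wildcard else requested_name
    rrset = relevant_rrset(zone, base)

    # A critical record the CA does not understand forbids issuance (section 4.1).
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False

    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]

    # Section 4.3: issuewild applies only to wildcard requests, and only if any
    # issuewild record exists; otherwise the issue records govern wildcards too.
    candidates = issuewild if (wildcard and issuewild) else issue

    # No applicable records at all: CAA does not restrict this CA.
    if not candidates:
        return True
    return any(issuer_domain(r.value) == ca_domain.lower() for r in candidates)


# The two records from the question.
ZONE_WITH_ISSUEWILD = parse_zone_caa("""
example.com.    IN    CAA    0 issue "sectigo.com"
example.com.    IN    CAA    0 issuewild ";"
""")

# Constructed variant: the issue record alone, no issuewild.
ZONE_ISSUE_ONLY = parse_zone_caa("""
example.com.    IN    CAA    0 issue "sectigo.com"
""")


def demo() -> dict:
    """Evaluate the interesting cases and return them for inspection."""
    return {
        "issue+issuewild, sectigo, example.com": ca_may_issue(ZONE_WITH_ISSUEWILD, "example.com", "sectigo.com"),
        "issue+issuewild, sectigo, *.example.com": ca_may_issue(ZONE_WITH_ISSUEWILD, "*.example.com", "sectigo.com"),
        "issue+issuewild, other CA, www.example.com": ca_may_issue(ZONE_WITH_ISSUEWILD, "www.example.com", "other-ca.example"),
        "issue only, sectigo, *.example.com": ca_may_issue(ZONE_ISSUE_ONLY, "*.example.com", "sectigo.com"),
        "issue only, other CA, example.com": ca_may_issue(ZONE_ISSUE_ONLY, "example.com", "other-ca.example"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'permitted' if allowed else 'refused'}")
```

Running it shows the difference the second record makes: with only `issue "sectigo.com"` present, a wildcard request from Sectigo is permitted, because `issue` governs wildcards when no `issuewild` exists; with `issuewild ";"` added, wildcard issuance is refused for every CA while single-name issuance by Sectigo still succeeds. Names below the zone apex (`www.example.com`) inherit the apex RRset through the parent walk.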
  3. Thijs Koetsier

    Thijs Koetsier New Member

    Thanks for your reply Th0m.
    That was my thought as well, why state there's no wildcard CA while there is one explicitly named only for the single domain? It seems rather redundant.

    Reading that site I referenced and a request from a client had me question if it might be better to do so, but I agree the single declaration should lead to the same result.
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It would be redundant indeed :)
    Thijs Koetsier likes this.