Cannot create a CAA record in Azure DNS

Server Fault Asked by Larry Silverman on November 24, 2021

CAA records were introduced to Azure DNS in November 2017.

Today, I attempted to add one to a new DNS zone I created in US East 2.

I used the cloud Powershell so I wouldn’t have to wrestle with AzureRM module version problems.

$records = @()
# One CAA record per entry; flags 0 = non-critical, "issue" names a CA allowed to issue
$records += New-AzureRmDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "issuernumberone.com"
$records += New-AzureRmDnsRecordConfig -Caaflags 0 -CaaTag "issue" -CaaValue "issuernumbertwo.org"
# "iodef" gives CAs an address to report policy violations to
$records += New-AzureRmDnsRecordConfig -Caaflags 0 -CaaTag "iodef" -CaaValue "mailto:[email protected]"
# Create the record set under the label "caa" in the zone
New-AzureRmDnsRecordSet -Name "caa" -RecordType CAA -ZoneName mydomain.com -ResourceGroupName DNS-rg -Ttl 3600 -DnsRecords $records

# Read the record set back
Get-AzureRmDnsRecordSet -RecordType CAA -ZoneName mydomain.com -ResourceGroupName DNS-rg

The commands all worked flawlessly. I was able to create and save the recordset. I was able to retrieve the recordset.

But dig tells another story.

$ dig mydomain.com @ns1-03.azure-dns.com. CAA

; <<>> DiG 9.10.3-P4 <<>> mydomain.com @ns1-03.azure-dns.com. CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51663
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;mydomain.com.                        IN      CAA

;; AUTHORITY SECTION:
mydomain.com.         300     IN      SOA     ns1-03.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 300

;; Query time: 39 msec
;; SERVER: 40.90.4.3#53(40.90.4.3)
;; WHEN: Fri Apr 06 16:29:56 Central Daylight Time 2018
;; MSG SIZE  rcvd: 126

I have other DNS providers with working CAA records. These results are not correct. I also tried with “type257” instead of CAA.

Furthermore, the CAA record type does not appear in the Azure DNS portal blade.

2 Answers

CAA record support is available as of today for custom domains on Azure. These can be accessed via the DNS zone of the particular domain to which you want to add a CAA record set. I've not personally tried adding a valid CAA record, but I can see it now.

If you want to verify the CAA record that you have added to a domain via the DNS zone, you can refer to step 4 of this blog post, which talks about verifying a CAA record for a DNS zone.

Answered by navule on November 24, 2021

My intention was to put a CAA record on the root domain. I misunderstood the purpose of the -name parameter. I assumed it was just a label. I incorrectly set the -name parameter to caa. The correct usage would have been -name "@".

Answered by Larry Silverman on November 24, 2021
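The corrected procedure from the accepted answer, written out as an added example (this is not code from the question or the answers): the record set is created at the zone apex with -Name "@" and then read back and checked. It uses the same AzureRm cmdlets as the question; the zone name, resource group and CA domains are the question's placeholders, and the iodef mailbox is a made-up placeholder. With the current Az module the equivalent cmdlets are New-AzDnsRecordConfig, New-AzDnsRecordSet and Get-AzDnsRecordSet with the same parameters.

```powershell
# Added example: create the CAA record set at the zone apex and verify it.
# Placeholders from the question; replace with your own zone and resource group.
$zone = "mydomain.com"
$rg   = "DNS-rg"

$records = @()
# flags 0 = non-critical; "issue" lists a CA allowed to issue for this name
$records += New-AzureRmDnsRecordConfig -CaaFlags 0 -CaaTag "issue" -CaaValue "issuernumberone.com"
$records += New-AzureRmDnsRecordConfig -CaaFlags 0 -CaaTag "issue" -CaaValue "issuernumbertwo.org"
# "iodef": where a CA reports a request that violated this policy (placeholder address)
$records += New-AzureRmDnsRecordConfig -CaaFlags 0 -CaaTag "iodef" -CaaValue "mailto:caa-reports@example.com"

# "@" means the zone apex (mydomain.com itself). -Name "caa" would instead create
# caa.mydomain.com, which is not on the lookup path a CA follows when it checks
# mydomain.com or any name beneath it.
New-AzureRmDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zone -ResourceGroupName $rg -Ttl 3600 -DnsRecords $records

# Read the set back and confirm it sits at the apex and holds all three records
$set = Get-AzureRmDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zone -ResourceGroupName $rg
if ($set.Name -ne "@" -or $set.Records.Count -ne 3) {
    throw "Apex CAA record set is missing or incomplete"
}
$set.Records | Format-Table Flags, Tag, Value
```

After the change propagates, the same dig query the question used (dig mydomain.com @ns1-03.azure-dns.com. CAA) should return ANSWER: 3 with the two issue records and the iodef record, instead of the empty answer and bare SOA shown above.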
