0

From 8th September 2017 it's mandatory to have a CAA record for an SSL certificate, from the CA/Browser Forum, on the DNS server.

On my Linux server I upgraded Bind to 9.8 and it now supports the CAA record, and as far as I know it works from Bind 9.6. My question is about Microsoft DNS server. I have a Win 2003 and DNS server v 5.2.3 and tried to add this record manually to C:\WINDOWS\system32\dns\domainzone.dns with no success. As far as I know Microsoft is a part of the CA/B Forum, but I did not find any news from Microsoft about the DNS server version for this record. Should I move to Win 2012/2016 or could I just upgrade the DNS server?

Amir

1 Answer

0

> From 8th September 2017 it's mandatory to have a CAA record for an SSL certificate, from the CA/Browser Forum, on the DNS server.

You are not required to have a CAA record as domain owner. It is only a requirement for the CAs to check if there is a CAA record for the domain and if they are allowed to issue a certificate based on this record.

This means, if there is no CAA record for the domain every public CA is allowed to issue a certificate for it. And this does not mean that you cannot get a certificate if you don't have a CAA record.

Steffen Ullrich
  • For any new SSL request it's mandatory to create this record. Anyway, my question is about whether Microsoft DNS servers support this record or not? – Amir Sep 10 '17 at 12:47
  • @Amir: to ask for specifics on Microsoft DNS server, serverfault.com is the more appropriate forum. And the document you reference clearly says that the CA must check while domain owners can provide such a record. There is no "must provide this record" for domain owners, only a "must check" for the CA. – Steffen Ullrich Sep 10 '17 at 14:53
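
The CA-side check described in the answer, as an added example that is not part of the original thread: it climbs from the requested name toward the root to find the relevant CAA record set and decides whether a given CA may issue. The zone contents, domain names and CA identifiers are constructed, and the sketch assumes RFC 8659 tree climbing while ignoring CNAMEs and the critical flag.

```python
# Constructed sample data: name -> list of (flags, tag, value) CAA records.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "ca-one.example"),
                    (0, "iodef", "mailto:sec@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "wild.example.com": [(0, "issue", "ca-one.example"),
                         (0, "issuewild", "ca-two.example")],
}


def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; return the first non-empty CAA RRset."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard request starts at its parent name
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(fqdn, ca_domain, zone):
    """Return True if ca_domain is permitted to issue a certificate for fqdn."""
    rrset = relevant_rrset(fqdn, zone)
    tags = [tag.lower() for _, tag, _ in rrset]
    # For wildcard names, issuewild replaces issue when any issuewild exists.
    wanted = "issue"
    if fqdn.startswith("*.") and "issuewild" in tags:
        wanted = "issuewild"
    values = [v for (_, t, v) in rrset if t.lower() == wanted]
    if not values:
        # No CAA record at all (or none restricting issuance): any CA may issue.
        return True
    # Value is "issuer-domain[; parameters]"; a bare ";" names no issuer.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for name, ca in [("www.example.org", "ca-two.example"),
                     ("www.example.com", "ca-two.example"),
                     ("*.wild.example.com", "ca-two.example")]:
        print(name, ca, ca_may_issue(name, ca, SAMPLE_ZONE))
```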