Do any versions of DNS Server support Certification Authority Authorization records?

  • Question

  • Just curious, but does anyone know if any version of DNS server on the Windows Server platform supports Certification Authority Authorization (CAA) records per RFC 6844?

    Thanks, Chris

    Thursday, January 19, 2017 10:39 PM

All replies

  • Hi Chris,

    As far as I know, Windows DNS server does not provide for creating CAA records.

    You could check the link below to understand it:

    Resource Record Types


    And Windows Server 2016 DNS provides unknown record support, for your reference:

    What's New in DNS Server in Windows Server 2016


    Best Regards


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by John Lii Tuesday, February 7, 2017 2:45 AM
    Friday, January 20, 2017 7:37 AM
  • Hi Chris,

    Just want to confirm the current situation.

    If there is anything we can do for you, please feel free to post in the forum.

    Best Regards



    Tuesday, February 7, 2017 2:45 AM
  • This is an unacceptable answer. Microsoft should not require an entire operating system upgrade to support something they should have all along. And with the sheer number of issues with Windows 10/2016, it will be unusable for at least another year.

    Oh, and thanks for giving us a link to what a DNS resource record type is.  I'm pretty sure we didn't know what that was already.
    • Edited by Brain2000 Monday, June 5, 2017 5:22 PM
    Monday, June 5, 2017 5:21 PM
  • This is not acceptable since CAA records are mandatory by all browsers and SSL authorities for SSL issuing by September 1st. How come Microsoft is falling behind on this important change to SSL certificates?

    Monday, July 24, 2017 1:52 PM
  • CAA is mandatory for public CAs (Certificate Authorities) that are embedded in the root programs of the world to check when issuing a certificate on behalf of an organization; if you do not list any CA within your DNS, then all CAs can issue for your organization without issue.

    It is almost like a network policy for roots: you can either trust all roots in the root program or select X number of roots, and all other public roots would be untrusted by your network.

    Bottom line: if you want to limit the CAs that can issue for your organization, then add CAA to all your DNS entries; if not, then you do not need to worry about adding CAA.

    Wednesday, August 30, 2017 7:43 PM
  • As a workaround solution:

    Try using https://sslmate.com/caa/ to generate a CAA record using an unknown record.

    Add the domain and the CA, either simple (issue) or wildcard (issuewild).
    Find the result in "Legacy Zone File"; example for a non-wildcard certificate for
    mydomain.com, comodoca.com:

     Legacy Zone File (RFC 3597 Syntax)

    For BIND <9.9.6, NSD <4.0.1, Windows Server 2016

    mydomain.com.	IN	TYPE257	\# 19 00056973737565636F6D6F646F63612E636F6D
    mydomain.com.	IN	TYPE257	\# 12 0009697373756577696C643B

    • Edited by olaruv Monday, October 16, 2017 9:12 AM
    Monday, October 16, 2017 9:09 AM
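    As an added example (not from the thread, and not sslmate's tool), the following Python builds the RFC 3597 generic-record line for a CAA record the way the post above shows it, and decodes such a line back for checking before it is pasted into a Windows Server 2016 zone; the owner name and CA are the ones from the post, and the length check catches the most common hand-editing mistake (a `\# <len>` that no longer matches the hex).

```python
# Added example (not from the original thread): encode a CAA record in RFC 3597
# "unknown record" syntax and decode it again to verify the length field.
import binascii

CAA_TYPE = 257  # IANA RR type number for CAA (RFC 6844)


def caa_rdata(tag: str, value: str, flags: int = 0) -> bytes:
    """Wire-format CAA RDATA: flags (1 octet), tag length (1 octet), tag, value.
    flags=128 sets the "issuer critical" bit defined in RFC 6844."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not tag_b.isalnum() or not 1 <= len(tag_b) <= 255:
        raise ValueError("tag must be 1-255 alphanumeric ASCII characters")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("ascii")


def rfc3597_record(owner: str, tag: str, value: str, flags: int = 0) -> str:
    r"""Zone-file line in RFC 3597 syntax: <owner> IN TYPE257 \# <len> <hex>."""
    rdata = caa_rdata(tag, value, flags)
    return f"{owner}\tIN\tTYPE{CAA_TYPE}\t\\# {len(rdata)} {rdata.hex().upper()}"


def parse_rfc3597(line: str) -> dict:
    """Decode a TYPE257 RFC 3597 line back into flags/tag/value.
    Raises ValueError if the declared length does not match the hex payload."""
    fields = line.split()
    if len(fields) < 6 or fields[2] != f"TYPE{CAA_TYPE}" or fields[3] != "\\#":
        raise ValueError("not an RFC 3597 CAA record")
    declared = int(fields[4])
    # RFC 3597 allows the hex to be split by whitespace, so join the remainder.
    rdata = binascii.unhexlify("".join(fields[5:]))
    if len(rdata) != declared:
        raise ValueError(f"length field says {declared} but payload is {len(rdata)} octets")
    flags, tag_len = rdata[0], rdata[1]
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("ascii")
    return {"owner": fields[0], "flags": flags, "tag": tag, "value": value}


if __name__ == "__main__":
    for line in (rfc3597_record("mydomain.com.", "issue", "comodoca.com"),
                 rfc3597_record("mydomain.com.", "issuewild", ";")):
        print(line)
        print("  ->", parse_rfc3597(line))
```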
  • I agree.
    Separate components should be upgradeable within the OS.
    Thursday, November 9, 2017 12:12 PM
  • Before bashing any Microsoft OS, maybe you can elaborate on the many issues you wrote about?

    I agree that it is cumbersome to install a new OS version to get the new capabilities in DNS.

    But I don't understand what you are talking about in terms of issues in Windows Server 2016!

    If you only need a DNS server, you could install Server Core only with the DNS role installed.

    After that you could remove the payload of all unneeded roles/features, giving you a system with a very low attack surface.

    The rest is done with Windows Firewall.

    I have operated a public Windows Server DNS server in this configuration for several years with no issues so far!

    Christian Schindler

    Friday, November 10, 2017 6:07 PM
  • Supported versions as of this date:

    Syntax Type   DNS Product
    Standard      BIND 9.9.6 and higher
                  PowerDNS 4.0.0 and higher
                  NSD 4.0.1 and higher
                  Knot DNS 2.2.0 and higher
                  Simple DNS Plus 6
                  Windows Server 2016
    Legacy        BIND: any version prior to BIND 9.9.6
                  NSD: any version prior to NSD 4.0.1
    Generic       Google Cloud DNS

    The source is Entrust, and specifically the guideline for Windows 2016 is as below.


    Wednesday, July 11, 2018 2:23 AM