[Solved] DNS CAA records ????

13 posts / 0 new
Last post
#1 Wed, 05/10/2017 - 07:21

[Solved] DNS CAA records ????


I'm still tweaking the SSL setup of wy new Virtualmin server to be at best possible but I found that: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum

Is someone aware of that ? Virtualmin doesn't handle CAA records in DNS, I guess I can still add it manually but is it legitimate ? Didn't find much infos about that on the net !



Wed, 05/10/2017 - 09:52

oki found the answer by myself and so edited Bind template in my virtualmin to include by default in all new zones these two records:

${DOM}. IN CAA 0 issue "letsencrypt.org"
${DOM}. IN CAA 0 issuewild ";"
Wed, 05/10/2017 - 10:26
cinterpro's picture

Hi vincen. This is news to me. Currently i have a box with 2 domains on it and https, works fine. But, no i didn´t know this. Where did you edit this?
Webmin -> Bind DNS Server -> and than?

Edit Config File? and than add this line beneath these lines?
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Hoping to hear from you again.

Thu, 05/11/2017 - 01:24

No no, you have to add it in Bind template for zone ! Virtualmin -> System Settings -> Server Templates -> Default Settings -> BIND DNS Domain In the first field "BIND DNS records for new domains you add the two lines I indicated and you save !

You have also to remove all ciphers that are 128bits or less in your Apache config and then you should get A grade on that test like me: SSL A Grade

Thu, 05/11/2017 - 01:56

And with the last tweaks became A+, woouhouu ;) SSL A Grade

Thu, 05/11/2017 - 03:22
cinterpro's picture

Dear vincen. many thanks for the tip. Now i also have a A- certificate. which is quite great. But I am also intrested in obtaining a A+ certificate :-) do to my domain -> Services -> Configure Website for SSL and where it says SSL protocols I see that TLSv1. is marked. But when I do what you say the apache doesn´t start You have also to remove all ciphers that are 128bits or less in your Apache config and then you should get A grade on that test like me: log in to webmin - webmin panel - Apache Webserver - click on the virtual server you want to change - in the new screen click on 'edit directives' - put your changes in there and restart Apache

I have this: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
When i leave it in : SSLProtocol TLSv1
as said, the apache doesn´t restart. when restoring the line everything works again.
Can you please let me know what I might be doing wrong?
Many thanks in advance..

Thu, 05/11/2017 - 03:59

You should check the error when you try to restart Apache and it doesn't want ! You are probably missing some modules not activated in Apache or not installed ;) because normally only TLS 1.2 should be active, everything else off !! I added also these directives to make it more secure in ssl.conf of Apache (be careful to activate the headers module in Apache first or you won't be able to restart Apache after modifications !

SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
    SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
Thu, 05/11/2017 - 05:38
cinterpro's picture

Hi there. Just send you an email for a bit more help. IF you are free/avaiable. Hoping to hear from you. Regards, Paco

Thu, 05/11/2017 - 06:36 (Reply to #8)

Made a tutorial explaining whole process, hope it can help ;) https://www.virtualmin.com/node/52164

Thu, 05/11/2017 - 21:46
Diabolico's picture

You should really enable TLSv1 and 1.1 otherwise you will cut out good amount of devices, especially mobile one.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Fri, 05/12/2017 - 01:36 (Reply to #10)

TLS 1 and 1.1 are now considered as weak so they should not be activated ! It's not because lot of outdated and insecure devices are in the field that you should continue to use outdated and weak protocol no ? :)

Fri, 05/12/2017 - 12:13
Diabolico's picture

I'm using it on all websites of my clients and still get A+ score, so definitely they are not obsolete. Some things i like to push to the never versions (e.g. PHP) but some is better to hold the middle ground. I dont really want to cut XX% of mobile/tablet users especially when it comes to more serious/demanding clients.

Plus depends on your configuration if TLSv1.0 and 1.1 will be secure or not, what chipper and so on. For example if nothing changed IE 7-10 dont support 1.1 by default and only IE 11 have this enabled. Who knows how many mobile phones and tablets have same situation. This are pretty big numbers to be so easy cut off from your website (especially from your clients). Balance is the key word here.

Only reason to disable TLSv1.0 would be PCI compliance, still you can use other two without any problem.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Wed, 12/11/2019 - 09:59

I'm considering nominating this for the "Best post on this forum" award! Thanks so much.

I used:

mysite.com. IN CAA 0 issue "letsencrypt.org"

mysite.com. IN CAA 0 issuewild ";"

Rather than:

mysite. IN CAA 0 issue "letsencrypt.org"

mysite. IN CAA 0 issuewild ";"

Note the added .com. I did this to match the other entries in my BIND DNS record.

Can you please let me know if this is appropriate and safe behaviour?

Topic locked