
Record Types And How To Use Them



This page describes the specific record types and how they are used at RWTH.


 

CAA Records 

Since February 23, 2018, Domain Name System (DNS) Certification Authority Authorization (CAA) Resource Records (RRs) according to RFC 6844 (meanwhile superseded by RFC 8659) have been in use at RWTH Aachen University.

CAA records let a domain owner state which certificate authorities (CAs) may issue X.509 certificates (commonly called TLS or SSL certificates) for names under the domain. They are intended to stop certificates being issued by CAs the domain owner has not authorized. This only works if the CA actually checks the CAA records before issuing: since September 2017, CAs that follow the CA/Browser Forum Baseline Requirements have been required to do so. Note that CAA is enforced solely by the CA at issuance time; TLS clients never evaluate it, so it complements, rather than replaces, monitoring of Certificate Transparency logs for unexpected certificates.

What are the practical implications for a server administrator?

  1. Set and check the CAA records for the fully qualified hostname (FQDN) of the server in the DNS.
  2. Generate a certificate signing request (CSR) and submit it to a CA that is authorized in the CAA record.
  3. Step 1 is especially important if the certificate is requested from a CA outside the DFN-PKI, because only the DFN-PKI is authorized by default (see below).

The following rules apply to CAA records within the domains delegated to the RWTH name servers:

  • The DFN-PKI is authorized for all zones (domains) by default, i.e. the corresponding CAA records are already maintained by the RWTH hostmaster.
  • DNS administrators can set additional CAA records per host via the DNS-Admin tool in the NOC-Portal.
  • DNS administrators who do not have rights for the DNS-Admin tool can request CAA records for FQDNs in their zone(s) by email from the RWTH Hostmaster (hostmaster@rwth-aachen.de), the RWTH CA (ca@rwth-aachen.de) or the IT-ServiceDesk (servicedesk@itc.rwth-aachen.de).
  • The list of CAs available for selection is maintained by the RWTH CA. Currently it contains the CAs that have issued certificates so far (digicert.com, globalsign.com, letsencrypt.org, pki.dfn.de, telesec.de); these were identified via Cert Spotter, a Certificate Transparency monitor.
  • Certificates that have already been issued are not affected, because CAA records are only evaluated at issuance time; they never invalidate an existing certificate.
  • CAA records with the property "issuewild" (which govern wildcard certificates such as *.$DOMAIN.rwth-aachen.de) are only permitted for hosts and can be added on request via the RWTH CA (ca@rwth-aachen.de).
  • Because a CAA lookup starts at the FQDN and climbs the name hierarchy one label at a time, the CA uses the first CAA record set it finds; a record on a specific host therefore takes precedence over the record on the zone.

A query is made, for example, via

  dig caa +noall +answer $DOMAIN.rwth-aachen.de

or, if a specific entry exists for the host,

  dig caa +noall +answer $HOSTNAME.$DOMAIN.rwth-aachen.de
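The following is an added example, not code from the RWTH page or its tooling: it models the lookup a CA performs before issuing, as specified in RFC 8659 (the successor of RFC 6844), including the climb from the FQDN toward the zone that makes a host-level record override the zone-level one, the "issuewild" fallback to "issue", the explicit ";" that forbids every CA, and the critical flag. The dig-style answer text, the owner names under example.rwth-aachen.de and the CA names used in it are constructed for illustration and are not RWTH's real records.

```python
"""Added example: CAA evaluation per RFC 8659, run over constructed zone data."""

# Constructed answer in the format `dig caa +noall +answer` prints it.
# The names and values are hypothetical, not RWTH's real DNS content.
CONSTRUCTED_DIG_OUTPUT = """\
example.rwth-aachen.de.        3600 IN CAA 0 issue "pki.dfn.de"
www.example.rwth-aachen.de.    3600 IN CAA 0 issue "letsencrypt.org"
www.example.rwth-aachen.de.    3600 IN CAA 0 issue "pki.dfn.de"
static.example.rwth-aachen.de. 3600 IN CAA 0 issue ";"
lab.example.rwth-aachen.de.    3600 IN CAA 0 issue "pki.dfn.de"
lab.example.rwth-aachen.de.    3600 IN CAA 0 issuewild "digicert.com"
strict.example.rwth-aachen.de. 3600 IN CAA 128 futuretag "some-value"
"""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_dig_answer(text):
    """Turn dig answer lines into {owner: [(flags, tag, value), ...]}."""
    zone = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, flags, tag, value = line.split(None, 6)
        if rtype.upper() != "CAA":
            continue
        rec = (int(flags), tag.lower(), value.strip().strip('"'))
        zone.setdefault(owner.lower(), []).append(rec)
    return zone


def relevant_caa_rrset(fqdn, zone):
    """RFC 8659 section 3: start at the FQDN and climb one label at a time up
    to the TLD; the first owner name that has a CAA RRset is the relevant one.
    Returns (owner, records), or (None, []) if no CAA RRset exists on the path."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return owner, zone[owner]
    return None, []


def ca_authorized(ca_domain, fqdn, zone, wildcard=False):
    """Would the CA identified by ca_domain be allowed to issue for fqdn
    (or for *.fqdn when wildcard=True)?"""
    _owner, rrset = relevant_caa_rrset(fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: CAA does not restrict issuance
    # Critical flag (bit 128) on a tag the CA does not understand: must not issue.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    relevant = [v for _, t, v in rrset if t == tag]
    if not relevant:
        return True  # only non-restricting properties (e.g. iodef) are present
    allowed = set()
    for value in relevant:
        domain = value.split(";", 1)[0].strip().lower()  # drop "; param=value" parts
        if domain:  # a bare ";" names no CA at all, i.e. nobody may issue
            allowed.add(domain)
    return ca_domain.lower() in allowed


ZONE = parse_dig_answer(CONSTRUCTED_DIG_OUTPUT)

if __name__ == "__main__":
    for name, ca, wild in [("host.example.rwth-aachen.de", "pki.dfn.de", False),
                           ("www.example.rwth-aachen.de", "letsencrypt.org", False),
                           ("static.example.rwth-aachen.de", "pki.dfn.de", False),
                           ("lab.example.rwth-aachen.de", "pki.dfn.de", True)]:
        print(f"{ca:16} {'*.' if wild else ''}{name}: {ca_authorized(ca, name, ZONE, wild)}")
```

In this constructed data, host.example.rwth-aachen.de has no record of its own, so the zone's "issue pki.dfn.de" applies to it; www.example.rwth-aachen.de carries its own records, so letsencrypt.org is authorized there and the zone record is not consulted at all. A name whose path to the TLD has no CAA record is unrestricted, which is why the DFN-PKI default record on the zone matters: without it any CA could issue.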
 

SSHFP Records

All users authorized to use DNS-Admin can store Secure Shell fingerprints (SSHFP records) in the DNS, either as individual entries or via mass import (see RFC 4255, RFC 6594 and RFC 7479). The structure of this record type is (for the complete algorithm and fingerprint-type numbers see the IANA SSHFP parameter registry at iana.org):

  <$SERVER.$DOMAIN.rwth-aachen.de.> [<TTL in seconds>] [<Class>] SSHFP <number of the algorithm> <number of the hash type> <hexadecimal fingerprint>
 
Algorithm numbers: 1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519, 6 = Ed448. Hash types: 1 = SHA-1, 2 = SHA-256. The fingerprint is the hash of the binary (base64-decoded) public key blob; ssh-keygen -r prints one record per host key and hash type.
  1. Generate the SSHFP records
    • on the server (reads the host keys in /etc/ssh)

      sudo ssh-keygen -r $HOSTNAME.$DOMAIN.rwth-aachen.de
    • remotely (via the grabsshfp.sh helper script)

      /grabsshfp.sh $HOSTNAME.$DOMAIN.rwth-aachen.de
       
  2. Use SSHFP when establishing a connection
    • per connection

      ssh -o VerifyHostKeyDNS=yes -l $USER $HOSTNAME.$DOMAIN.rwth-aachen.de
       
      ssh -o FingerprintHash=sha256 -o VerifyHostKeyDNS=yes -l $USER $HOSTNAME.$DOMAIN.rwth-aachen.de
       
    • global SSH client configuration (all SSH connections from one computer, see "Hostname canonicalisation in OpenSSH")

      /etc/ssh/ssh_config
      CanonicalizeHostname yes
      CanonicalDomains $DOMAIN.rwth-aachen.de
      CanonicalizeMaxDots 0
      CanonicalizeFallbackLocal no
      VerifyHostKeyDNS yes

Two points to keep in mind: ssh accepts an SSHFP match without prompting only when the resolver reports the answer as DNSSEC-validated (AD bit); a fingerprint from an unvalidated answer is treated as if VerifyHostKeyDNS were set to "ask", so the usual fingerprint prompt still appears. And a record generated remotely fingerprints whatever key was presented on the wire at that moment, so confirm it against the key on the server before publishing it. The canonicalisation settings ensure that a short hostname such as $HOSTNAME is expanded to the FQDN under which the SSHFP record is published; with CanonicalizeFallbackLocal set to no, a name that cannot be canonicalised within $DOMAIN.rwth-aachen.de makes ssh fail instead of silently falling back to the local resolver search list.
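The following is an added example, not code from the RWTH page, OpenSSH or the grabsshfp.sh script: it shows both halves of the SSHFP mechanism described above, building records from an OpenSSH public key line the way ssh-keygen -r does (algorithm number from the key type, fingerprint as hash of the decoded key blob, one record per hash type) and checking a presented host key against a published record the way a client with VerifyHostKeyDNS does. The key is constructed from fixed bytes so the example runs offline; it is not a real host key, and the owner name host.example.rwth-aachen.de. is hypothetical.

```python
"""Added example: generate and verify SSHFP records (RFC 4255, 6594, 7479)."""
import base64
import hashlib
import hmac

# Numbers from the IANA SSHFP parameter registries.
ALGORITHMS = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4, "ssh-ed448": 6,
}
FINGERPRINT_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def constructed_key(seed):
    """Hypothetical ssh-ed25519 public key line whose 32 'key' bytes are seed.
    Wire format: uint32 length + key type, uint32 length + key bytes."""
    assert len(seed) == 32
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + seed
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


def _key_blob(pubkey_line):
    """Split a public key line into its type and the decoded binary blob."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob embeds its own type string; refuse lines where the two disagree.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in text does not match key blob")
    return keytype, blob


def sshfp_records(owner, pubkey_line, fingerprint_types=(1, 2)):
    """SSHFP RRs in zone-file syntax; the fingerprint is the hash of the
    base64-decoded key blob, which is what `ssh-keygen -r` prints."""
    keytype, blob = _key_blob(pubkey_line)
    algo = ALGORITHMS[keytype]
    return [f"{owner} IN SSHFP {algo} {t} {FINGERPRINT_TYPES[t](blob).hexdigest()}"
            for t in fingerprint_types]


def parse_sshfp(rr):
    """Accept '<owner> [ttl] [class] SSHFP <algo> <type> <hex>'."""
    parts = rr.split()
    i = parts.index("SSHFP")
    return parts[0], int(parts[i + 1]), int(parts[i + 2]), parts[i + 3].lower()


def key_matches_sshfp(pubkey_line, rr):
    """Client-side check: hash the key the server presented and compare it with
    the DNS record; the algorithm number must agree as well."""
    _owner, algo, ftype, fp = parse_sshfp(rr)
    keytype, blob = _key_blob(pubkey_line)
    if ALGORITHMS.get(keytype) != algo or ftype not in FINGERPRINT_TYPES:
        return False
    digest = FINGERPRINT_TYPES[ftype](blob).hexdigest()
    return hmac.compare_digest(digest, fp)


if __name__ == "__main__":
    key = constructed_key(bytes(range(32)))
    for rr in sshfp_records("host.example.rwth-aachen.de.", key):
        print(rr)
        print("  matches presented key:", key_matches_sshfp(key, rr))
```

A real deployment takes the key line from /etc/ssh/ssh_host_*_key.pub on the server rather than from constructed_key, and the records go into the zone via DNS-Admin. The comparison deliberately checks the algorithm number as well as the digest: a record for an RSA key must not validate an Ed25519 key that happens to hash to the same value, and the type embedded in the blob is cross-checked so that a mislabelled key line is rejected rather than fingerprinted under the wrong algorithm.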
       

 


last changed on 09/25/2025


This work is licensed under a Creative Commons Attribution - Share Alike 3.0 Germany License