---
name: CAA_BUILDER
parameters:
  - label
  - iodef
  - iodef_critical
  - issue
  - issue_critical
  - issuewild
  - issuewild_critical
parameters_object: true
parameter_types:
  label: string?
  iodef: string
  iodef_critical: boolean?
  issue: string[]
  issue_critical: boolean?
  issuewild: string[]
  issuewild_critical: boolean?
---

DNSControl contains a `CAA_BUILDER` which can be used to simply create
[`CAA()`](../domain-modifiers/CAA.md) records for your domains. Instead of creating each [`CAA()`](../domain-modifiers/CAA.md) record
individually, you can simply configure your report mail address and the
authorized certificate authorities, and the builder takes care of the rest.

## Example

### Simple example

{% code title="dnsconfig.js" %}
```javascript
CAA_BUILDER({
  label: "@",
  iodef: "mailto:test@example.com",
  iodef_critical: true,
  issue: [
    "letsencrypt.org",
    "comodoca.com",
  ],
  issuewild: "none",
})
```
{% endcode %}

`CAA_BUILDER()` builds multiple records:

{% code title="dnsconfig.js" %}
```javascript
CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
CAA("@", "issue", "letsencrypt.org")
CAA("@", "issue", "comodoca.com")
CAA("@", "issuewild", ";")
```
{% endcode %}

which in turn yield the following records:

```text
@ 300 IN CAA 128 iodef "mailto:test@example.com"
@ 300 IN CAA 0 issue "letsencrypt.org"
@ 300 IN CAA 0 issue "comodoca.com"
@ 300 IN CAA 0 issuewild ";"
```
### Example with CAA_CRITICAL flag on all records
The same example can be enriched with CAA_CRITICAL on all records:
{% code title="dnsconfig.js" %}
```javascript
CAA_BUILDER({
  label: "@",
  iodef: "mailto:test@example.com",
  iodef_critical: true,
  issue: [
    "letsencrypt.org",
    "comodoca.com",
  ],
  issue_critical: true,
  issuewild: "none",
  issuewild_critical: true,
})
```
{% endcode %}
`CAA_BUILDER()` then builds the same records, all with the `CAA_CRITICAL` flag set:
{% code title="dnsconfig.js" %}
```javascript
CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL)
CAA("@", "issue", "comodoca.com", CAA_CRITICAL)
CAA("@", "issuewild", ";", CAA_CRITICAL)
```
{% endcode %}
which in turn yield the following records:
```text
@ 300 IN CAA 128 iodef "mailto:test@example.com"
@ 300 IN CAA 128 issue "letsencrypt.org"
@ 300 IN CAA 128 issue "comodoca.com"
@ 300 IN CAA 128 issuewild ";"
```
### Parameters
* `label:` The label of the CAA record. (Optional. Default: `"@"`)
* `iodef:` Report all violations to the configured mail address.
* `iodef_critical:` This can be `true` or `false`. If enabled and the CA does not support this record, certificate issuance will be refused. (Optional. Default: `false`)
* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
* `issue_critical:` This can be `true` or `false`. If enabled and the CA does not support this record, certificate issuance will be refused. (Optional. Default: `false`)
* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
* `issuewild_critical:` This can be `true` or `false`. If enabled and the CA does not support this record, certificate issuance will be refused. (Optional. Default: `false`)
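
The expansion documented above can be modelled outside DNSControl to review a planned CAA set before it is pushed. This is an added example, not DNSControl's own code: `expandCaa`, `toZoneLines` and `mayIssue` are hypothetical helpers, and `mayIssue` simplifies the RFC 8659 check (one record set, CA names compared verbatim, no issuer parameters or tree climbing).

```javascript
// Added example: a stand-alone model of the expansion documented on this page.
// Not DNSControl's implementation; all three helpers are hypothetical.
const CRITICAL = 128; // flag value shown in the page's zone output

function expandCaa(opts) {
  const label = opts.label || "@"; // documented default
  const records = [];
  const push = (tag, value, critical) =>
    records.push({ label, flags: critical ? CRITICAL : 0, tag, value });
  // Accept a single string ("none") or an array, as the page's examples do.
  const list = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

  if (opts.iodef) push("iodef", opts.iodef, opts.iodef_critical);
  for (const tag of ["issue", "issuewild"]) {
    for (const ca of list(opts[tag])) {
      // "none" is published as ";", which authorizes no CA for that tag.
      push(tag, ca === "none" ? ";" : ca, opts[tag + "_critical"]);
    }
  }
  return records;
}

function toZoneLines(records, ttl = 300) {
  return records.map((r) => `${r.label} ${ttl} IN CAA ${r.flags} ${r.tag} "${r.value}"`);
}

// Would this record set let `ca` issue? Wildcard requests are governed by
// issuewild when any is present, otherwise by issue (RFC 8659).
function mayIssue(records, ca, wildcard) {
  const byTag = (t) => records.filter((r) => r.tag === t).map((r) => r.value);
  let allowed = byTag("issue");
  if (wildcard && byTag("issuewild").length > 0) allowed = byTag("issuewild");
  if (allowed.length === 0) return true; // no relevant property: unrestricted
  return allowed.includes(ca); // ";" never matches a CA name
}

// Constructed input: the page's simple example.
const simple = expandCaa({
  label: "@",
  iodef: "mailto:test@example.com",
  iodef_critical: true,
  issue: ["letsencrypt.org", "comodoca.com"],
  issuewild: "none",
});
console.log(toZoneLines(simple).join("\n"));
console.log("letsencrypt.org, non-wildcard:", mayIssue(simple, "letsencrypt.org", false));
console.log("letsencrypt.org, wildcard:", mayIssue(simple, "letsencrypt.org", true));
```

Comparing the printed zone lines with the output of a CAA query for the domain shows whether the published set matches the intended policy.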