From edf047102b109ca520e8d3697d84b8c27135fba4 Mon Sep 17 00:00:00 2001
From: llange
Date: Mon, 18 Dec 2023 15:35:10 +0100
Subject: [PATCH] FEATURE: CAA_BUILDER: add `issue_critical` and `issuewild_critical` (#2728)
Co-authored-by: Tom Limoncelli
---
 commands/types/dnscontrol.d.ts | 4 +-
 documentation/functions/domain/CAA_BUILDER.md | 77 ++++++++++++++++---
 pkg/js/helpers.js | 18 ++++-
 3 files changed, 84 insertions(+), 15 deletions(-)
diff --git a/commands/types/dnscontrol.d.ts b/commands/types/dnscontrol.d.ts
index 9cacc652d..6c0f86a39 100644
--- a/commands/types/dnscontrol.d.ts
+++ b/commands/types/dnscontrol.d.ts
@@ -398,7 +398,9 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
  * * `iodef:` Report all violation to configured mail address.
  * * `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
  * * `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+ * * `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
  * * `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+ * * `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
  *
  * `CAA_BUILDER()` returns multiple records (when configured as example above):
  *
@@ -411,7 +413,7 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
  *
  * @see https://docs.dnscontrol.org/language-reference/domain-modifiers/caa_builder
  */
-declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issuewild: string[] }): DomainModifier;
+declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issue_critical?: boolean; issuewild: string[]; issuewild_critical?: boolean }): DomainModifier;
 
 /**
  * `CF_REDIRECT` uses Cloudflare-specific features ("Forwarding URL" Page Rules) to
diff --git a/documentation/functions/domain/CAA_BUILDER.md b/documentation/functions/domain/CAA_BUILDER.md
index 8e7c445e3..d3f928038 100644
--- a/documentation/functions/domain/CAA_BUILDER.md
+++ b/documentation/functions/domain/CAA_BUILDER.md
@@ -5,14 +5,18 @@ parameters:
   - iodef
   - iodef_critical
   - issue
+  - issue_critical
   - issuewild
+  - issuewild_critical
 parameters_object: true
 parameter_types:
   label: string?
   iodef: string
   iodef_critical: boolean?
   issue: string[]
+  issue_critical: boolean?
   issuewild: string[]
+  issuewild_critical: boolean?
 ---
 
 DNSControl contains a `CAA_BUILDER` which can be used to simply create
@@ -22,7 +26,7 @@ authorized certificate authorities and the builder cares about the rest.
 ## Example
 
-For example you can use:
+### Simple example
 
 {% code title="dnsconfig.js" %}
 ```javascript
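Review bot: The new signature on the `+declare function CAA_BUILDER(` line keeps `issuewild: string[]`, yet the example this same commit adds to CAA_BUILDER.md passes `issuewild: "none"` as a bare string, and the parameter description says `"none"` can be given "simply". Under the declared type that example would not type-check against dnscontrol.d.ts, so one of the two should change: either widen the declaration, `issuewild: string[] | "none";`, or write the example as `issuewild: ["none"]`. The same question applies to `issue: string[]`, whose description also mentions `"none"`, though it is less clear there whether a bare string is meant. Whether helpers.js actually accepts a bare string cannot be confirmed from this patch, because the start of CAA_BUILDER's body, where such a value would be handled, lies above the helpers.js hunk.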
@@ -39,15 +43,7 @@ CAA_BUILDER({
 ```
 {% endcode %}
 
-The parameters are:
-
-* `label:` The label of the CAA record. (Optional. Default: `"@"`)
-* `iodef:` Report all violation to configured mail address.
-* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
-* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
-* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
-
-`CAA_BUILDER()` returns multiple records (when configured as example above):
+`CAA_BUILDER()` builds multiple records:
 
 {% code title="dnsconfig.js" %}
 ```javascript
@@ -57,3 +53,64 @@ CAA("@", "issue", "comodoca.com")
 CAA("@", "issuewild", ";")
 ```
 {% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 0 issue "letsencrypt.org"
+@ 300 IN CAA 0 issue "comodoca.com"
+@ 300 IN CAA 0 issuewild ";"
+```
+
+### Example with CAA_CRITICAL flag on all records
+
+The same example can be enriched with CAA_CRITICAL on all records:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA_BUILDER({
+  label: "@",
+  iodef: "mailto:test@example.com",
+  iodef_critical: true,
+  issue: [
+    "letsencrypt.org",
+    "comodoca.com",
+  ],
+  issue_critical: true,
+  issuewild: "none",
+  issuewild_critical: true,
+})
+```
+{% endcode %}
+
+`CAA_BUILDER()` then builds (the same) multiple records - all with CAA_CRITICAL flag set:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
+CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL)
+CAA("@", "issue", "comodoca.com", CAA_CRITICAL)
+CAA("@", "issuewild", ";", CAA_CRITICAL)
+```
+{% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 128 issue "letsencrypt.org"
+@ 300 IN CAA 128 issue "comodoca.com"
+@ 300 IN CAA 128 issuewild ";"
+```
+
+
+### Parameters
+
+* `label:` The label of the CAA record. (Optional. Default: `"@"`)
+* `iodef:` Report all violation to configured mail address.
+* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+* `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+* `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
diff --git a/pkg/js/helpers.js b/pkg/js/helpers.js
index e28957962..05dcef9ee 100644
--- a/pkg/js/helpers.js
+++ b/pkg/js/helpers.js
@@ -1478,13 +1478,23 @@ function CAA_BUILDER(value) {
         }
     }
 
-    if (value.issue)
+    if (value.issue) {
+        var flag = function() {};
+        if (value.issue_critical) {
+            flag = CAA_CRITICAL;
+        }
         for (var i = 0, len = value.issue.length; i < len; i++)
-            r.push(CAA(value.label, 'issue', value.issue[i]));
+            r.push(CAA(value.label, 'issue', value.issue[i], flag));
+    }
 
-    if (value.issuewild)
+    if (value.issuewild) {
+        var flag = function() {};
+        if (value.issuewild_critical) {
+            flag = CAA_CRITICAL;
+        }
         for (var i = 0, len = value.issuewild.length; i < len; i++)
-            r.push(CAA(value.label, 'issuewild', value.issuewild[i]));
+            r.push(CAA(value.label, 'issuewild', value.issuewild[i], flag));
+    }
 
     return r;
 }
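Review bot: `var flag = function() {};` is declared twice in the same function scope, once in the `issue` block and once in the `issuewild` block; `var` is function-scoped, so the second line silently re-binds the variable the first one created instead of introducing a block-local one, which works only because the two blocks run in sequence and reads as if they were independent. Each block can be reduced to one conditional expression that also drops the mutable placeholder: `var issueFlag = value.issue_critical ? CAA_CRITICAL : function() {};` and `var issuewildFlag = value.issuewild_critical ? CAA_CRITICAL : function() {};`, with the corresponding `CAA(...)` call passing that name. A one-line comment such as `// no-op modifier: CAA() applies function modifiers, so an empty one leaves the record unchanged` would help, since CAA()'s handling of a function argument is not visible in this hunk and I am inferring it from the call. CAA_BUILDER's body starts above the hunk; the `iodef` handling and any normalisation of `"none"` are outside it.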