From edf047102b109ca520e8d3697d84b8c27135fba4 Mon Sep 17 00:00:00 2001
From: llange <llange@users.noreply.github.com>
Date: Mon, 18 Dec 2023 15:35:10 +0100
Subject: [PATCH] FEATURE: CAA_BUILDER: add `issue_critical` and
 `issuewild_critical` (#2728)

Co-authored-by: Tom Limoncelli <tlimoncelli@stackoverflow.com>
---
 commands/types/dnscontrol.d.ts                |  4 +-
 documentation/functions/domain/CAA_BUILDER.md | 77 ++++++++++++++++---
 pkg/js/helpers.js                             | 18 ++++-
 3 files changed, 84 insertions(+), 15 deletions(-)

diff --git a/commands/types/dnscontrol.d.ts b/commands/types/dnscontrol.d.ts
index 9cacc652d..6c0f86a39 100644
--- a/commands/types/dnscontrol.d.ts
+++ b/commands/types/dnscontrol.d.ts
@@ -398,7 +398,9 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
  * * `iodef:` Report all violation to configured mail address.
  * * `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
  * * `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+ * * `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
  * * `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+ * * `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
  *
  * `CAA_BUILDER()` returns multiple records (when configured as example above):
  *
@@ -411,7 +413,7 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
  *
  * @see https://docs.dnscontrol.org/language-reference/domain-modifiers/caa_builder
  */
-declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issuewild: string[] }): DomainModifier;
+declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issue_critical?: boolean; issuewild: string[]; issuewild_critical?: boolean }): DomainModifier;
 
 /**
  * `CF_REDIRECT` uses Cloudflare-specific features ("Forwarding URL" Page Rules) to
diff --git a/documentation/functions/domain/CAA_BUILDER.md b/documentation/functions/domain/CAA_BUILDER.md
index 8e7c445e3..d3f928038 100644
--- a/documentation/functions/domain/CAA_BUILDER.md
+++ b/documentation/functions/domain/CAA_BUILDER.md
@@ -5,14 +5,18 @@ parameters:
   - iodef
   - iodef_critical
   - issue
+  - issue_critical
   - issuewild
+  - issuewild_critical
 parameters_object: true
 parameter_types:
   label: string?
   iodef: string
   iodef_critical: boolean?
   issue: string[]
+  issue_critical: boolean?
   issuewild: string[]
+  issuewild_critical: boolean?
 ---
 
 DNSControl contains a `CAA_BUILDER` which can be used to simply create
@@ -22,7 +26,7 @@ authorized certificate authorities and the builder cares about the rest.
 
 ## Example
 
-For example you can use:
+### Simple example
 
 {% code title="dnsconfig.js" %}
 ```javascript
@@ -39,15 +43,7 @@ CAA_BUILDER({
 ```
 {% endcode %}
 
-The parameters are:
-
-* `label:` The label of the CAA record. (Optional. Default: `"@"`)
-* `iodef:` Report all violation to configured mail address.
-* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
-* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
-* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
-
-`CAA_BUILDER()` returns multiple records (when configured as example above):
+`CAA_BUILDER()` builds multiple records:
 
 {% code title="dnsconfig.js" %}
 ```javascript
@@ -57,3 +53,64 @@ CAA("@", "issue", "comodoca.com")
 CAA("@", "issuewild", ";")
 ```
 {% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 0 issue "letsencrypt.org"
+@ 300 IN CAA 0 issue "comodoca.com"
+@ 300 IN CAA 0 issuewild ";"
+```
+
+### Example with CAA_CRITICAL flag on all records
+
+The same example can be enriched with CAA_CRITICAL on all records:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA_BUILDER({
+  label: "@",
+  iodef: "mailto:test@example.com",
+  iodef_critical: true,
+  issue: [
+    "letsencrypt.org",
+    "comodoca.com",
+  ],
+  issue_critical: true,
+  issuewild: "none",
+  issuewild_critical: true,
+})
+```
+{% endcode %}
+
+`CAA_BUILDER()` then builds (the same) multiple records - all with CAA_CRITICAL flag set:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
+CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL)
+CAA("@", "issue", "comodoca.com", CAA_CRITICAL)
+CAA("@", "issuewild", ";", CAA_CRITICAL)
+```
+{% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 128 issue "letsencrypt.org"
+@ 300 IN CAA 128 issue "comodoca.com"
+@ 300 IN CAA 128 issuewild ";"
+```
+
+
+### Parameters
+
+* `label:` The label of the CAA record. (Optional. Default: `"@"`)
+* `iodef:` Report all violation to configured mail address.
+* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+* `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+* `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
diff --git a/pkg/js/helpers.js b/pkg/js/helpers.js
index e28957962..05dcef9ee 100644
--- a/pkg/js/helpers.js
+++ b/pkg/js/helpers.js
@@ -1478,13 +1478,23 @@ function CAA_BUILDER(value) {
         }
     }
 
-    if (value.issue)
+    if (value.issue) {
+        var flag = function() {};
+        if (value.issue_critical) {
+          flag = CAA_CRITICAL;
+        }
         for (var i = 0, len = value.issue.length; i < len; i++)
-            r.push(CAA(value.label, 'issue', value.issue[i]));
+            r.push(CAA(value.label, 'issue', value.issue[i], flag));
+    }
 
-    if (value.issuewild)
+    if (value.issuewild) {
+        var flag = function() {};
+        if (value.issuewild_critical) {
+          flag = CAA_CRITICAL;
+        }
         for (var i = 0, len = value.issuewild.length; i < len; i++)
-            r.push(CAA(value.label, 'issuewild', value.issuewild[i]));
+            r.push(CAA(value.label, 'issuewild', value.issuewild[i], flag));
+    }
 
     return r;
 }