FEATURE: CAA_BUILDER: add issue_critical and issuewild_critical (#2728)

Co-authored-by: Tom Limoncelli <tlimoncelli@stackoverflow.com>
2024-05-11 05:55:12 +00:00 · 2023-12-18 15:35:10 +01:00
parent 36f6b19943
commit edf047102b
3 changed files with 84 additions and 15 deletions
--- a/commands/types/dnscontrol.d.ts
+++ b/commands/types/dnscontrol.d.ts
@ -398,7 +398,9 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
 * * `iodef:` Report all violation to configured mail address.
 * * `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
 * * `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+ * * `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
 * * `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+ * * `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
 *
 * `CAA_BUILDER()` returns multiple records (when configured as example above):
 *
@ -411,7 +413,7 @@ declare function CAA(name: string, tag: "issue" | "issuewild" | "iodef", value:
 *
 * @see https://docs.dnscontrol.org/language-reference/domain-modifiers/caa_builder
 */
-declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issuewild: string[] }): DomainModifier;
+declare function CAA_BUILDER(opts: { label?: string; iodef: string; iodef_critical?: boolean; issue: string[]; issue_critical?: boolean; issuewild: string[]; issuewild_critical?: boolean }): DomainModifier;

 /**
 * `CF_REDIRECT` uses Cloudflare-specific features ("Forwarding URL" Page Rules) to
--- a/documentation/functions/domain/CAA_BUILDER.md
+++ b/documentation/functions/domain/CAA_BUILDER.md
@ -5,14 +5,18 @@ parameters:
  - iodef
  - iodef_critical
  - issue
+  - issue_critical
  - issuewild
+  - issuewild_critical
 parameters_object: true
 parameter_types:
  label: string?
  iodef: string
  iodef_critical: boolean?
  issue: string[]
+  issue_critical: boolean?
  issuewild: string[]
+  issuewild_critical: boolean?
 ---

 DNSControl contains a `CAA_BUILDER` which can be used to simply create
@ -22,7 +26,7 @@ authorized certificate authorities and the builder cares about the rest.

 ## Example

-For example you can use:
+### Simple example

 {% code title="dnsconfig.js" %}
 ```javascript
@ -39,15 +43,7 @@ CAA_BUILDER({
 ```
 {% endcode %}

-The parameters are:
-
-* `label:` The label of the CAA record. (Optional. Default: `"@"`)
-* `iodef:` Report all violation to configured mail address.
-* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
-* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
-* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
-
-`CAA_BUILDER()` returns multiple records (when configured as example above):
+`CAA_BUILDER()` builds multiple records:

 {% code title="dnsconfig.js" %}
 ```javascript
@ -57,3 +53,64 @@ CAA("@", "issue", "comodoca.com")
 CAA("@", "issuewild", ";")
 ```
 {% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 0 issue "letsencrypt.org"
+@ 300 IN CAA 0 issue "comodoca.com"
+@ 300 IN CAA 0 issuewild ";"
+```
+
+### Example with CAA_CRITICAL flag on all records
+
+The same example can be enriched with CAA_CRITICAL on all records:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA_BUILDER({
+  label: "@",
+  iodef: "mailto:test@example.com",
+  iodef_critical: true,
+  issue: [
+    "letsencrypt.org",
+    "comodoca.com",
+  ],
+  issue_critical: true,
+  issuewild: "none",
+  issuewild_critical: true,
+})
+```
+{% endcode %}
+
+`CAA_BUILDER()` then builds (the same) multiple records - all with CAA_CRITICAL flag set:
+
+{% code title="dnsconfig.js" %}
+```javascript
+CAA("@", "iodef", "mailto:test@example.com", CAA_CRITICAL)
+CAA("@", "issue", "letsencrypt.org", CAA_CRITICAL)
+CAA("@", "issue", "comodoca.com", CAA_CRITICAL)
+CAA("@", "issuewild", ";", CAA_CRITICAL)
+```
+{% endcode %}
+
+which in turns yield the following records:
+
+```text
+@ 300 IN CAA 128 iodef "mailto:test@example.com"
+@ 300 IN CAA 128 issue "letsencrypt.org"
+@ 300 IN CAA 128 issue "comodoca.com"
+@ 300 IN CAA 128 issuewild ";"
+```
+
+
+### Parameters
+
+* `label:` The label of the CAA record. (Optional. Default: `"@"`)
+* `iodef:` Report all violation to configured mail address.
+* `iodef_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issue:` An array of CAs which are allowed to issue certificates. (Use `"none"` to refuse all CAs)
+* `issue_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
+* `issuewild:` An array of CAs which are allowed to issue wildcard certificates. (Can be simply `"none"` to refuse issuing wildcard certificates for all CAs)
+* `issuewild_critical:` This can be `true` or `false`. If enabled and CA does not support this record, then certificate issue will be refused. (Optional. Default: `false`)
--- a/pkg/js/helpers.js
+++ b/pkg/js/helpers.js
@ -1478,13 +1478,23 @@ function CAA_BUILDER(value) {
        }
    }

-    if (value.issue)
+    if (value.issue) {
+        var flag = function() {};
+        if (value.issue_critical) {
+          flag = CAA_CRITICAL;
+        }
        for (var i = 0, len = value.issue.length; i < len; i++)
-            r.push(CAA(value.label, 'issue', value.issue[i]));
+            r.push(CAA(value.label, 'issue', value.issue[i], flag));
+    }

-    if (value.issuewild)
+    if (value.issuewild) {
+        var flag = function() {};
+        if (value.issuewild_critical) {
+          flag = CAA_CRITICAL;
+        }
        for (var i = 0, len = value.issuewild.length; i < len; i++)
-            r.push(CAA(value.label, 'issuewild', value.issuewild[i]));
+            r.push(CAA(value.label, 'issuewild', value.issuewild[i], flag));
+    }

    return r;
 }