In this tutorial we will see how to add a CAA record to an Azure DNS zone. At the time of writing (2020) the Azure portal did not offer a straightforward way to add a CAA record through the GUI, so the record is added with PowerShell cmdlets run from Microsoft Azure Cloud Shell.
Before you proceed, you must ensure you have access to the Microsoft Azure Cloud Shell. If you want to see how to access Microsoft Azure Cloud Shell, you can look at this video on How to access terminal of Virtual Machine using Cloud Shell in Azure. Launch the Cloud Shell and keep it ready to start executing the commands in the steps mentioned below.
Table of Contents
- Steps to Add CAA record to Azure DNS
- Step 1 Obtain the Subscription Id
- Step 2 List the DNS Zones
- Step 3 List DNS Record of a DNS Zone based on Record Type
- Step 4 Verify CAA Record for DNS Zone
Steps to Add CAA record to Azure DNS
A CAA (Certification Authority Authorization, RFC 8659) record lets a domain owner state which Certificate Authorities are allowed to issue certificates for the domain. Publicly trusted CAs are required by the CA/Browser Forum Baseline Requirements to check CAA before issuing, so a correct record blocks issuance by every CA you have not listed; browsers do not consult it, and it has no effect on certificates that already exist. The value of an issue record is the identifier published by the CA, for example digicert.com for DigiCert and letsencrypt.org for Let's Encrypt (not letsencrypt.com). Wildcard issuance is controlled separately by the issuewild tag; when no issuewild record exists, the issue records apply to wildcard names too.
We will see how to add digicert.com as the authorized certificate authority for a DNS zone created in Azure.
Launch Azure Cloud Shell. If Bash is selected as the default shell, switch to PowerShell.
Step 1 Obtain the Subscription Id
Type the following command to list the subscriptions associated with your account. The tutorial uses the older AzureRm cmdlet names; if the AzureRm module is not available in your Cloud Shell, use the Az module equivalent, Get-AzSubscription, which prints the same table.
```powershell
Get-AzureRmSubscription
```
You will see something like below depending on the number of subscriptions you are associated with
Name | Id | TenantId | State |
---|---|---|---|
Visual Studio Enterprise | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Enabled |
Visual Studio Premium with MSDN | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | Enabled |
In the above table the Id column holds the subscription id.
Set the Azure context to the subscription that contains the DNS zone (Az equivalent: Set-AzContext -SubscriptionId).
```powershell
Set-AzureRmContext -SubscriptionId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
```
Step 2 List the DNS Zones
Type the following command to list the DNS zones in the selected subscription (Az equivalent: Get-AzDnsZone).
```powershell
Get-AzureRmDnsZone
```
Output:
Property | Value
---|---
Name | example1.com
ResourceGroupName | example1-rg
Etag | 00000002-0000-0000-xxxx-xxxxxxxxxxxx
Tags | {}
NameServers | {ns1-01.azure-dns.com., ns2-01.azure-dns.net., ns3-01.azure-dns.org., ns4-01.azure-dns.info.}
ZoneType | Public
RegistrationVirtualNetworkIds | {}
ResolutionVirtualNetworkIds | {}
NumberOfRecordSets | 3
MaxNumberOfRecordSets | 10000

Property | Value
---|---
Name | example2.com
Etag | 00000002-0000-0000-xxxx-xxxxxxxxxxxx
Tags | {}
NameServers | {ns1-06.azure-dns.com., ns2-06.azure-dns.net., ns3-06.azure-dns.org., ns4-06.azure-dns.info.}
ZoneType | Public
RegistrationVirtualNetworkIds | {}
ResolutionVirtualNetworkIds | {}
NumberOfRecordSets | 5
MaxNumberOfRecordSets | 10000
Type the following command to list only the DNS zones in a specific resource group.
```powershell
Get-AzureRmDnsZone -ResourceGroupName example1-rg
```
List all the DNS records of a zone
Type the following command to list the record sets of a DNS zone (Az equivalent: Get-AzDnsRecordSet).
```powershell
Get-AzureRmDnsRecordSet -ResourceGroupName example1-rg -ZoneName example1.com
```
Output:
Property | Value
---|---
Id | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/A/@
Name | @
ZoneName | example1.com
ResourceGroupName | example1-rg
Ttl | 3600
Etag | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType | A
TargetResourceId |
Records | {11.11.111.11}
Metadata |
ProvisioningState | Succeeded

Property | Value
---|---
Id | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/NS/@
Name | @
ZoneName | example1.com
ResourceGroupName | example1-rg
Ttl | 172800
Etag | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType | NS
TargetResourceId |
Records | {ns1-01.azure-dns.com., ns2-01.azure-dns.net., ns3-01.azure-dns.org., ns4-01.azure-dns.info.}
Metadata |
ProvisioningState | Succeeded

Property | Value
---|---
Id | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/SOA/@
Name | @
ZoneName | example1.com
ResourceGroupName | example1-rg
Ttl | 3600
Etag | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType | SOA
TargetResourceId |
Records | {[ns1-01.azure-dns.com.,azuredns-hostmaster.microsoft.com,3600,300,2419200,300]}
Metadata |
ProvisioningState | Succeeded
Step 3 List DNS Record of a DNS Zone based on Record Type
Type the following command to list only the record sets of a given type in a DNS zone, here the SOA record.
```powershell
Get-AzureRmDnsRecordSet -ResourceGroupName example1-rg -ZoneName example1.com -RecordType SOA
```
Output:
Property | Value
---|---
Id | /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/SOA/@
Name | @
ZoneName | example1.com
ResourceGroupName | example1-rg
Ttl | 3600
Etag | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType | SOA
TargetResourceId |
Records | {[ns1-01.azure-dns.com.,azuredns-hostmaster.microsoft.com,3600,300,2419200,300]}
Metadata |
ProvisioningState | Succeeded
Add a CAA record set to the Azure DNS zone
We will add a CAA record set to the Azure DNS zone.
Declare variables for the zone name, resource group, certificate authority and incident report address. The resource group must be the one that holds the zone (example1-rg in the listing above). The iodef address is the mailbox that will receive reports from CAs that refuse a certificate request because of this record; the value below is a placeholder to replace with your own.
```powershell
$zonename = "example1.com"
$resourcegroup = "example1-rg"
$certificateauthority = "digicert.com"        # possible values are: letsencrypt.org, digicert.com
$incidentreport = "caa-reports@example1.com"  # placeholder: the mailbox that should receive CAA violation reports
```
Now build the list of CAA records in the addcaarecord variable and create the record set. The record set is named "@", the zone apex; CAs evaluating a subdomain that has no CAA record of its own climb to the nearest parent that has one, so an apex record covers the whole zone. Flag 0 marks the records as non-critical, which is what you want for the standard issue and iodef tags; flag 128 tells a CA to refuse issuance if it does not understand the tag. The iodef value must be a URL, hence the mailto: prefix.
Command to add the CAA record set to Azure DNS (these are Az module cmdlets; the AzureRm names are New-AzureRmDnsRecordConfig and New-AzureRmDnsRecordSet):
```powershell
$addcaarecord = @()
$addcaarecord += New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "issue" -CaaValue $certificateauthority
$addcaarecord += New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "iodef" -CaaValue "mailto:$incidentreport"
New-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zonename -ResourceGroupName $resourcegroup -Ttl 3600 -DnsRecords $addcaarecord
```
New-AzDnsRecordSet fails if a CAA record set named "@" already exists in the zone. In that case either add the -Overwrite switch, which replaces the existing set, or fetch the set with Get-AzDnsRecordSet, append records with Add-AzDnsRecordConfig and save it with Set-AzDnsRecordSet.
Step 4 Verify CAA Record for DNS Zone
Verify that the CAA record set now appears among the DNS zone records. From Cloud Shell:
```powershell
Get-AzDnsRecordSet -ResourceGroupName $resourcegroup -ZoneName $zonename -Name "@" -RecordType CAA
```
Alternatively, open the DNS zone in the Azure portal and click Refresh in the overview to see the CAA record set, or visit the dnsspy CAA validator and enter your domain name. A check made through a public resolver can lag behind because of caching; the zone's own Azure name servers (the NameServers value from Step 2) answer authoritatively as soon as the record set is created.
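The whole procedure above as one re-runnable script. This is an added example and not code from the original tutorial: it uses the Az module cmdlets, checks whether a CAA record set already exists at the apex and replaces its contents in place instead of failing, validates that the iodef value is a URL before touching the zone, and then reads the record set back from Azure and compares it with what was requested. The subscription id, zone name example1.com, resource group example1-rg and report address caa-reports@example1.com are placeholders to replace; the final dig query against the zone's own name server runs only if dig is on the path.

```powershell
# Added example, not the tutorial's own code. Creates or updates the apex CAA record set
# of an Azure DNS zone with the Az module and verifies what Azure actually stores.
# All values below are placeholders (assumptions) to replace with your own.
$subscriptionId       = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$zoneName             = "example1.com"
$resourceGroup        = "example1-rg"
$certificateAuthority = "digicert.com"                    # identifier published by the CA
$incidentReport       = "mailto:caa-reports@example1.com" # placeholder; must be a mailto: or http(s): URL
$ttl                  = 3600

# An iodef value that is not a URL is accepted by Azure but ignored by CAs, so refuse it early.
if ($incidentReport -notmatch '^(mailto:|https?://)') {
    throw "iodef value must start with mailto:, http:// or https://, got: $incidentReport"
}

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Desired records. Flag 0 = non-critical: a CA that does not understand a tag ignores it.
$desired = @(
    New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "issue" -CaaValue $certificateAuthority
    New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "iodef" -CaaValue $incidentReport
)

# New-AzDnsRecordSet fails when a CAA set already exists at "@", so look it up first.
try {
    $existing = Get-AzDnsRecordSet -ResourceGroupName $resourceGroup -ZoneName $zoneName `
                                   -Name "@" -RecordType CAA -ErrorAction Stop
} catch {
    $existing = $null
}

if ($null -eq $existing) {
    New-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zoneName -ResourceGroupName $resourceGroup `
                       -Ttl $ttl -DnsRecords $desired | Out-Null
} else {
    # Replace the contents rather than appending, so re-running does not duplicate records.
    $existing.Records.Clear()
    foreach ($r in $desired) { $existing.Records.Add($r) }
    $existing.Ttl = $ttl
    # Set-AzDnsRecordSet sends the Etag from the lookup; it fails if someone changed the set meanwhile.
    Set-AzDnsRecordSet -RecordSet $existing | Out-Null
}

# Read back from Azure and confirm every desired record is present with the same flags, tag and value.
$published = Get-AzDnsRecordSet -ResourceGroupName $resourceGroup -ZoneName $zoneName `
                                -Name "@" -RecordType CAA
foreach ($r in $desired) {
    $match = $published.Records | Where-Object {
        $_.Flags -eq $r.Flags -and $_.Tag -eq $r.Tag -and $_.Value -eq $r.Value
    }
    if (-not $match) {
        throw "CAA record '$($r.Flags) $($r.Tag) ""$($r.Value)""' was not published"
    }
}
$published.Records | Format-Table Flags, Tag, Value

# Optional: query the zone's own authoritative name server, which bypasses resolver caches.
if (Get-Command dig -ErrorAction SilentlyContinue) {
    $zone = Get-AzDnsZone -ResourceGroupName $resourceGroup -Name $zoneName
    $ns   = $zone.NameServers[0].TrimEnd('.')
    dig +short CAA $zoneName "@$ns"
}
```

The create-or-update branch is what makes the script safe to run from a pipeline: the first run creates the record set, later runs converge it to the declared records, and the Etag carried by the fetched record set turns a concurrent edit by someone else into an error instead of a silent overwrite.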