How to add CAA record to Azure DNS in 4 simple steps

In this tutorial we will see how to add a CAA record to Azure DNS. As of 2020 Azure does not offer a straightforward way to add a CAA record through the portal GUI, so the record has to be added manually with PowerShell commands run in Microsoft Azure Cloud Shell.

Adding CAA record to Azure DNS Zone – TutLinks

Before you proceed, you must ensure you have access to the Microsoft Azure Cloud Shell. If you want to see how to access Microsoft Azure Cloud Shell, you can look at this video on How to access terminal of Virtual Machine using Cloud Shell in Azure. Launch the Cloud Shell and keep it ready to start executing the commands in the steps mentioned below.


Steps to Add CAA record to Azure DNS

A CAA record (Certification Authority Authorization) is a DNS record that specifies which Certificate Authorities are allowed to issue certificates for a domain; a CA that honours CAA will refuse to issue for a name whose CAA records do not list it.

digicert.com and letsencrypt.org are two of the many Certificate Authorities available.

We will see how to add digicert.com as the certificate authority to our DNS Zone created in Azure.

Launch Azure Cloud Shell. If Bash is selected as the default, switch to PowerShell.

Step 1 Obtain the Subscription Id

Type the following command to list the subscriptions associated with your account:

Get-AzureRmSubscription

You will see something like the following, depending on how many subscriptions you are associated with:

Name                             Id                                    TenantId                              State
Visual Studio Enterprise         xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  Enabled
Visual Studio Premium with MSDN  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  Enabled

In the above table the Id column holds the subscription id.

Set the Azure context to the subscription in which the DNS zone was created:

Set-AzureRmContext -SubscriptionId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Step 2 List the DNS Zones

Type the following command to list the DNS zones:

Get-AzureRmDnsZone

Output:

Name: example1.com
ResourceGroupName: example1-rg
Etag: 00000002-0000-0000-xxxx-xxxxxxxxxxxx
Tags: {}
NameServers: {ns1-01.azure-dns.com., ns2-01.azure-dns.net., ns3-01.azure-dns.org., ns4-01.azure-dns.info.}
ZoneType: Public
RegistrationVirtualNetworkIds: {}
ResolutionVirtualNetworkIds: {}
NumberOfRecordSets: 3
MaxNumberOfRecordSets: 10000

Name: example2.com
Etag: 00000002-0000-0000-xxxx-xxxxxxxxxxxx
Tags: {}
NameServers: {ns1-06.azure-dns.com., ns2-06.azure-dns.net., ns3-06.azure-dns.org., ns4-06.azure-dns.info.}
ZoneType: Public
RegistrationVirtualNetworkIds: {}
ResolutionVirtualNetworkIds: {}
NumberOfRecordSets: 5
MaxNumberOfRecordSets: 10000

Type the following command to get the DNS zones in a specific resource group:

Get-AzureRmDnsZone -ResourceGroupName example1-rg

List all the DNS Records of a Zone

Type the following command to list the DNS record sets of a DNS zone:

Get-AzureRmDnsRecordSet -ResourceGroupName example1-rg -ZoneName example1.com

Output:

Id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/A/@
Name: @
ZoneName: example1.com
ResourceGroupName: example1-rg
Ttl: 3600
Etag: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType: A
TargetResourceId:
Records: {11.11.111.11}
Metadata:
ProvisioningState: Succeeded

Id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/NS/@
Name: @
ZoneName: example1.com
ResourceGroupName: example1-rg
Ttl: 172800
Etag: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType: NS
TargetResourceId:
Records: {ns1-01.azure-dns.com., ns2-01.azure-dns.net., ns3-01.azure-dns.org., ns4-01.azure-dns.info.}
Metadata:
ProvisioningState: Succeeded

Id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/SOA/@
Name: @
ZoneName: example1.com
ResourceGroupName: example1-rg
Ttl: 3600
Etag: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType: SOA
TargetResourceId:
Records: {[ns1-01.azure-dns.com.,azuredns-hostmaster.microsoft.com,3600,300,2419200,300]}
Metadata:
ProvisioningState: Succeeded

Step 3 List DNS Record of a DNS Zone based on Record Type

Type the following command to list only the record sets of a given record type in a DNS zone:

Get-AzureRmDnsRecordSet -ResourceGroupName example1-rg -ZoneName example1.com -RecordType SOA

Output:

Id: /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/SOA/@
Name: @
ZoneName: example1.com
ResourceGroupName: example1-rg
Ttl: 3600
Etag: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType: SOA
TargetResourceId:
Records: {[ns1-01.azure-dns.com.,azuredns-hostmaster.microsoft.com,3600,300,2419200,300]}
Metadata:
ProvisioningState: Succeeded

Add Custom Record Types to the Azure DNS Zone

We will add a CAA record set to the Azure DNS zone.

Declare variables for zonename, resourcegroup, certificateauthority and incidentreport:

$zonename = "example1.com"
$resourcegroup = "example1-rg" # the resource group that holds the DNS zone (see Step 2)
$certificateauthority = "digicert.com" # possible values are: `letsencrypt.org`, `digicert.com`
$incidentreport = "[email protected]" # This will be your personal email id where you want to receive alerts about the Cert incident reports.

Now build the CAA records in the $addcaarecord array and create the record set with them:

Command to Add CAA Record to Azure DNS

# Az.Dns cmdlets; each New-AzDnsRecordConfig builds one CAA record (flags, tag, value)
$addcaarecord = @()
# "issue": only this CA may issue certificates for the zone
$addcaarecord += New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "issue" -CaaValue $certificateauthority
# "iodef": where a CA reports a certificate request that violates the policy
$addcaarecord += New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "iodef" -CaaValue "mailto:$incidentreport"
# Create the CAA record set at the zone apex ("@") holding both records
New-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zonename -ResourceGroupName $resourcegroup -Ttl 3600 -DnsRecords $addcaarecord

Step 4 Verify CAA Record for DNS Zone

Verify that the CAA record set is reflected in the DNS zone records.

To do this you can either open the DNS zone in the Azure portal and click the Refresh button in the overview to see the CAA record set, or visit the dnsspy CAA validator and enter your domain name to check the CAA record.
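Beyond confirming the record exists, it helps to check what the record set actually permits. The following Python is an added example, not part of the original tutorial: it applies the RFC 8659 CAA lookup rules (climb to the nearest owner with CAA records, honour an empty ";" issuer, treat unknown critical tags as a refusal) to a constructed in-memory zone that mirrors the record set created above; the ZONE data and the security@ mailbox are constructed, not looked up live.

```python
"""RFC 8659 CAA evaluation over a constructed in-memory zone (added example)."""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed sample data standing in for DNS answers; not a live lookup.
ZONE: Dict[str, List[CaaRecord]] = {
    "example1.com": [(0, "issue", "digicert.com"),
                     (0, "iodef", "mailto:security@example1.com")],
    "locked.example1.com": [(0, "issue", ";")],    # ";" means no CA may issue
    "strict.example1.com": [(128, "weird", "x")],  # critical flag, unknown tag
}

KNOWN_TAGS = ("issue", "issuewild", "iodef")


def find_caa(name: str) -> Tuple[str, List[CaaRecord]]:
    """Climb from `name` toward the root; the first owner with CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if ZONE.get(owner):
            return owner, ZONE[owner]
    return "", []


def may_issue(name: str, ca: str, wildcard: bool = False) -> bool:
    """True if the CA identified by `ca` (e.g. digicert.com) may issue for `name`."""
    _, records = find_caa(name)
    if not records:
        return True  # no CAA anywhere in the tree: any CA may issue
    # A critical (bit 7) record with a tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    # Wildcard requests use "issuewild" when present, otherwise fall back to "issue".
    use_tag = "issue"
    if wildcard and any(tag == "issuewild" for _, tag, _ in records):
        use_tag = "issuewild"
    # The issuer domain precedes any ";" parameters; ";" alone yields "" (nobody).
    issuers = [value.split(";")[0].strip().lower()
               for _, tag, value in records if tag == use_tag]
    if not issuers:
        return True  # relevant tag absent (e.g. only iodef): unrestricted
    return ca.lower() in issuers
```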

Navule Pavan Kumar Rao

I am a Full Stack Software Engineer with the Product Development experience in Banking, Finance, Corporate Tax and Automobile domains. I use SOLID Programming Principles and Design Patterns and Architect Software Solutions that scale using C#, .NET, Python, PHP and TDD. I am an expert in deployment of the Software Applications to Cloud Platforms such as Azure, GCP and non-cloud On-Premise Infrastructures using shell scripts that become a part of CI/CD. I pursued Executive M.Tech in Data Science from IIT, Hyderabad (Indian Institute of Technology, Hyderabad) and hold B.Tech in Electronics and Communications Engineering from Vaagdevi Institute of Technology & Science.
