2025-07-21
DNS CAA proper internal configuration
What is a valid configuration of internal CAA records (internal - not visible on the Internet) on Windows DNS servers:
- You should point to a valid source of certificates using the "issue" prefix in the DNS record. For example, if your internal PKI is at pki.internal.contoso.com, you should place the record issueinternal.contoso.com or issuecontoso.com; this also covers wildcard certificates;
- If you don't want to allow wildcards, you should place another DNS record with an empty source, "issuewild;", so that the list of allowed entries is empty;
- The binary representation of the DNS record has a first byte equal to zero (the highest bit means "critical"; the rest are not used now), the next byte has the value 5, and the rest of the record is string data, e.g. "<00><05>issuewild;"
- The binary representation must be located in a DNS record of Type257
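An added example (not code from the original post): a small Python encoder and parser for the raw CAA bytes that go into a type 257 record, applied to the two records in the list. It follows the RFC 8659 wire format, in which the second byte is the length of the tag (5 for "issue", 9 for "issuewild"); the function names and the RECORDS sample are assumptions made for this example.

```python
from __future__ import annotations

CRITICAL = 0x80  # highest bit of the flags byte


def encode_caa(tag: str, value: str, critical: bool = False) -> bytes:
    """Return flags byte + tag-length byte + tag + value."""
    tag_b = tag.encode("ascii")
    if not tag_b.isalnum() or len(tag_b) > 255:
        raise ValueError("tag must be 1-255 ASCII letters or digits")
    return bytes([CRITICAL if critical else 0, len(tag_b)]) + tag_b + value.encode("ascii")


def decode_caa(rdata: bytes) -> tuple[bool, str, str]:
    """Split raw RDATA into (critical, tag, value), rejecting malformed input."""
    if len(rdata) < 2:
        raise ValueError("RDATA shorter than the two header bytes")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("tag length byte does not fit the record")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("ascii")
    return bool(flags & CRITICAL), tag, value


def allowed_issuers(records: list[bytes], wildcard: bool) -> set[str] | None:
    """CA domains a record set permits; set() = no CA, None = no restriction."""
    parsed = [decode_caa(r) for r in records]
    wild = [v for _, t, v in parsed if t == "issuewild"]
    plain = [v for _, t, v in parsed if t == "issue"]
    # issuewild, when present, replaces issue for wildcard requests
    chosen = wild if (wildcard and wild) else plain
    if not chosen:
        return None
    # issuer domain is the part before any ';' parameters; a bare ';' names no CA
    return {v.split(";", 1)[0].strip() for v in chosen} - {""}


# Constructed sample: the two records from the list
RECORDS = [encode_caa("issue", "internal.contoso.com"), encode_caa("issuewild", ";")]

if __name__ == "__main__":
    for r in RECORDS:
        print(r.hex(" "), decode_caa(r))
```

The printed hex strings are the byte sequences to compare against the data stored in the Type257 records.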