How to add CAA record to Azure DNS in 4 simple steps


In this tutorial we will see how to add a CAA record to Azure DNS. As of 2020, Azure does not offer a straightforward way to add a CAA record through the GUI front end, so the record has to be added with PowerShell commands run from Microsoft Azure Cloud Shell.

Before you proceed, you must ensure you have access to the Microsoft Azure Cloud Shell. If you want to see how to access Microsoft Azure Cloud Shell, you can look at this video on How to access terminal of Virtual Machine using Cloud Shell in Azure. Launch the Cloud Shell and keep it ready to start executing the commands in the steps mentioned below.

Steps to Add CAA record to Azure DNS

CAA Record is the Certification Authority Authorization record, used to specify which Certificate Authorities are allowed to issue certificates for a domain.

digicert.com and letsencrypt.org are two of the many Certificate Authorities available.

We will see how to add digicert.com as the certificate authority to our DNS Zone created in Azure.

Launch Azure Cloud Shell. If Bash is selected as the default, switch to PowerShell. Note that steps 1 and 2 below use the older AzureRm cmdlets while step 3 uses the Az module that Cloud Shell ships today; if the AzureRm cmdlets are not available in your shell, the Az equivalents are Get-AzSubscription, Set-AzContext, Get-AzDnsZone and Get-AzDnsRecordSet.

1 Obtain the Subscription Id

Type the following command to list the subscriptions associated with your account.

Get-AzureRmSubscription

You will see something like the table below, depending on the number of subscriptions you are associated with.

Name                              Id                                    TenantId                              State
Visual Studio Enterprise          xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   Enabled
Visual Studio Premium with MSDN   xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   Enabled

In the above table the Id column holds the subscription id.

Set the Azure Context to the corresponding Visual Studio Subscription where the DNS is created.

Set-AzureRmContext -SubscriptionId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Be sure to replace xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx with your own subscription id.

2 List the DNS Zones

Type the following command to list the DNS Zones.

Get-AzureRmDnsZone

Output:

Name : example1.com
ResourceGroupName : example1-rg
Etag : 00000002-0000-0000-xxxx-xxxxxxxxxxxx
Tags : {}
NameServers : {ns1-01.azure-dns.com., ns2-01.azure-dns.net., ns3-01.azure-dns.org., ns4-01.azure-dns.info.}
ZoneType : Public
RegistrationVirtualNetworkIds : {}
ResolutionVirtualNetworkIds : {}
NumberOfRecordSets : 3
MaxNumberOfRecordSets : 10000

Name : example2.com
Etag : 00000002-0000-0000-xxxx-xxxxxxxxxxxx
Tags : {}
NameServers : {ns1-06.azure-dns.com., ns2-06.azure-dns.net., ns3-06.azure-dns.org., ns4-06.azure-dns.info.}
ZoneType : Public
RegistrationVirtualNetworkIds : {}
ResolutionVirtualNetworkIds : {}
NumberOfRecordSets : 5
MaxNumberOfRecordSets : 10000

Type the following command to get a specific DNS Zone based on its Resource Group name.

Get-AzureRmDnsZone -ResourceGroupName example1-rg

List all the DNS Records of a Zone

Type the following command to list the DNS records of a DNS Zone.

Get-AzureRmDnsRecordSet -ResourceGroupName example1-rg -ZoneName example1.com

Output:

Id : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/A/@
Name : @
ZoneName : example1.com
ResourceGroupName : example1-rg
Ttl : 3600
Etag : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType : A
TargetResourceId :
Records : {11.11.111.11}
Metadata :
ProvisioningState : Succeeded

Id : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/NS/@
Name : @
ZoneName : example1.com
ResourceGroupName : example1-rg
Ttl : 172800
Etag : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType : NS
TargetResourceId :
Records : {ns1-01.azure-dns.com., ns2-01.azure-dns.net., ns3-01.azure-dns.org., ns4-01.azure-dns.info.}
Metadata :
ProvisioningState : Succeeded

Id : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/SOA/@
Name : @
ZoneName : example1.com
ResourceGroupName : example1-rg
Ttl : 3600
Etag : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType : SOA
TargetResourceId :
Records : {[ns1-01.azure-dns.com.,azuredns-hostmaster.microsoft.com,3600,300,2419200,300]}
Metadata :
ProvisioningState : Succeeded

3 List DNS Records of a DNS Zone based on Record Type

Type the following command to list the records of a specific Record Type in a DNS Zone.

Get-AzureRmDnsRecordSet -ResourceGroupName example1-rg -ZoneName example1.com -RecordType SOA

Output:

Id : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/example1-rg/providers/Microsoft.Network/dnszones/example1.com/SOA/@
Name : @
ZoneName : example1.com
ResourceGroupName : example1-rg
Ttl : 3600
Etag : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
RecordType : SOA
TargetResourceId :
Records : {[ns1-01.azure-dns.com.,azuredns-hostmaster.microsoft.com,3600,300,2419200,300]}
Metadata :
ProvisioningState : Succeeded

Add Custom Record Types to the Azure DNS Zone

We will add a CAA Record Set to the Azure DNS Zone.

Declare variables for the zone name, resource group, certificate authority and incident report address.

$zonename = "example1.com"
$resourcegroup = "example1-rg" # the resource group that holds the zone (see step 2)
$certificateauthority = "digicert.com" # possible values include letsencrypt.org and digicert.com
$incidentreport = "you@example1.com" # mailbox that should receive CAA incident (iodef) reports from CAs

Now build the list of CAA records in the $addcaarecord variable and create the record set from it.

Command to Add CAA Record to Azure DNS

$addcaarecord = @()
# issue: only the named CA is authorized to issue certificates for this zone
$addcaarecord += New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "issue" -CaaValue $certificateauthority
# iodef: where CAs should report certificate requests that violate the policy
$addcaarecord += New-AzDnsRecordConfig -CaaFlags 0 -CaaTag "iodef" -CaaValue "mailto:$incidentreport"
New-AzDnsRecordSet -Name "@" -RecordType CAA -ZoneName $zonename -ResourceGroupName $resourcegroup -Ttl 3600 -DnsRecords $addcaarecord

4 Verify CAA Record for DNS Zone

Verify that the CAA Record Set is reflected in the DNS Zone records.

To do this you can either open the DNS Zone in the portal and click the Refresh button in the overview to see the CAA record, or visit the dnsspy CAA validator and enter your domain name to check the CAA record.
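To show what the record set created in step 3 actually enforces, here is an added example (not from the original post) that models the RFC 8659 CAA lookup rules over a constructed in-memory zone instead of live DNS; the sample zone data, CA names and function names are assumptions.

```python
"""Decide whether a CA may issue for a name under RFC 8659 CAA rules."""
from typing import Dict, List, Optional, Tuple

# A CAA record is (flags, tag, value); flags bit 7 (128) marks the tag critical.
CaaRecord = Tuple[int, str, str]

# Constructed sample data: the apex record set from the tutorial, plus a
# subdomain that forbids wildcard issuance ("issuewild" with value ";").
SAMPLE_ZONE: Dict[str, List[CaaRecord]] = {
    "example1.com": [
        (0, "issue", "digicert.com"),
        (0, "iodef", "mailto:you@example1.com"),
    ],
    "shop.example1.com": [(0, "issuewild", ";")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(name: str, zone: Dict[str, List[CaaRecord]]) -> Optional[List[CaaRecord]]:
    """Climb from the name toward the root; the first label with CAA records wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return None  # no CAA records at any level: issuance is unrestricted


def ca_may_issue(name: str, ca: str, zone=SAMPLE_ZONE, wildcard: bool = False) -> bool:
    """True if the CA identified by `ca` is authorized to issue for `name`."""
    records = relevant_caa_set(name, zone)
    if records is None:
        return True
    # An unrecognised tag carrying the critical flag must block issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    allowed = [v for _, t, v in records if t.lower() == tag]
    if wildcard and not allowed:
        # No issuewild records: wildcard requests fall back to the issue records.
        allowed = [v for _, t, v in records if t.lower() == "issue"]
    if not allowed:
        return True  # only iodef (or nothing) present: no issuance restriction
    # The value may carry parameters after ';'; a bare ";" authorizes nobody.
    domains = {v.split(";", 1)[0].strip().lower() for v in allowed}
    return ca.lower() in domains
```

Note that the iodef record never restricts issuance; it only tells the CA where to report a request that the issue records reject.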
