CAA records are not compatible with Bind 9.9.5 on Debian 8

Hi, I know Debian 8 is enter in its end of life, but, maybe, to know this can be useful for you.
Virtualmin create a CAA record on DNS when a let's encrypt certificated is renewed. I think it started with Virtualmin 6.09.
That record is created with the following syntax:

@ IN CAA 0 issuewild letsencrypt.org

But it is only compatible with BIND ≥ 9.9.6, and Debian 8 has BIND 9.9.5.

For BIND < 9.9.6 the syntax is for Legacy Zone File (RFC 3597)

foo.org. IN TYPE257 # 22 000569737375656C657473656E63727970742E6F7267
foo.org. IN TYPE257 # 18 000569737375657365637469676F2E636F6D

Tested with the following versions:
Debian 8.11
webmin-virtual-server 6.09-3 Pro and 6.09.gpl
webmin 1.942
bind 9.9.5.dfsg-9+deb8u18

Status: 
Fixed (pending)

Comments

Do the older BIND versions completely fail to read the zone file if a CAA record exists? Or do they just skip it..

Bind 9.9.5 completely fails to load the entire zone

15-May-2020 13:51:45.100 /etc/bind/example.com.hosts:34: unknown RR type 'CAA'
15-May-2020 13:51:45.101 zone example.com/IN: loading from master file /etc/bind/example.com.hosts failed: unknown class/type
15-May-2020 13:51:45.101 zone example.com/IN: not loaded due to errors.

and any record doesn't resolve, the entire zone doesn't work

Ok - the next Virtualmin release won't add CAA records for older BIND releases than 9.9.6.

I have older system with Bind 9.8.1, also having this issue. After let's encrypt certificate is renewed, I have to manually remove CAA record, that was added by Virtualmin 6.09-3 Pro. Hope new Virtualmin version will be reelased soon :)

Virtualmin 6.10 should be out now, and doesn't add CAA records for older BIND versions anymore.

Hi i've also just had this issue today with BIND 9.10.3-P4-Ubuntu and also on Debian with BIND 9.9.5-9+deb8u19-Debian (Extended Support Version)

Can we please not have these CAA records in the future on any versions if they may break things?

Ilia's picture
Submitted by Ilia on Fri, 07/17/2020 - 07:34

Auch. There was a bug which is scheduled to be fixed in small Virtualmin release.

Can we please not have these CAA records in the future on any versions if they may break things?

It should break with BIND version prior to 9.9.6 but not with 9.10.3.