by akerl_ 1285 days ago
Am I understanding correctly that these new fields must be included as part of the "issue" record, not as a record of its own? Right now, I have:

===
# dig CAA hass.a-rwx.org +short
0 iodef "mailto:admin@lesaker.org"
0 issue "letsencrypt.org"
0 issuewild ";"
===

Can I add an additional TXT record for "validationmethods=dns-01", or do I need to append it to the "issue" record?


The way this works is, the part of a CAA record in quotes can have parameters added to it. These have been little used until now so many may not be familiar with this syntax but it's always been in the CAA spec. The examples at the end of the linked RFC are accurate.

For example:

;; Must match account URI
example.com. IN CAA 0 issue "letsencrypt.org; accounturi=https://some/acme/account/uri"

;; Must match account URI -OR- use dns-01 validation method
example.com. IN CAA 0 issue "letsencrypt.org; accounturi=https://some/acme/account/uri"
example.com. IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01"

;; Must match account URI -AND- use dns-01 validation method
example.com. IN CAA 0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://some/acme/account/uri"

I also just put up an article with some more explanation: https://www.devever.net/~hl/acme-caa-live
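An added example, not part of this thread or the linked article: a small Python parser for the quoted CAA issue value and a checker that applies the semantics described above (parameters inside one record are AND-ed, separate records are OR-ed, and the empty issuer ";" permits nobody). The record strings are constructed from the examples in the comment; the comparison rules (exact accounturi match, comma-separated validationmethods) are an assumption based on a simplified reading of the RFC, and the caller is expected to pass the CAA RRset that applies to the name.

```python
def parse_caa_value(value):
    """Split an issue/issuewild value into (issuer_domain, {tag: value}).

    Syntax: issuer-domain *( ";" tag "=" value ). Whitespace around ";"
    is tolerated; an empty issuer (the ";" record) yields "".
    """
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if not p:
            continue  # trailing ";" or the bare ";" record
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter: {p!r}")
        tag, val = p.split("=", 1)
        params[tag.strip().lower()] = val.strip()
    return issuer, params


def record_permits(value, ca, account_uri=None, method=None):
    """True if this single CAA record allows `ca` to issue for the
    given ACME account URI and validation method (AND within a record)."""
    issuer, params = parse_caa_value(value)
    if issuer != ca.lower():
        return False  # includes the ";" record, whose issuer is ""
    if "accounturi" in params and params["accounturi"] != account_uri:
        return False
    if "validationmethods" in params:
        allowed = {m.strip().lower() for m in params["validationmethods"].split(",")}
        if method is None or method.lower() not in allowed:
            return False
    return True


def issuance_permitted(values, ca, account_uri=None, method=None):
    """OR across records: any one matching record permits issuance."""
    return any(record_permits(v, ca, account_uri, method) for v in values)


# Constructed sample records, taken from the comment's examples.
ACC = "https://some/acme/account/uri"
AND_RECORD = f"letsencrypt.org; validationmethods=dns-01; accounturi={ACC}"
OR_RECORDS = [f"letsencrypt.org; accounturi={ACC}",
              "letsencrypt.org; validationmethods=dns-01"]

if __name__ == "__main__":
    print(issuance_permitted([AND_RECORD], "letsencrypt.org", ACC, "dns-01"))
    print(issuance_permitted(OR_RECORDS, "letsencrypt.org", "https://other", "dns-01"))
```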

Ah wow, I did not catch that the parameters go inside the quoted issue string. My brain misread the examples as `issue "example.org"; validationmethods=dns-01`.

Thanks for the clarification!