Domain Connect Deploy
Good Roots Work acts as a Domain Connect service provider (SP). When you deploy a policy, you authorize your DNS provider to apply CAA record changes defined by our template.
Template
| Field | Value |
|---|---|
| Provider ID | goodroots.work |
| Service ID | caa_management |
| Version | 2 |
| Sync public key domain | caa.goodroots.work |
| DNS pubkey host | _dnspub.caa.goodroots.work |

The template supports up to 16 CAA record slots per apply URL using numbered variables (flags0, tag0, value0, …).
Prerequisites
- Domain Connect at your zone — the authoritative zone must publish _domainconnect TXT (Cloudflare zones do this automatically).
- Template onboarding — your DNS provider must recognize template goodroots.work.caa_management (Cloudflare requires SP onboarding).
- Signing — apply URLs are digitally signed; the public key is published in DNS at _dnspub.caa.goodroots.work.

Good Roots Work does not host your DNS. You approve changes through your provider’s Domain Connect interface.
User flow
- Open CAA Policy Management and analyze your domain.
- Edit the policy (add/remove issue, issuewild, or iodef entries).
- Click Deploy when Domain Connect is supported for the zone.
- The tool calls POST /api/v1/caa/deploy and redirects you to your DNS provider (e.g. Cloudflare Dashboard).
- Approve the change in the provider UI.
- You are returned to https://goodroots.work/tools/caa/management?domain=…&dc=complete — re-analyze to confirm DNS updates.

If automated deploy is unavailable, use the manual DNS instructions panel in the tool.
Cloudflare
Cloudflare uses a synchronous signed flow:
- Discovery TXT: api.cloudflare.com/client/v4/dns/domainconnect
- Settings API resolves urlSyncUX → https://dash.cloudflare.com/domainconnect
- Apply URL pattern: {urlSyncUX}/v2/domainTemplates/providers/goodroots.work/services/caa_management/apply?…

Cloudflare ignores template multiInstance; the v2 template uses numbered slots and groupId instead.
What changes in DNS
Only CAA records at the zone apex (@) are modified, matching the slots populated in your edited policy. TTL defaults to 300 seconds per the template.
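
One way to confirm the result independently after approving a deploy, added here as an example (not Good Roots Work's own code): it compares the edited policy with the apex CAA RRset in a dig-style answer and reports missing records, records outside the policy, and TTLs other than 300. It assumes the answer was taken from an authoritative server, so the TTL is not a cache countdown; the zone, records and function names are constructed for illustration.

```python
import re

TEMPLATE_TTL = 300   # TTL the template applies by default, per this page
MAX_SLOTS = 16       # CAA record slots per apply URL, per this page
POLICY_TAGS = {"issue", "issuewild", "iodef"}

# One CAA answer line in dig / zone-file presentation format.
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$')

def parse_caa(answer_text):
    """Return (owner, ttl, flags, tag, value) tuples; skip comments and other types."""
    records = []
    for line in answer_text.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            records.append((m["owner"].lower().rstrip("."), int(m["ttl"]),
                            int(m["flags"]), m["tag"].lower(), m["value"]))
    return records

def check_deploy(zone, policy, answer_text):
    """Return (kind, slot) findings; policy is a list of (flags, tag, value)."""
    if len(policy) > MAX_SLOTS:
        raise ValueError(f"policy has {len(policy)} records; one apply URL holds {MAX_SLOTS}")
    for flags, tag, _ in policy:
        if tag not in POLICY_TAGS or not 0 <= flags <= 255:
            raise ValueError(f"invalid slot: {flags} {tag}")
    apex = zone.lower().rstrip(".")
    live = [r for r in parse_caa(answer_text) if r[0] == apex]  # apex only
    live_slots = {r[2:] for r in live}
    findings = [("missing", s) for s in sorted(set(policy) - live_slots)]
    # A leftover record still authorizes whatever CA it names, so report it.
    findings += [("not_in_policy", s) for s in sorted(live_slots - set(policy))]
    findings += [("ttl", r[2:]) for r in live if r[1] != TEMPLATE_TTL]
    return findings

# Constructed sample: authoritative answer captured after approving a deploy.
SAMPLE_ANSWER = """
example.com.      300  IN CAA 0 issue "letsencrypt.org"
example.com.      3600 IN CAA 0 issuewild ";"
example.com.      300  IN CAA 0 issue "old-ca.example"
www.example.com.  300  IN CAA 0 issue "other-ca.example"
"""
SAMPLE_POLICY = [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";"),
                 (0, "iodef", "mailto:security@example.com")]

if __name__ == "__main__":
    print(check_deploy("example.com", SAMPLE_POLICY, SAMPLE_ANSWER))
```

An empty list means the apex CAA RRset matches the policy exactly. Values are compared as written, so a CA domain that differs only in letter case is reported as a mismatch.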
Support
Questions about Domain Connect onboarding or the deploy flow: contact support at support@goodroots.work.