Not a DNS expert, confused, so I figure I’ll ask for some assistance. We have the following DNS configuration to allow for ‘vanity’ URLs:
CNAME: sample1.<clientA>.com --> clientA.<our-domain>.com
CNAME: clientA.<our-domain>.com --> <nlb-address>.amazonaws.com
A: <nlb-address>.amazonaws.com --> <some-ips>
- Constraint: our ‘clientA’ has 2 CAA records in place for their domain “clientA.com”, one for wildcard and one for top domain.
- We use Let’s Encrypt to provide a cert for the domain “sample1.clientA.com”.
- We currently have no CAA records in place.
According to Let’s Encrypt (and RFC6844) docs it follows the CNAME when trying to issue a cert.
Therefore, should we be configuring a CAA record on “our-domain.com”, or should we be asking the client to configure an additional CAA record on their “clientA.com” domain, or maybe even “amazonaws.com” given the multiple CNAMEs?
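Added example, not part of the original post: a small Python model of the CAA lookup algorithm from RFC 8659 section 3 (the document that obsoletes RFC 6844), placed next to the older RFC 6844 section 4 rule, and evaluated over a constructed zone that mirrors the CNAME chain above. The zone contents, the CA identifiers, and a hypothetical CAA record on our-domain.com (the post says there is none today; it is included so the two algorithms give visibly different answers) are all constructed placeholders, and the code makes no claim about what any particular CA's software does.

```python
"""Model of the CAA lookup from RFC 8659 section 3, next to the older
RFC 6844 section 4 rule, evaluated over a constructed zone that mirrors
the CNAME chain in the question. All names, addresses and CA identifiers
are placeholders (constructed), not real DNS data."""

from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]          # (flags, tag, value)
Zone = Dict[str, Dict[str, object]]

# Constructed zone. The CAA record on our-domain.com is hypothetical
# ("what if we added one"); the question says there is none today.
ZONE: Zone = {
    "sample1.clienta.com":       {"CNAME": "clienta.our-domain.com"},
    "clienta.our-domain.com":    {"CNAME": "nlb-address.amazonaws.com"},
    "nlb-address.amazonaws.com": {"A": ["192.0.2.10"]},              # no CAA here
    "clienta.com": {"CAA": [(0, "issue", "client-ca.example"),        # placeholder CA
                            (0, "issuewild", "client-ca.example")]},
    "our-domain.com": {"CAA": [(0, "issue", "letsencrypt.org")]},     # hypothetical
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _norm(name: str) -> str:
    """DNS names are case-insensitive; drop a trailing dot as well."""
    return name.lower().rstrip(".")


def parent(name: str) -> Optional[str]:
    """P(X): strip the leftmost label; None once X is a single label (a TLD)."""
    name = _norm(name)
    return name.split(".", 1)[1] if "." in name else None


def caa_query(name: str, zone: Zone) -> Tuple[str, List[CAARecord]]:
    """Resolver-style CAA query: chase CNAMEs (RFC 1034 4.3.2) and return the
    terminal name together with its CAA RRset (empty list if it has none)."""
    name = _norm(name)
    seen = set()
    while "CNAME" in zone.get(name, {}):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = _norm(str(zone[name]["CNAME"]))
    return name, list(zone.get(name, {}).get("CAA", []))  # type: ignore[arg-type]


def relevant_caa_8659(name: str, zone: Zone) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 3: RelevantCAASet(X) = CAA(X) if non-empty, else
    RelevantCAASet(P(X)); empty once X is a TLD. Only the parents of the
    *queried* name are climbed, never the parents of a CNAME target."""
    x: Optional[str] = _norm(name)
    while x is not None and "." in x:
        terminal, rrset = caa_query(x, zone)
        if rrset:
            return terminal, rrset
        x = parent(x)
    return None, []


def relevant_caa_6844(name: str, zone: Zone) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 6844 4 (obsoleted by RFC 8659): when CAA(X) is empty and X is an
    alias, try the alias target's own RelevantCAASet first (which climbs the
    target's parents), and only then climb the parents of X."""
    x = _norm(name)
    if "." not in x:                      # TLD: empty set
        return None, []
    terminal, rrset = caa_query(x, zone)
    if rrset:
        return terminal, rrset
    alias = zone.get(x, {}).get("CNAME")
    if alias is not None:
        via_alias = relevant_caa_6844(str(alias), zone)
        if via_alias[1]:
            return via_alias
    up = parent(x)
    assert up is not None                 # x has at least two labels here
    return relevant_caa_6844(up, zone)


def issuance_allowed(rrset: List[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """RFC 8659 4: an empty relevant set restricts nobody. For a wildcard
    request issuewild governs when present, otherwise issue governs; for a
    non-wildcard request issuewild is ignored. A value with no domain
    (e.g. ";") authorises no CA; an unknown tag with the critical flag set
    forbids issuance."""
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True                       # no property restricts this request
    wanted = _norm(ca_domain)
    return any(_norm(v.split(";", 1)[0].strip()) == wanted for v in governing)


if __name__ == "__main__":
    for label, fn in (("RFC 8659", relevant_caa_8659), ("RFC 6844", relevant_caa_6844)):
        src, rrset = fn("sample1.clientA.com", ZONE)
        print(f"{label}: relevant CAA set comes from {src}: {rrset}")
        print(f"  letsencrypt.org may issue: {issuance_allowed(rrset, 'letsencrypt.org')}")
```

Against live DNS the same walk is `dig +short CAA <name>` at each name the algorithm visits, starting from the requested name and moving to its parents; the CNAME chase is something the resolver does for you, which is why a CAA query for sample1.clientA.com returns whatever sits at the end of the chain.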