I wanted to understand if a CAA query is run every time we make changes to our certificate, like the addition or removal of hostnames. For example, if we add a SAN example.com, is the CAA query run on all the other hostnames for that certificate, or only for the domain example.com?
If not, is the CAA query run only for renewal of the certificate, or when we add a new SAN that was never live with the given certificate? Any feedback will be appreciated.
If your ACME client is reusing cached authorizations, then you only have to complete the authorization process for newly-added names, assuming that you have issued the original certificate during the past 7 days. In that case, the likely answer is that the CAA query will only be re-run for names that you didn’t previously issue certificates for during the past 7 days.
However, not every ACME client necessarily knows how to reuse authorizations.
It’s worth noting that this behaviour is going to change at some point before September 8th. The current plan seems to be to re-check CAA if the last check was performed more than 8 hours ago. This is being tracked in this issue:
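To make the two parts of the answer concrete, here is an added example (my own code, not something from this thread or from Let's Encrypt's Boulder implementation). It models the per-name CAA lookup a CA performs under RFC 8659 against a constructed in-memory zone, so it runs offline, and adds a small helper that, given when each SAN was last CAA-checked, reports which SANs would need a fresh query. The zone contents, the CA identifier `letsencrypt.org`, and the 8-hour window are all assumptions taken from the discussion above; the wildcard handling (starting the climb at the name with `*.` removed) is a simplification.

```python
"""Offline model of the CAA check a CA performs per requested name
(RFC 8659), plus a helper deciding which SANs need a fresh CAA query.

Added example, not Boulder / Let's Encrypt code. ZONE is constructed
test data; the 8-hour re-check window is an assumption from the thread.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# A CAA resource record as (flags, tag, value). Flag bit 128 is "critical".
CAARecord = Tuple[int, str, str]

# Constructed zone: FQDN -> CAA RRset. Names missing from the dict have no
# CAA records of their own, so the lookup climbs towards the parent.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [(0, "issue", "letsencrypt.org")],
    # wildcard issuance forbidden, ordinary issuance allowed for one CA
    "example.net": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    # ";" in an issue record means no CA at all may issue
    "locked.example.org": [(0, "issue", ";")],
    # critical flag on a tag this CA does not understand
    "odd.example.org": [(128, "future-tag", "whatever")],
}


def relevant_caa_records(name: str, zone: Dict[str, List[CAARecord]]) -> List[CAARecord]:
    """RFC 8659 section 3: CAA(X) for the first X in name, parent(name), ...
    that has a non-empty RRset. A wildcard request starts at the name with
    its leading '*.' removed (simplification; assumption for this example)."""
    labels = name.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def _issuer_domain(value: str) -> str:
    """Issuer domain from a CAA value such as 'letsencrypt.org; policy=x'."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(name: str, ca_domain: str, zone: Dict[str, List[CAARecord]]) -> bool:
    """Decide whether the CA identified by ca_domain may issue for name."""
    rrset = relevant_caa_records(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: unrestricted
    known = {"issue", "issuewild", "iodef"}
    # A critical record with an unknown tag forbids issuance outright.
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False
    wildcard = name.startswith("*.")
    tag = "issue"
    # For a wildcard name, issuewild records (if any) override issue records.
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    authorised = [_issuer_domain(v) for _, t, v in rrset if t == tag]
    if not authorised:
        return True  # only iodef / irrelevant tags present: no restriction
    return ca_domain.lower() in authorised


def names_needing_caa_check(sans: List[str], last_checked: Dict[str, datetime],
                            now: datetime, max_age: timedelta = timedelta(hours=8)) -> List[str]:
    """SANs whose last CAA check is missing or older than max_age (assumed 8h)."""
    return [n for n in sans if n not in last_checked or now - last_checked[n] > max_age]


if __name__ == "__main__":
    for n in ["www.example.com", "*.example.net", "api.locked.example.org", "odd.example.org"]:
        print(n, ca_may_issue(n, "letsencrypt.org", ZONE))
    now = datetime(2017, 9, 1, 12, tzinfo=timezone.utc)
    seen = {"www.example.com": now - timedelta(hours=2),
            "api.example.com": now - timedelta(hours=10)}
    print(names_needing_caa_check(["www.example.com", "api.example.com", "new.example.com"], seen, now))
```

The point of the second helper is the one the answer makes: the names that get a fresh CAA query are those with no recent check, not the whole SAN list, and with an age-based rule a name that was checked yesterday needs re-checking today even if its authorization is still cached.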