CAA Question - issue / issuewild

Hi,

I have read through a lot of material but can't see a clear answer anywhere. I think to understand CAA fully you have to read a lot of RFC material. Question:

If I wanted to allow absolutely all certificates to be issued for example.com from both LetsEncrypt & Digicert do I need both 'issue' and 'issuewild' records for both LetsEncrypt & Digicert? I.e.

example.com 0 issue letsencrypt.org
example.com 0 issuewild letsencrypt.org
example.com 0 issue digicert.com
example.com 0 issuewild digicert.com

Some reference material I'm finding seems to suggest 'issue' allows for both wildcard and non-wildcard certificates to be issued?

Would the CAA setup above allow certificates to be issued / validated for "example.com", "wildcard.example.com", "subdomain.example.com" & "subdomain.subdomain.example.com", "wildcard.subdomain.example.com"

Many thanks.

yes. unless you override it with a more specific CAA record on a subdomain.

Also yes. If you want to forbid wildcard issuance you can use

example.com 0 issue "letsencrypt.org"
example.com 0 issue "digicert.com"
example.com 0 issuewild ";"

Thank you. So in other words I can allow absolutely everything for LetsEncrypt & Digicert with the following records:

example.com 0 issue "letsencrypt.org"
example.com 0 issue "digicert.com"

I think you didn't quite say what you meant, if you want only Digicert & Sectigo then you wouldn't be including Let's Encrypt.

If there are no issuewild entries, then wildcards follow the issue entries. That is, if you have any issuewild at all, then a wildcard has to match them, but if you only have issue entries, then they apply for both wildcard and non-wildcard certs.

Agreed, it (like many things relating to certificates) seems a lot more confusing than it has to be, with lots of cross-references to lots of documents. In this case, the paragraph I think you're looking for is in RFC 8659, section 4.3,

If at least one issuewild Property is specified in the Relevant RRset for a Wildcard Domain Name, each issue Property MUST be ignored when processing a request for that Wildcard Domain Name.

Which is trying to say that wildcards use the issuewild instead of issue, only if there is at least one issuewild property in existance.

Okay thanks. It was my mistake on the first bit. A typo. I meant to say LetsEncrypt & Digicert. I have edited the original post.

Yes, that will allow both those CAs to issue any certificates for example.com, regardless of whether it's a wildcard or not.

Thank you both! Very clear and helpful answers.

the edge case might be this one: RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record

wild3.example.com         CAA 0 issuewild "ca2.example.org"
wild3.example.com         CAA 0 issue ";"

The previous posts were all helpful. Also, from this page

Is a link to this CAA generator.
https://sslmate.com/caa/