CAA record effect on CNAME subdomains

My domain is:
prusa.net, status.prusa.net

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

GitHub Pages

Hello, I have a question about how CAA records affect domains with a CNAME record on them. This question came to mind after I realized that GitHub Pages was able to create a Let's Encrypt certificate for my subdomain (status.prusa.net), despite my domain having bound a specific ACME account in CAA records:

$ dig +short CAA prusa.net
0 iodef "mailto:caa@prusa.net"
0 issue "letsencrypt.org; validationmethods=http-01; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/246206403"
0 issue "letsencrypt.org; validationmethods=http-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/2564468501"
0 issuevmc ";"
0 issuemail ";"

I have set up GitHub pages on my domain by adding a CNAME record on the subdomain (status.prusa.net -> atmosphericignition.github.io).
I was surprised that GitHub was immediately able to issue a cert for the subdomain, without me having GitHub's ACME account in my CAA records. It makes me wonder if the issuing CAs consider CAA records for the answer domain (atmosphericignition.github.io) instead of the host domain (status.prusa.net). I haven't been able to find a definitive answer online.

Thank you.

CAA lookups (RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record) use the algorithm specified in RFC 1034 Section 4.3.2 (RFC 1034: Domain names - concepts and facilities). In particular, CNAMEs are followed when not looking up CNAME records, i.e. when looking up CAA records.

2 Likes

A CNAME means "this record is actually over there". So the subdomain's CAA records are whatever the target name has for CAA records. And only if they aren't found, will the next higher-level domain level be checked.

7 Likes
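As an added illustration (not code from this thread), here is a small Python model of the RFC 8659 lookup the two replies describe, run over a constructed zone: CAA(name) follows the CNAME, and only if the chain yields no CAA records does the search climb to the parent of the original name (the CNAME target's parent is never consulted). The example.net/example.org names and the ca-a/ca-b issuer identifiers are made up; the prusa.net records are the ones shown in the question, and the accounturi/validationmethods parameter check follows RFC 8657.

```python
# Constructed zone modelled on the thread. Each CAA RR is (flags, tag, value).
ZONE = {
    "prusa.net.": {"CAA": [
        (0, "iodef", "mailto:caa@prusa.net"),
        (0, "issue", "letsencrypt.org; validationmethods=http-01; "
                     "accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/2564468501"),
    ]},
    "status.prusa.net.": {"CNAME": "atmosphericignition.github.io."},
    "atmosphericignition.github.io.": {},  # assumption for the demo: no CAA at the target
    "docs.example.net.": {"CNAME": "target.example.org."},
    "target.example.org.": {"CAA": [(0, "issue", "ca-a.example")]},
    "example.org.": {"CAA": [(0, "issue", "ca-b.example")]},  # target's parent: never used
    "example.net.": {"CAA": [(0, "issue", "ca-b.example")]},  # used only if the chain is empty
}

def caa(name):
    """CAA(name) per RFC 8659 s3: an RFC 1034 s4.3.2 lookup, so CNAMEs are followed."""
    seen = set()
    while "CNAME" in ZONE.get(name, {}):
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        name = ZONE[name]["CNAME"]
    return ZONE.get(name, {}).get("CAA", [])

def parent(name):
    return name.split(".", 1)[1] or "."   # "status.prusa.net." -> "prusa.net." ; "net." -> "."

def relevant_caa_set(domain):
    """RelevantCAASet from RFC 8659 s3: climb the ORIGINAL name, not the CNAME target."""
    while domain != ".":
        rrset = caa(domain)
        if rrset:
            return rrset
        domain = parent(domain)
    return []

def issue_permitted(domain, ca, accounturi=None, method=None):
    """Non-wildcard check. No 'issue' tags in the relevant set means unrestricted."""
    values = [v for _, tag, v in relevant_caa_set(domain) if tag == "issue"]
    if not values:
        return True
    for value in values:
        issuer, *params = [p.strip() for p in value.split(";")]
        if issuer != ca:                       # also rejects the 'issue ";"' deny-all form
            continue
        kv = dict(p.split("=", 1) for p in params if p)
        if "accounturi" in kv and kv["accounturi"] != accounturi:
            continue
        if "validationmethods" in kv and method not in kv["validationmethods"].split(","):
            continue
        return True
    return False
```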

Thank you both for the answers.

Does the same algorithm apply for ALIAS DNS records?

ALIAS DNS records do not really exist; they're just to instruct your authoritative DNS server to look up the IP addresses of another domain and serve those addresses.

CAA records would have to be manually added if required as ALIAS records do not copy them.

3 Likes

"ALIAS" isn't an actual DNS record type, so it depends on what your DNS server actually does when you tell it to do an alias.

8 Likes