The domain content-ci360.sas.com is not able to finish the verification due to CAA check. We are seeing the text below when trying to finish the validation. The TLD sas.com does have a CAA record that has only Digicert listed in it. The link here does mention that the subdomain CAA record takes precedence over the TLD. So, is there a different reason for the CAA check error here?
@mnordhoff Thank you for clarification. I also noticed that this domain has a CNAME chain. If a domain has a CNAME chain, shouldn’t the CAA validation follow the chain and look for CAA record only for the domains it is CNAME’d to in the chain?
It basically does the equivalent of “dig content-ci360.sas.com caa”, “dig sas.com caa” and “dig com caa”, stopping when it finds a CAA record set, or encounters an error.
The CAA lookup algorithm used to be more complicated, but the standard was changed.
You need to either add a CAA record set on Akamai – if you can – or change the one on sas.com.
It checks the origin domain; if it has CNAMEs, it checks the CAA for every CNAME (but it does not perform tree-climbing on those CNAMEs as it did in the legacy CAA implementation). If no CAA record is found, it starts tree-climbing on the origin domain, etc., until a CAA record is found, an error occurs, or the end is reached if there aren't any CAA records.
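As an added example (not code from the thread or from Let's Encrypt), here is an offline Python model of the lookup described in the two posts above: follow CNAMEs at each queried name, climb the parents of the original name only, stop at the first non-empty CAA set. ZONE is constructed sample data whose names mirror the thread (CNAME chain, CAA only on sas.com); the example.com/example.net entries are a second constructed case and nothing is queried over the network.

```python
# Constructed zone: name -> {rrtype: record}. CAA records are (flags, tag, value).
ZONE = {
    "content-ci360.sas.com.": {"CNAME": "content.aimatch.com."},
    "content.aimatch.com.": {"CNAME": "aimatch.edgekey.net."},
    "aimatch.edgekey.net.": {"CNAME": "e10517.g.akamaiedge.net."},
    "e10517.g.akamaiedge.net.": {},
    "sas.com.": {"CAA": [(0, "issue", "digicert.com")]},
    # second constructed case: a CNAME target that carries its own CAA set
    "www.example.com.": {"CNAME": "cdn.example.net."},
    "cdn.example.net.": {"CAA": [(0, "issue", "letsencrypt.org")]},
    "example.com.": {"CAA": [(0, "issue", "digicert.com")]},
}


def query_caa(name, zone=ZONE):
    """Model of `dig NAME caa`: the resolver follows CNAMEs and returns the CAA
    set at the end of the chain (empty if none). No tree-climbing happens here."""
    seen = set()
    while name not in seen:
        seen.add(name)
        rrs = zone.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"]
            continue
        return list(rrs.get("CAA", []))
    raise ValueError("CNAME loop at %s" % name)


def relevant_caa(domain, zone=ZONE):
    """RFC 8659 section 3: query the name, then each parent (sas.com, com, ...),
    stopping at the first non-empty answer. Returns (queried name, CAA set);
    parents of a CNAME target are never climbed, only parents of `domain`."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        caa = query_caa(candidate, zone)
        if caa:
            return candidate, caa
    return None, []


def ca_may_issue(domain, ca, zone=ZONE):
    """Non-wildcard issuance check against the 'issue' tags of the relevant set.
    No relevant set, or a set without 'issue' tags, leaves issuance unrestricted."""
    _, caa = relevant_caa(domain, zone)
    issuers = [v.split(";")[0].strip().lower() for _f, tag, v in caa if tag == "issue"]
    if not issuers:
        return True
    return ca.lower() in issuers  # an empty issuer value ('' or ';') matches no CA
```

For content-ci360.sas.com the chain ends with no CAA, so the climb reaches sas.com and its DigiCert-only record governs; for www.example.com the CNAME target's own set answers first and example.com is never consulted.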
@sahsanu: @mnordhoff’s example is more accurate here. You’ll notice in the output from dig content-ci360.sas.com that the recursive resolver has already snapped the CNAMEs for you and found nothing at the end:
So there’s no need to run a separate dig for content.aimatch.com, aimatch.edgekey.net, and e10517.g.akamaiedge.net. You can just move directly on to:
@jsha, I was trying to explain how Let's Encrypt implements CAA checks because of this:
Of course, @mnordhoff's example is accurate because the dig command follows CNAMEs, but I wanted to show what the steps are to check the CAA records if the domain has CNAMEs... I should have used just "check domain caa", "check cname caa"... instead of the dig command.
I am not exactly sure what you mean by this. There is still something I am not understanding quite right. If there is no CAA record for subdomain.example.com, then isn't there a fallback lookup to example.com for a default CAA policy? Or do CAA records not apply to subdomains?