Couldn't find a CAA record for a domain

Hi team,
We are receiving thread alerts for various domains related to CAA records. We have added CAA records for letsencrypt.org in Cloudflare.

As a server administrator I would like cPanel to provide support for CAA DNS records, to increase server security by defining which certificate authorities are authorized to issue certificates for my domain.

Checking the CAA record on one of my domains (DNS CAA record tester) shows No CAA found.

Any help would be appreciated.

Thanks.

I do not know that DNS CAA record tester, however on that one specific domain there is a CAA record (the name resolution following a CNAME record):

$ dig +short CAA admin.zabrr.com
admin.yelo.red.
0 issuewild "sectigo.com;"
2 Likes

Hi @bruncsak

Yeah on dig checker or through terminal it shows the record to be added as I have added.
But when I try to see the same on SSL Labs SSL Server Test: admin.yelo.red (Powered by Qualys SSL Labs) or DNS CAA tester DNS CAA record tester it shows the record as not added.

The policy is "issuewild", what you put into the DNS. Try putting "issue" policy.

3 Likes

This might be messing with things:

admin.zabrr.com canonical name = admin.yelo.red.
admin.yelo.red  canonical name = lb.yelo.red.
3 Likes

@rg305, that is right.
@mohammad.atif, remove the CAA record for admin.yelo.red and put the record for lb.yelo.red.

2 Likes

Indeed, it's not allowed to have other resource records next to a CNAME resource record.

4 Likes

None of those names are allowing LE:

dig +short CAA admin.zabrr.com
admin.yelo.red.
0 issue "sectigo.com;"

dig +short CAA admin.yelo.red
0 issue "sectigo.com;"

dig +short CAA lb.yelo.red
[empty]
2 Likes
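
Added example (not part of any post in this thread, and not Let's Encrypt's code): a small Python model of the RFC 8659 CAA lookup over a constructed zone that mirrors the dig and nslookup output quoted above. It shows why a CAA RRset placed beside a CNAME is seen by some resolvers and missed by others, and what each view means for letsencrypt.org. The zone contents, the `cname_wins` switch and the function names are assumptions for illustration.

```python
# Constructed zone modelled on the dig/nslookup output quoted in the thread.
# Assumption: no CAA records exist at yelo.red, zabrr.com or the TLDs.
ZONE = {
    "admin.zabrr.com": {"CNAME": "admin.yelo.red"},
    # CNAME and CAA at the same owner name: the invalid combination discussed above.
    "admin.yelo.red": {"CNAME": "lb.yelo.red", "CAA": [(0, "issue", "sectigo.com;")]},
    "lb.yelo.red": {},
}

def lookup_caa(name, cname_wins):
    """One CAA query, following CNAMEs. cname_wins=True models a resolver that
    treats a CNAME as the only data at a name; False models one that returns
    the CAA RRset sitting beside the CNAME (both are illustrative models)."""
    for _ in range(8):  # bound the chain so a CNAME loop cannot hang the lookup
        node = ZONE.get(name, {})
        if node.get("CAA") and not (cname_wins and "CNAME" in node):
            return node["CAA"]
        if "CNAME" not in node:
            return []
        name = node["CNAME"]
    return []

def relevant_caa_set(fqdn, cname_wins):
    """RFC 8659 tree climbing: first non-empty CAA RRset from fqdn up to the TLD."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]), cname_wins)
        if rrset:
            return rrset
    return []

def ca_may_issue(fqdn, ca, wildcard=False, cname_wins=False):
    """True if CAA, as seen by this resolver model, lets `ca` issue for fqdn."""
    rrset = relevant_caa_set(fqdn, cname_wins)
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # issuewild only applies to wildcard requests, where it overrides issue.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # no applicable issue/issuewild property: CAA does not restrict
    # The issuer domain is the part of the value before any ';' parameters.
    return any(v.split(";")[0].strip().lower() == ca for v in props)
```

With `cname_wins=False` the lookup returns the sectigo.com record and letsencrypt.org is refused; with `cname_wins=True` the chain ends at lb.yelo.red, no CAA is found anywhere, and issuance is unrestricted, which matches the checkers reporting no CAA record.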

That is correct. But I think the point of the OP is that CAA checkers do not find a CAA record of any kind.

1 Like

OK but how is that any of our problem?
How would we be able to "fix" any of those sites?
LOL

2 Likes

We are so kind that we are helping to solve issues related generally to PKI, not only strictly Let's Encrypt specific problems. :wink:

2 Likes
