How to test if a negative CAA entry works?

Hey everybody

I built a DNS debugger that sometimes responds with an IP that I don't control, so I would like to be sure that nobody can use these responses.
I set the CAA records to ;

My domain with the manual is on this domain:

One of the "risky" domains is

My hosting provider, if applicable, is: myself

I can log in to a root shell on my machine: yes



You can also use any ACME client of your choice and try issuing a certificate for the domains in question.

Note that many CAs, including Let's Encrypt, do not support CAA iodef, so you won't see any mails regarding (failing) CAA.

Also, some remarks regarding your CAA record:

;; ANSWER SECTION:
      60      IN      CAA     128 issue ";"
      60      IN      CAA     128 issuewild ";"
      60      IN      CAA     128 iodef ""

You have set the critical flag (bit 7) of all your CAA records. As per RFC 8659, this is not currently allowed. As per the current specification, the flag should be 0. The critical bit is meant for future extensions, not the current spec.

Additionally, having both issue and issuewild set to the same value is redundant. issue controls all issuance if issuewild is not present. So you do not actually require the issuewild directive in your case.


So if I want a TLS Cert for but not for anything under that tree:
Do I have to respond with something else below the dynamic part and allow it on
Or can I confirm a cert since I allow it on


CAA records are searched bottom to top*. The first result found is used. So for an example domain the CA first looks up CAA for, then, then and finally ch.

Given that you currently seem to have a wildcard CAA record for * you could use that for a denying CAA and set a permissive CAA on only to achieve what you want. Another option would be to remove the CAA records on entirely, which would cause the CAA record on to take precedence.

*Assuming no CNAMEs are in the tree. With CNAME the query gets a bit complicated.
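As an added illustration (not code from anyone in this thread), here is a small Python model of the bottom-to-top CAA search described above, extended with the RFC 8659 rule that issuewild only applies to wildcard names and issue only to non-wildcard names. The zone names and records are made up; CNAMEs and a literal CAA record at the "*" label are not modelled.

```python
# Hypothetical zone data (constructed for this example): name -> list of (tag, value).
ZONES = {
    "example.ch": [("issue", "letsencrypt.org; validationmethods=dns-01")],
    "dyn.example.ch": [("issuewild", ";")],                      # denies wildcards only
    "static.dyn.example.ch": [("issue", ";"), ("issuewild", ";")],  # denies everything
}


def relevant_rrset(name):
    """Walk from the name towards the root; the first CAA RRset found is the
    relevant one (RFC 8659 section 3). Returns (owner, records) or (None, [])."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate, ZONES[candidate]
    return None, []


def issuer_allowed(name, issuer):
    """Decide whether `issuer` may issue for `name` under the relevant CAA RRset."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name
    _, rrs = relevant_rrset(lookup)
    if not rrs:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # issuewild is used only for wildcard names, and only if at least one exists;
    # otherwise (and always for non-wildcard names) the issue properties apply.
    has_wild = any(tag == "issuewild" for tag, _ in rrs)
    tag_used = "issuewild" if (wildcard and has_wild) else "issue"
    values = [value for tag, value in rrs if tag == tag_used]
    if not values:
        return True  # relevant properties absent: no restriction for this kind of name
    # Drop parameters after ';'. A bare ";" becomes "", which no issuer can match.
    allowed = {value.split(";")[0].strip().lower() for value in values}
    return issuer.lower() in allowed
```

With these records, a single host under dyn.example.ch is still permitted because its relevant RRset carries only an issuewild property, which is ignored for non-wildcard names.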


I have wildcard denied and issue allowed on. However, I can still request certificates for single hosts below. I still need to deny both one level below

The CNAME complications start when I point outside the tree, yes?
So, someone pointing into that tree can apply their rules, but it won't appear as "my" certificate, yes?

