Will letsencrypt provide certificate if the customer’s CNAME has valid CAA. For example, if “example.com” is pointed to CNAME “cnametest.com”. Will it be sufficient if the “cnametest.com” has valid CAA record? Or does it require the main domain(i.e example.com) to have the valid CAA ?
I’m not sure sufficiency is the right question, as CAA is entirely optional. You don’t need to have a CAA record on either domain.
But Let’s Encrypt will follow CNAMEs when checking CAA records, yes.
If I had a domain
example.com which was CNAME to
paypal.com, and I tried to issue a certificate, Let’s Encrypt would refuse, because it would use the CAA records of
paypal.com to make its decision.
Thanks for the reply. Suppose “example.com” has updated their CAA only to digicert.com. In this case if we add CAA record for “cnametest.com” domain to letsencrytps.org, will letencrypt issue the certificate for “example.com”?
Your question poses a scenario which is not possible with DNS.
example.com is a CNAME, then it cannot have a CAA record.
If it has a CAA record, then it cannot be a CNAME.
If a CNAME record is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. (RFC 1034 section 3.6.2, RFC 1912 section 2.4) The exception is when DNSSEC is being used, in which case there can be DNSSEC related records such as RRSIG, NSEC, etc. (RFC 2181 section 10.1)
Please consider this situation. Suppose example.com is pointed to euelb1.paypal.com. And example.com has a CAA record pointed to only digicert.com.
Now if i update a CAA for euelb1.paypal.com with letsencrypt details, will Letsencrypt be able to issue the certificate for example.com?
I understand what you are asking, but you can’t do that in DNS.
If you have a CNAME on a domain, it’s to the exclusion of any other record type.
In that case, I believe the
foo.com record would apply.
The lookup order for the domain
blog.foo.com would be:
hosting.bar.com(the domain after the CNAME is followed)
The algorithm is described here, but it’s pretty unreadable. Somebody should make a visualization of it.