Will it be sufficient if we update valid CAA on the cname domain to issue certificate?

Will Let’s Encrypt provide a certificate if the customer’s CNAME has a valid CAA? For example, if “example.com” is pointed to CNAME “cnametest.com”, will it be sufficient if “cnametest.com” has a valid CAA record? Or does it require the main domain (i.e. example.com) to have the valid CAA?

I’m not sure sufficiency is the right question, as CAA is entirely optional. You don’t need to have a CAA record on either domain.

But Let’s Encrypt will follow CNAMEs when checking CAA records, yes.

If I had a domain example.com which was CNAME to paypal.com, and I tried to issue a certificate, Let’s Encrypt would refuse, because it would use the CAA records of paypal.com to make its decision.

Thanks for the reply. Suppose “example.com” has updated their CAA only to digicert.com. In this case, if we add a CAA record for the “cnametest.com” domain to letsencrypt.org, will Let’s Encrypt issue the certificate for “example.com”?

Your question poses a scenario which is not possible with DNS.

If example.com is a CNAME, then it cannot have a CAA record.

If it has a CAA record, then it cannot be a CNAME.

If a CNAME record is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. (RFC 1034 section 3.6.2, RFC 1912 section 2.4) The exception is when DNSSEC is being used, in which case there can be DNSSEC related records such as RRSIG, NSEC, etc. (RFC 2181 section 10.1)

Please consider this situation. Suppose example.com is pointed to euelb1.paypal.com, and example.com has a CAA record pointed to only digicert.com.
Now if I update a CAA for euelb1.paypal.com with Let’s Encrypt details, will Let’s Encrypt be able to issue the certificate for example.com?

I understand what you are asking, but you can’t do that in DNS.

If you have a CNAME on a domain, it’s to the exclusion of any other record type.

How about subdomains?
blog.foo.com CNAMEd to hosting.bar.com (like a web hosting setup)
CAA on foo.com: issue letsencrypt.org
CAA on bar.com: issue someotherCA.com

Sure.

In that case, I believe the foo.com record would apply.

The lookup order for the domain blog.foo.com would be:

  1. hosting.bar.com (the domain after the CNAME is followed)
  2. foo.com
  3. com

The algorithm is described here, but it’s pretty unreadable. Somebody should make a visualization of it.

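The lookup order described in the answer above, as an added example that is not part of this thread or of Let’s Encrypt’s code: a small Python model of CAA checking that follows a CNAME at each name and then climbs toward the root from the original name, run over constructed zone data taken from the two scenarios in this thread (not live DNS). The `issuewild` tag and the critical flag are left out.

```python
from typing import Optional, Tuple

# Constructed zone data for this thread's scenarios (not real DNS). Each name maps to
# either {"CNAME": target} or {"CAA": [issuer, ...]}; a CNAME node carries no other
# data, which is the RFC 1034 constraint discussed above.
ZONE = {
    "blog.foo.com": {"CNAME": "hosting.bar.com"},
    "foo.com": {"CAA": ["letsencrypt.org"]},
    "bar.com": {"CAA": ["someotherca.com"]},
    "example.com": {"CNAME": "paypal.com"},
    "paypal.com": {"CAA": ["digicert.com"]},
}


def caa_at(name: str, zone: dict) -> Tuple[str, Optional[list]]:
    """CAA RRset for one name, following any CNAME chain first (RFC 8659 section 3).
    Returns (canonical name that was actually queried, CAA issuers or None)."""
    seen = set()
    while name in zone and "CNAME" in zone[name]:
        if name in seen:  # loop guard for malformed constructed data
            return name, None
        seen.add(name)
        name = zone[name]["CNAME"]
    return name, zone.get(name, {}).get("CAA")


def relevant_caa(name: str, zone: dict) -> Tuple[Optional[str], Optional[list]]:
    """Climb from the *original* name toward the root (blog.foo.com, foo.com, com);
    the first non-empty CAA RRset wins. (None, None) means no CAA exists anywhere."""
    labels = name.split(".")
    for i in range(len(labels)):
        canonical, rrset = caa_at(".".join(labels[i:]), zone)
        if rrset is not None:
            return canonical, rrset
    return None, None


def may_issue(ca: str, name: str, zone: dict = ZONE) -> bool:
    """RFC 8659 semantics: no CAA at any level permits any CA; otherwise the CA must
    appear in an `issue` value. The value ";" names no CA, so it blocks everyone."""
    _, issuers = relevant_caa(name, zone)
    if issuers is None:
        return True
    return ca.lower() in {i.lower() for i in issuers if i != ";"}
```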