Will it be sufficient if we update valid CAA on the cname domain to issue certificate?

Narayan · September 4, 2020, 7:15am

Will letsencrypt provide certificate if the customer’s CNAME has valid CAA. For example, if “example.com” is pointed to CNAME “cnametest.com”. Will it be sufficient if the “cnametest.com” has valid CAA record? Or does it require the main domain(i.e example.com) to have the valid CAA ?

_az · September 4, 2020, 7:31am

I'm not sure sufficiency is the right question, as CAA is entirely optional. You don't need to have a CAA record on either domain.

But Let's Encrypt will follow CNAMEs when checking CAA records, yes.

If I had a domain example.com which was CNAME to paypal.com, and I tried to issue a certificate, Let's Encrypt would refuse, because it would use the CAA records of paypal.com to make its decision.

Narayan · September 4, 2020, 10:01am

Thanks for the reply. Suppose "example.com" has updated their CAA only to digicert.com. In this case if we add CAA record for "cnametest.com" domain to letsencrytps.org, will letencrypt issue the certificate for "example.com"?

_az · September 4, 2020, 10:08am

Your question poses a scenario which is not possible with DNS.

If example.com is a CNAME, then it cannot have a CAA record.

If it has a CAA record, then it cannot be a CNAME.

If a CNAME record is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. (RFC 1034 section 3.6.2, RFC 1912 section 2.4) The exception is when DNSSEC is being used, in which case there can be DNSSEC related records such as RRSIG, NSEC, etc. (RFC 2181 section 10.1)

Narayan · September 4, 2020, 11:39am

Please consider this situation. Suppose example.com is pointed to euelb1.paypal.com. And example.com has a CAA record pointed to only digicert.com.
Now if i update a CAA for euelb1.paypal.com with letsencrypt details, will Letsencrypt be able to issue the certificate for example.com?

_az · September 4, 2020, 11:48am

I understand what you are asking, but you can't do that in DNS.

If you have a CNAME on a domain, it's to the exclusion of any other record type.

orangepizza · September 4, 2020, 11:54am

how about subdomains?
blog.foo.com cnamed to hosting.bar.com (like webhosting setup)
caa on foo.com : issue letsencrypt.org
caa on bar.com : issue someotherCA.com

_az · September 4, 2020, 12:19pm

Sure.

In that case, I believe the foo.com record would apply.

The lookup order for the domain blog.foo.com would be:

hosting.bar.com (the domain after the CNAME is followed)
foo.com
com

The algorithm is described here, but it’s pretty unreadable. Somebody should make a visualization of it.

system · October 4, 2020, 12:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
CAA & CNAME along with external service Help	10	1993	May 20, 2021
Let's Encrypt Domain name resolution support CAA failed Help	2	538	June 16, 2020
CAA validation error on CNAME lookup with on CAA record Help	4	2004	January 16, 2020
What CAA records should use for Let's Encrypt? Help	8	26677	April 15, 2020
CAA 403 issue, with multiple CNAME configuration Help	13	1989	September 20, 2019

Will it be sufficient if we update valid CAA on the cname domain to issue certificate?

Related topics