On CAA and CNAME records

Posted on Dec 14, 2024

This is something I knew but never realized all the implications of: CAA lookups are not only about CAA records. They also involve CNAME records.

First, a quick recap: CAA DNS records are used to specify which Certificate Authorities (CAs) are allowed to issue certificates for a domain. For example, specifying letsencrypt.org in a CAA record means that only Let’s Encrypt is allowed to issue certificates for that domain, and that other CAs should refuse to do so.

It is established that a CNAME record cannot coexist with any other record type for the same name. This means that if a domain has a CNAME record, it cannot have a CAA record. But what if the CNAME record points to a domain that has a CAA record?

The answer is that the CAA record of the target domain is used.

A CAA lookup for stuff.example.com will follow the CNAME chain until it finds a domain that has a CAA record. If stuff.example.com has a CNAME record that points to bar.foo.org, the CAA lookup will be for bar.foo.org, even if example.com has a CAA record itself.

This is important to keep in mind when adding CNAME records that target third-party domains: you are effectively delegating the CAA policy as well.
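To make the lookup order concrete, here is an added example (not part of the original post) that simulates the CAA algorithm from RFC 8659 over a constructed, in-memory zone table: CAA(X) follows CNAMEs like a resolver would, and RelevantCAASet(X) walks up the parents of the *original* name only when the CNAME target has no CAA record. All names and CA identifiers in the table are made up for illustration.

```python
"""Simulate CAA lookup with CNAME following (RFC 8659 style) over constructed data."""
from typing import Dict, List, Optional

# Constructed sample zone data, not real DNS. Each name maps to either a CNAME
# target or a list of CAA records. It mirrors the post's scenario: stuff.example.com
# is a CNAME to bar.foo.org, which carries its own CAA policy, while example.com
# has a different CAA policy of its own.
ZONES: Dict[str, dict] = {
    "example.com.": {"CAA": ['0 issue "letsencrypt.org"']},
    "stuff.example.com.": {"CNAME": "bar.foo.org."},
    "bar.foo.org.": {"CAA": ['0 issue "otherca.example"']},
    "plain.example.com.": {},                                  # no records at all
    "dangling.example.com.": {"CNAME": "nothing.foo.org."},  # target has no CAA
}

def caa_query(name: str, max_chain: int = 8) -> List[str]:
    """CAA(X): the CAA RRset returned for X after following any CNAME chain."""
    hops = 0
    while hops < max_chain:
        rr = ZONES.get(name, {})
        if "CNAME" in rr:            # a CNAME has no CAA beside it; follow it
            name = rr["CNAME"]
            hops += 1
            continue
        return list(rr.get("CAA", []))
    raise ValueError("CNAME chain too long")

def parent(name: str) -> Optional[str]:
    """Parent of a fully qualified name, or None once we reach the TLD."""
    labels = name.rstrip(".").split(".")
    return None if len(labels) <= 1 else ".".join(labels[1:]) + "."

def relevant_caa_set(name: str) -> List[str]:
    """RelevantCAASet(X): first non-empty CAA(X) found walking from X up to the TLD.

    Note the walk climbs the parents of X, not of the CNAME target."""
    cur: Optional[str] = name
    while cur is not None:
        rrset = caa_query(cur)
        if rrset:
            return rrset
        cur = parent(cur)
    return []

def issuers_allowed(name: str) -> List[str]:
    """CA domains named in 'issue' properties of the relevant CAA set (parameters dropped)."""
    out = []
    for rec in relevant_caa_set(name):
        _flags, tag, value = rec.split(" ", 2)
        if tag == "issue":
            out.append(value.strip('"').split(";")[0].strip())
    return out
```

Running `issuers_allowed("stuff.example.com.")` yields the target's CA, not example.com's, which is exactly the delegation the post warns about.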
