My DNS supplier does not allow me to create a CAA record for a hostname that already has a CNAME record defined. I understand that the specifications don't allow for other record types when CNAME is used (with some DNSSEC-related exceptions); however, this doesn't seem right...

Still... What would be the best way to provide a CAA record for a CNAME alias?


CAA records are supposed to follow CNAMEs, so you need a CAA record for the target of the CNAME record instead.

Citing https://letsencrypt.org/docs/caa/

CAA validation follows CNAMEs, like all other DNS requests. If www.community.example.com is a CNAME to web1.example.net, the CA will first request CAA records for www.community.example.com, then seeing that there is a CNAME for that domain name instead of CAA records, will request CAA records for web1.example.net instead. Note that if a domain name has a CNAME record, it is not allowed to have any other records according to the DNS standards.

Trying to "circumvent" this wouldn't be helpful because even if you created an illegal CAA record parallel to the CNAME, clients following the specification would just ignore it.
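The lookup order described in the answer can be modelled offline. The following is an added example, not part of the original answer: the zone data, the host names beyond those quoted above, and the hop limit are constructed assumptions. It goes one step further than the quoted text by also showing the climb to parent names from RFC 8659, which applies to the original name when the CNAME target has no CAA records.

```python
# Constructed zone data: name -> {record type: [values]}. All names are examples.
ZONE = {
    "www.community.example.com": {
        "CNAME": ["web1.example.net"],
        "CAA": ['0 issue "ignored.example"'],  # illegal sibling of a CNAME
    },
    "web1.example.net": {"CAA": ['0 issue "letsencrypt.org"']},
    "example.com": {"CAA": ['0 issue "ca.example"']},
    "alias.example.com": {"CNAME": ["bare.example.net"]},
    "bare.example.net": {"A": ["192.0.2.10"]},
}

MAX_CNAME_HOPS = 8  # assumption: small cap to stop CNAME loops


def query_caa(name, zone=ZONE):
    """Model one CAA query as a resolver answers it: a CNAME at the
    name wins over anything stored beside it and is followed."""
    for _ in range(MAX_CNAME_HOPS):
        records = zone.get(name, {})
        if "CNAME" in records:
            name = records["CNAME"][0]
            continue
        return name, records.get("CAA", [])
    raise RuntimeError("CNAME chain too long or looping")


def relevant_caa(name, zone=ZONE):
    """Climb from name towards the root (as in RFC 8659) and return the
    first non-empty CAA set with the owner name that supplied it."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner, caa = query_caa(".".join(labels[i:]), zone)
        if caa:
            return owner, caa
    return None, []


def cname_conflicts(zone=ZONE):
    """Names that carry a CNAME together with other record types."""
    return sorted(n for n, r in zone.items() if "CNAME" in r and len(r) > 1)


if __name__ == "__main__":
    for host in ("www.community.example.com", "alias.example.com"):
        print(host, "->", relevant_caa(host))
    print("CNAME conflicts:", cname_conflicts())
```
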