CAA and CNAME together

domain-name-system cname-record caa-record

My DNS supplier does not allow me to create a CAA record for a hostname that already has a CNAME record defined. I understand that the specifications don't allow for other record types when CNAME is used (with some DNSSEC related exceptions), however this doesn't seem right...

Still... What would be the best way to provide a CAA record for a CNAME alias?


CAA records are supposed to follow CNAMEs, so you need a CAA record for the target of the CNAME record instead.

Citing https://letsencrypt.org/docs/caa/

CAA validation follows CNAMEs, like all other DNS requests. If www.community.example.com is a CNAME to web1.example.net, the CA will first request CAA records for www.community.example.com, then seeing that there is a CNAME for that domain name instead of CAA records, will request CAA records for web1.example.net instead. Note that if a domain name has a CNAME record, it is not allowed to have any other records according to the DNS standards.

Trying to "circumvent" this wouldn't be helpful because even if you created an illegal CAA record parallel to the CNAME, clients following the specification would just ignore it.

Related

Certbot fails. Enable Let’s Encrypt certbot on a new server that will replace the existing production server
How to test php-fpm configuration (PHP7.0)
In Jenkins how to pass a parameter from Pipeline job to a freestyle job
Howto install Oracle OCI8 instantclient on Ubuntu 18.04
How to login (at remote site) when primary DC is down
IIS LAN and WAN separate SSL certificates for the same server
How to make in SSH private key from one line, three lines [closed]
What differences are between a NAS, a shared disk file system on a SAN, and a distributed filesystem?
Ubuntu 20.04 minimal: "Unable to locate package python-pip"
.class specific search and replace
Level 47 dweller disappeared while exploring the wasteland
Why can some game updates be applied automatically and some require download? [closed]