Can I create a CAA record for all sub-domains

Our main web site uses HTTPS certificates issued by comodo. So we have two CAA records like this:

@        CAA        0 issue "comodo.com"
www      CAA        0 issue "comodo.com"

And we have multiple sub-domains with HTTPS certificates served by letsencrypt. Example CAA records like:

test1    CAA        0 issue "letsencrypt.org"
test2    CAA        0 issue "letsencrypt.org"
other    CAA        0 issue "letsencrypt.org"

At the moment, when we have a new sub-domain, besides an A-record I also have to create a new CAA record. Can't I have a wild-card as sub-domain name, like this?

*    CAA        0 issue "letsencrypt.org"

(I've tested this, but it doesn't work)

For the record: I'm not talking about wild-card domain certificates.


CAA records are inherited by subdomains - you do not need to publish them under subdomains, as pointed out by Håkan Lindqvist. Ignoring subdomains, you can have multiple CAA records at your domain, e.g.

@        CAA        0 issue "comodo.com"

@        CAA        0 issue "letsencrypt"

issuewild is the context you are looking for IF you want to authorise letsencrypt to issue wildcard certs, e.g.

@        CAA        0 issuewild "comodo.com"

@        CAA        0 issuewild "letsencrypt"

Personally I only publish one CAA record at my domain, I do not publish them for subdomains, and I use non-wildcard letsencrypt certificates for subdomains without issue.

P.S. Wildcard DNS records only resolve for subdomains that DO NOT exist, which is commonly misunderstood. This is what Håkan Lindqvist was saying when he mentioned that. Inheritance enables you to use @ CAA instead of * CAA.


Technically, it's certainly possible to have a wildcard CAA record (and it does "work").

However, the way wildcards in DNS are defined, this is probably not actually useful for your use case, as a wildcard only applies to names in branches that do not exist.

Presumably you have at least address records (A/AAAA) for all these names that you want to get certificates for, and by having those address records in place the wildcard no longer applies there. So wildcards are almost certainly a no-go for what you want to do.

I think what you will want to do is either add CAA records for all these names or live with a less strict policy on the level above (i.e., comodo + letsencrypt in your example) and make use of the built-in policy inheritance in the CAA spec.
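A small model of the lookup both answers describe (RFC 4592 wildcard matching plus the RFC 8659 climb to the parent), added here as an illustration; it is not code from the question or the answers, and the example.com zone below is constructed to mirror the question.

```python
# Toy CAA lookup: wildcard synthesis only for names that do not exist
# (RFC 4592), then "exact name, else parent" discovery of the relevant
# CAA RRset (RFC 8659 section 3). Zone data below is constructed.

def parent(name):
    """Strip the leftmost label; the parent of a TLD is the empty root."""
    return name.split(".", 1)[1] if "." in name else ""

def name_exists(name, zone):
    """A name exists if it owns records or is an ancestor of an owner
    (an empty non-terminal); either one blocks wildcard synthesis."""
    return any(o == name or o.endswith("." + name) for o in zone)

def rrset(name, zone, rtype):
    """Records of `rtype` at `name`; for a non-existent name, synthesise
    from the wildcard child of the closest encloser, if there is one."""
    if name_exists(name, zone):
        return list(zone.get(name, {}).get(rtype, []))
    encloser = parent(name)
    while encloser and not name_exists(encloser, zone):
        encloser = parent(encloser)
    return list(zone.get("*." + encloser, {}).get(rtype, []))

def relevant_caa(name, zone):
    """(owner, records) of the first CAA RRset walking up from `name`;
    this climb is the 'inheritance' from the apex that the answers mean."""
    while name:
        caa = rrset(name, zone, "CAA")
        if caa:
            return name, caa
        name = parent(name)
    return None, []

def allowed_issuers(name, zone, wildcard_cert=False):
    """Issuer domains permitted for a certificate on `name`; for a
    wildcard certificate, issuewild overrides issue when present."""
    _, records = relevant_caa(name, zone)
    tags = {}
    for rec in records:
        _flags, tag, value = rec.split(" ", 2)
        tags.setdefault(tag, set()).add(value.strip('"').split(";")[0].strip())
    if wildcard_cert and "issuewild" in tags:
        return tags["issuewild"]
    return tags.get("issue", set())

# Constructed zone: apex and www pinned to comodo, test1 has only an A
# record, and a wildcard CAA that the question hoped would cover test1.
ZONE = {
    "example.com":       {"A": ["192.0.2.1"], "CAA": ['0 issue "comodo.com"']},
    "www.example.com":   {"A": ["192.0.2.1"], "CAA": ['0 issue "comodo.com"']},
    "test1.example.com": {"A": ["192.0.2.2"]},
    "*.example.com":     {"CAA": ['0 issue "letsencrypt.org"']},
}
```

Because test1 exists (it owns an A record), the wildcard never answers for it and the lookup climbs to the apex, so only comodo.com is permitted there; a name with no records at all, such as new.example.com, would get the wildcard's letsencrypt.org.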