Can I create a CAA record for all sub-domains
Our main web site uses HTTPS certificates issued by comodo. So we have two CAA records like this:
@ CAA 0 issue "comodo.com"
www CAA 0 issue "comodo.com"
And we have multiple sub-domains with HTTPS certificates served by letsencrypt. Example CAA records like:
test1 CAA 0 issue "letsencrypt.org"
test2 CAA 0 issue "letsencrypt.org"
other CAA 0 issue "letsencrypt.org"
At the moment, when we have a new sub-domain, besides an A-record I also have to create a new CAA record. Can't I have a wild-card as sub-domain name, like this?
* CAA 0 issue "letsencrypt.org"
(I've tested this, but it doesn't work)
For the record: I'm not talking about wild-card domain certificates.
CAA records are inherited by subdomains - you do not need to publish them under subdomains, as pointed out by Håkan Lindqvist. Ignoring subdomains, you can have multiple CAA records at your domain, e.g.
@ CAA 0 issue "comodo.com"
@ CAA 0 issue "letsencrypt"
issuewild
is the context you are looking for IF you want to authorise letsencrypt to issue wildcard certs, e.g.
@ CAA 0 issuewild "comodo.com"
@ CAA 0 issuewild "letsencrypt"
Personally I only publish one CAA
record at my domain, I do not publish them for subdomains, and I use non-wildcard letsencrypt certificates for subdomains without issue.
P.S. Wildcard DNS records only resolve for subdomains that DO NOT exist, which is commonly misunderstood.
This is what Håkan Lindqvist was saying when he mentioned that. Inheritance enables you to use @ CAA
instead of * CAA
.
Technically, it's certainly possible to have a wildcard CAA
record (and it does "work").
However, the way wildcards in DNS are defined, this is probably not actually useful for your use-case as a wildcard only applies to names in branches that do not exist.
Presumably you have at least address records (A
/AAAA
) for all these names that you want to get certificates for, and by having those address records in place the wildcard no longer applies there. So wildcards are almost certainly a no-go for what you want to do.
I think what you will want to do is either add CAA
records for all these names or live with a less strict policy on the level above (ie, comodo + letsencrypt in your example) and make use of the built-in policy inheritance in the CAA
spec.