Create CAA Record for All Sub-Domains – How to

domain-name-system

Our main web site uses HTTPS certificates issued by comodo. So we have two CAA records like this:

@        CAA        0 issue "comodo.com"
www      CAA        0 issue "comodo.com"

And we have multiple sub-domains with HTTPS certificates served by letsencrypt. Example CAA records like:

test1    CAA        0 issue "letsencrypt.org"
test2    CAA        0 issue "letsencrypt.org"
other    CAA        0 issue "letsencrypt.org"

At the moment, when we have a new sub-domain, besides an A-record I also have to create a new CAA record. Can't I have a wild-card as sub-domain name, like this?

*    CAA        0 issue "letsencrypt.org"

(I've tested this, but it doesn't work)

For the record: I'm not talking about wild-card domain certificates.

Best Answer

CAA records are inherited by subdomains - you do not need to publish them under subdomains, as pointed out by Håkan Lindqvist. Ignoring subdomains, you can have multiple CAA records at your domain, e.g.

@        CAA        0 issue "comodo.com"

@        CAA        0 issue "letsencrypt"

issuewild is the context you are looking for IF you want to authorise letsencrypt to issue wildcard certs, e.g.

@        CAA        0 issuewild "comodo.com"

@        CAA        0 issuewild "letsencrypt"

Personally I only publish one CAA record at my domain, I do not publish them for subdomains, and I use non-wildcard letsencrypt certificates for subdomains without issue.

P.S. Wildcard DNS records only resolve for subdomains that DO NOT exist, which is commonly misunderstood. This is what Håkan Lindqvist was saying when he mentioned that. Inheritance enables you to use @ CAA instead of * CAA.

Related Topic