Automatic CAA Records Missing?

Hi, Everyone!

Cloudflare documentation states (repeatedly) that CAA records are not needed if you’re using Universal SSL as they will be added automatically. I have a domain brg.to hosted on Cloudflare with Universal SSL enabled, yet it doesn’t seem to have any CAA records published. Is the documentation outdated?

Thank you!

I did some testing and found that for my domain that already has a CAA, the records are automatically added. However, for my domain that does not have any CAA records, they are not added.

1 Like

CAA records will be automatically added by Cloudflare in two situations.

  1. If you have any CAA records in place (including just an iodef reporting record).
  2. If you enable SXG Signed Exchanges or AMP Real URL.

The latter is a problem if you use any CA that is not on Cloudflare's list. My recommendation is to always add appropriate CAA records for the CAs you use, even if they are currently added automatically by Cloudflare.

1 Like
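To make the recommendation above checkable, here is an added example (not from the thread and not Cloudflare code) that evaluates a CAA record set the way RFC 8659 describes and reports which of the CAs you rely on would be refused. The zone contents, CA identifiers and function names are constructed placeholders; it does no DNS lookups and ignores CNAME handling.

```python
# Added example: RFC 8659 CAA evaluation over constructed data (no DNS queries).
# ZONE maps owner name -> [(flags, tag, value)]; every name here is made up.
ZONE = {
    "example.com": [(0, "iodef", "mailto:security@example.com")],
    "shop.example.com": [
        (0, "issue", "ca-a.example"),
        (0, "issuewild", "ca-b.example; validationmethods=dns-01"),
    ],
    "locked.example.com": [(0, "issue", ";")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from name towards the root; the first non-empty CAA RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def issuer_of(value):
    """Issuer domain of an issue/issuewild value, with parameters dropped."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(ca, name, zone):
    """True if CAA permits `ca` to issue for `name`."""
    wildcard = name.startswith("*.")
    _, rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unknown property with the critical bit (128) set forbids issuance.
    if any(f & 128 and tag.lower() not in KNOWN_TAGS for f, tag, _ in rrset):
        return False
    vals = {t: [issuer_of(v) for _, tag, v in rrset if tag.lower() == t]
            for t in ("issue", "issuewild")}
    # Wildcard names use issuewild when present; otherwise issue applies.
    props = vals["issuewild"] if wildcard and vals["issuewild"] else vals["issue"]
    if not props:  # no CAA at all, or only iodef: issuance is unrestricted
        return True
    return ca.lower() in props

def blocked_cas(my_cas, names, zone):
    """(name, ca) pairs for CAs you rely on that CAA would refuse."""
    return [(n, ca) for n in names for ca in my_cas if not may_issue(ca, n, zone)]

if __name__ == "__main__":
    mine = ["ca-a.example", "ca-b.example"]
    print(blocked_cas(mine, ["shop.example.com", "*.shop.example.com"], ZONE))
```

Feed it the CAA records actually published for your zone (for example, copied from a `dig CAA` answer) and the issuer identifiers your CAs document; any pair it returns is a certificate order that would fail.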

Thank you, that sums it up pretty well (unlike the documentation :grinning: )
