AWS ACM CAA Validation Errors

Hey all,

Running into an odd issue using AWS ACM and setting CAA records on the CloudFlare side. I run two sites, luvs.org and neoagi.com, which are set up similarly: both have DNS delegated to CloudFlare, both have a CNAME of cdn that resolves to distinct AWS CloudFront endpoints (that source back to the origin domain on a path), and a CNAME of cdn-static that resolves to AWS CloudFront (which is fronted by S3).

NOTE: Reducing references to cdn-static_luvs_org and cdn_luvs_org as new users are limited to posting 4 links in a post.

What’s strange to me is how Certificate Transparency works. I can get certs issued from ACM for cdn-static_neoagi_com and cdn-static_luvs_org just fine, but cdn_neoagi_com and cdn_luvs_org fail every time.

Performing DNS lookups for CAAs makes me think this is a CloudFlare issue:

$ dig caa cdn-static_luvs_org

; <<>> DiG 9.11.9 <<>> caa cdn-static_luvs_org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10687
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cdn-static_luvs_org.           IN      CAA

;; ANSWER SECTION:
cdn-static.luvs.org.    30      IN      CAA     0 issue "awstrust.com"
cdn-static.luvs.org.    30      IN      CAA     0 issue "amazontrust.com"

;; Query time: 32 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Oct 04 16:55:17 PDT 2021
;; MSG SIZE  rcvd: 113

That was before I set up cdn-static on CloudFlare for DNS, and the cert was issued correctly. After the record is set up, the same query yields:

$ dig CAA cdn-static_luvs_org

; <<>> DiG 9.11.9 <<>> CAA cdn-static_luvs_org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5964
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cdn-static_luvs_org.           IN      CAA

;; ANSWER SECTION:
cdn-static_luvs_org.    300     IN      CNAME   d3t7gsgg7wiptl.cloudfront.net.

;; AUTHORITY SECTION:
d3t7gsgg7wiptl_cloudfront_net. 60 IN    SOA     ns-1914_awsdns-47_co_uk. awsdns-hostmaster_amazon_com. 1 7200 900 1209600 86400

;; Query time: 42 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Oct 04 20:55:24 PDT 2021
;; MSG SIZE  rcvd: 178

And the cert fails due to a Certificate Authority Authentication (CAA) error. Remove the CNAME and issuance is fine again.

Before I remove my cdn CNAMEs and cause disruption to existing distributions, I'm wondering if I'm missing something?

Cheers,
Robby
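Since the question is really "what CAA set does the CA see once the name is a CNAME", here is an added example (my own code, not from this thread or from AWS/Cloudflare) that walks the RFC 8659 section 3 lookup over a constructed zone. The names come from the thread; the CloudFront target having no CAA and luvs.org carrying a CAA for a different CA are assumptions chosen to show how the CNAME changes the answer, not a claim about the real zones.

```python
# Added example (not from the thread): the CAA record set a CA would consult
# for a name under RFC 8659 section 3, computed over a constructed zone.
ZONE = {
    # From the thread: CAA records published directly at this name.
    "cdn-static-2.luvs.org.": ("CAA", ['0 issue "awstrust.com"',
                                       '0 issue "amazontrust.com"']),
    # From the thread: a CNAME to a CloudFront distribution.
    "cdn-static.luvs.org.": ("CNAME", "d3t7gsgg7wiptl.cloudfront.net."),
    # Assumptions: no CAA at the alias target; parent zone names another CA.
    "d3t7gsgg7wiptl.cloudfront.net.": ("CAA", []),
    "luvs.org.": ("CAA", ['0 issue "letsencrypt.org"']),
}

def lookup_caa(name, zone, max_hops=8):
    """CAA records at `name`, following CNAMEs like a resolver would.
    Returns [] when the final name has no CAA records or does not exist."""
    for _ in range(max_hops):
        rtype, data = zone.get(name, ("CAA", []))
        if rtype == "CAA":
            return list(data)
        name = data            # CNAME: the CAA lookup continues at the target
    raise ValueError("CNAME chain longer than %d hops" % max_hops)

def parent(name):
    """'cdn-static.luvs.org.' -> 'luvs.org.'; a single label -> '.'"""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def relevant_caa(fqdn, zone):
    """RFC 8659: the relevant set is CAA(X) for the first X in
    fqdn, parent(fqdn), ... with a non-empty set; (None, []) if none."""
    name = fqdn
    while name != ".":
        records = lookup_caa(name, zone)
        if records:
            return name, records
        name = parent(name)
    return None, []

def issuance_permitted(ca_domain, fqdn, zone):
    """True if `ca_domain` may issue a non-wildcard cert for `fqdn`.
    No relevant set, or no 'issue' tags, leaves issuance unrestricted
    (issuewild and the critical flag are ignored here for brevity)."""
    _, records = relevant_caa(fqdn, zone)
    issuers = [r.split(None, 2)[2] for r in records if r.split()[1] == "issue"]
    if not issuers:
        return True
    # '0 issue "ca.example; policy=x"' -> 'ca.example'; 'issue ";"' -> '' (none)
    allowed = {v.strip('"').split(";")[0].strip() for v in issuers}
    return ca_domain in allowed
```

With this zone the direct-CAA name permits amazontrust.com, while the CNAME name inherits luvs.org's set (the alias target is empty) and does not; swap in your real records to see what the CA actually evaluates.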

This might just add to the confusion, but I’m seeing a different behavior when trying to reproduce and troubleshoot this issue.

Given this configuration:

My results are:

dig @example.ns.cloudflare.com test.example.com
test.example.com. 300 IN CNAME d3t7gsgg7wiptl.cloudfront.net.

dig @example.ns.cloudflare.com test.example.com caa
test.example.com. 300 IN CAA 0 issue "amazontrust.com"
test.example.com. 300 IN CAA 0 issue "awstrust.com"

Multiple queries, different order, and all that. Querying your name servers with your domain in the same way, I get the CNAME in both cases. So there seems to be a difference in how Cloudflare DNS handles the domains.

(Using the default DNS resolver instead of directing the query with @ produces different results. I’ve left that out here. Seems like a rabbit hole.)


Love the setup; a couple of tweaks to it though, as what you're seeing is natural assuming dig is from bind-utils:

dig @example.ns.cloudflare.com test.example.com should revert to an ANY query which has a natural preference order, A, AAAA, then CNAME and others if memory serves (also thanks for catching my ordering error with my queries above).

What’s curious to me is that if a CNAME exists, the CAA query returns the CNAME over the CAA results:

$ dig cdn-static-2.luvs.org CAA +short
0 issue "awstrust.com"
0 issue "amazontrust.com"

$ dig cdn-static.luvs.org CAA +short
d3t7gsgg7wiptl.cloudfront.net.

Using this configuration: