How do CAA records work with CNAME records?
I read online that CAA records are supposed to follow CNAMEs so it resolves like this:
;QUESTION
status.sixcorners.app. IN CAA
;ANSWER
status.sixcorners.app. 215 IN CNAME stats.uptimerobot.com.
stats.uptimerobot.com. 270 IN CAA 0 issue "letsencrypt.org"
but it seems like most of the time, or if I just query matt.ns.cloudflare.com directly, I get this:
;QUESTION
status.sixcorners.app. IN CAA
;ANSWER
status.sixcorners.app. 285 IN CAA 0 issue "letsencrypt.org"
status.sixcorners.app. 285 IN CAA 0 iodef "mailto:[email protected]"
I can get the former response to come back if I ask 126.96.36.199 for something that includes the CNAME, like an A record, then ask it for the CAA record. I can get the latter to come back if I don’t let the CNAME get cached in the resolver and just ask for the CAA record first.
Also, Cloudflare lets me add CAA records to hosts that have CNAMEs.
I think this is a bug.
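
The two answers in the post can be reproduced with a small model of a caching resolver in front of a zone that holds both a CNAME and a CAA record at the same name. This is an added example, not part of the original post: the resolver and server behaviour are a simplified assumption, the function and class names are hypothetical, and the A record value is constructed.

```python
# Simplified model (assumption): authoritative data with a CNAME and a CAA
# record at the same owner name, queried through a caching resolver.
# Names and CAA values are taken from the post; the A record is constructed.
AUTH = {
    ("status.sixcorners.app.", "CNAME"): ["stats.uptimerobot.com."],
    ("status.sixcorners.app.", "CAA"): ['0 issue "letsencrypt.org"'],
    ("stats.uptimerobot.com.", "CAA"): ['0 issue "letsencrypt.org"'],
    ("stats.uptimerobot.com.", "A"): ["192.0.2.10"],
}

def auth_query(name, qtype):
    """Authoritative answer: an exact type match wins, otherwise a CNAME at the name."""
    for rtype in (qtype, "CNAME"):
        if (name, rtype) in AUTH:
            return rtype, AUTH[(name, rtype)]
    return qtype, []

class CachingResolver:
    def __init__(self):
        self.cache = {}  # (owner, type) -> list of rdata strings

    def resolve(self, name, qtype):
        answer = []
        for _ in range(8):  # bound the CNAME chain length
            if qtype != "CNAME" and (name, "CNAME") in self.cache:
                # A cached CNAME is followed for every query type.
                rtype, rdata = "CNAME", self.cache[(name, "CNAME")]
            elif (name, qtype) in self.cache:
                rtype, rdata = qtype, self.cache[(name, qtype)]
            else:
                rtype, rdata = auth_query(name, qtype)
                if rdata:
                    self.cache[(name, rtype)] = rdata
            answer += [(name, rtype, r) for r in rdata]
            if rtype == qtype or not rdata:
                break
            name = rdata[0]  # restart the lookup at the CNAME target
        return answer

def demo():
    cold = CachingResolver().resolve("status.sixcorners.app.", "CAA")
    warm_resolver = CachingResolver()
    warm_resolver.resolve("status.sixcorners.app.", "A")  # caches the CNAME
    warm = warm_resolver.resolve("status.sixcorners.app.", "CAA")
    return cold, warm

if __name__ == "__main__":
    for label, records in zip(("cold cache", "CNAME cached"), demo()):
        print(label, records)
```

In this model the CAA answer depends only on whether the CNAME reached the resolver's cache first, which is why a certificate authority and a monitoring check can see different CAA sets for the same name.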