When I do a dig for the CAA records of my domain, it shows CAA records that I have never put into the DNS records of my domain.
What steps have you taken to resolve the issue?
There are no steps I can take, as all my CAA records are correct and in place. I only allow letsencrypt.org to issue certs for my domain, but in dig there are multiple more showing up… there is even issuewild showing up, which I didn't allow at all.
What feature, service or problem is this related to?
Cloudflare creates CAA records if necessary to allow the issuing of edge certificates for your domain. These records won’t show in the dashboard, but you will see them if you do a DNS query for them.
If you specifically only want Let's Encrypt certificates, then you need to use Advanced Certificate Manager to control the CA that Cloudflare uses (or have a Business or Enterprise plan where you can upload your own edge certificate).
[add] I see you aren’t using the Cloudflare proxy for your domain or www. If you have no proxied records you can disable Universal SSL on Cloudflare if you don’t need any Cloudflare edge certificates. https://cf.sjr.dev/tools/check?49a2af2a6f244fbc990038a7d4ef1869#dns
Despite having correct CAA records for my domain at your nameservers in place (checked again), a normal query for CAA with the dig command on any public DNS server shows CAA records which are not correct. As the main zone file is hosted at your authoritative DNS servers, the only explanation is cache poisoning, perhaps on one of your public-facing servers.
What steps have you taken to resolve the issue?
There is not much I can do. My DNS records are correct and security focused. My zone file is hosted by your authoritative DNS servers. My domain registrar points correctly at your nameservers. The only explanation for this issue is that the cache of one of your public-facing DNS servers is poisoned.
What feature, service or problem is this related to?
Nameservers
What are the steps to reproduce the issue?
Just do a:
dig caa freorit.de
The CAA records shown are not set by me, as is easily observable in the DNS console for my domain. My records only allow letsencrypt.org as the only CA for my domain; I would never allow issuewild, yet it shows up with the dig command.
Cloudflare adds CAA records to the DNS to allow Universal SSL edge certificates to be issued by the CAs that Cloudflare uses. These won’t appear in your dashboard DNS but will be shown by a DNS query.
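As an added example (not from this thread or from Cloudflare), a small Python script that parses a dig CAA answer and flags issue/issuewild entries whose CA is not in the allowlist you intended; the sample answer, the domain example.com and the CA name ca-one.example are constructed, not real records for the poster's domain.

```python
import re
from dataclasses import dataclass

# Constructed sample: what `dig caa example.com` might return once the zone's own
# record (issue letsencrypt.org) is joined by records the operator did not add.
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
example.com.\t300\tIN\tCAA\t0 issue "letsencrypt.org"
example.com.\t300\tIN\tCAA\t0 issue "ca-one.example"
example.com.\t300\tIN\tCAA\t0 issuewild "ca-one.example"
example.com.\t300\tIN\tCAA\t0 iodef "mailto:hostmaster@example.com"
"""

# owner  TTL  IN  CAA  flags  tag  "value"
CAA_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


@dataclass(frozen=True)
class CaaRecord:
    name: str
    flags: int
    tag: str
    value: str


def parse_caa(dig_output: str) -> list:
    """Extract CAA records from dig's answer section; other lines are ignored."""
    records = []
    for line in dig_output.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            records.append(CaaRecord(m.group(1).rstrip("."), int(m.group(2)),
                                     m.group(3).lower(), m.group(4)))
    return records


def audit_caa(records, allowed_issuers, allow_wildcard=False):
    """Return human-readable findings for issuers outside the allowlist and,
    unless wildcards are expected, for every issuewild entry."""
    findings = []
    for r in records:
        if r.tag not in ("issue", "issuewild"):
            continue  # iodef and unknown tags carry no issuance permission
        ca = r.value.split(";", 1)[0].strip()  # parameters follow ';' (RFC 8659)
        if not ca:
            continue  # 'issue ";"' means no CA may issue; nothing unexpected here
        if ca.lower() not in allowed_issuers:
            findings.append(f"unexpected {r.tag} for {ca}")
        if r.tag == "issuewild" and not allow_wildcard:
            findings.append(f"issuewild present for {ca}")
    return findings
```

Run it against real dig output for your own zone with the allowlist set to the CAs you configured; an empty findings list means the published CAA set matches your intent.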
Thanks for getting back to me, I would never have come up with this as I didn't even know about edge certs. When I turned your proxying off, I assumed that everything would be as I configured.
I turned Universal SSL off and will now wait for DNS to propagate. Will check again tomorrow and report whether this solution works out.
For now, great thanks to you, I appreciate it, regards
Sorry for opening up another thread, I didn't see your response to my first post.
Turned Universal SSL off and will check the results tomorrow. Thanks again! Regards
After turning Universal SSL off for the unproxied domain, everything now looks like I configured it; all DNS records are fine. Thank you very much, your advice solved my problem completely.
Problem is solved now.
regards