CF yet again making records that are undesireable

Why does CF create CAA records on its own? I want to specify only one CA, and yet Cloudflare has created 10+ CAA records for my domain.

Whats the thought process here? These CAA records reduce security when one specifies their own CA, CFs’ default mode of operation should be to drop these automatic records when one is specified, however this doesnt seem to be the case

This is far too much ‘hand holding’

Cloudflare creates CAA records to ensure that only authorized Certificate Authorities (CAs) can issue SSL/TLS certificates for your domain. This helps to prevent unauthorized parties from issuing fraudulent certificates for your domain, which could be used in phishing attacks or other malicious activities.

If you want to specify a single CA for your domain, you can do so by adding a CAA record with a value of “0 issuewild” and the name of the CA you want to use. This will tell Cloudflare to only allow the specified CA to issue certificates for your domain, and to drop any other CAA records that may have been automatically created by Cloudflare.

Overall, the automatic creation of CAA records by Cloudflare is a security feature designed to protect your domain and help prevent unauthorized certificate issuance. While it may seem like too much “hand holding” at times, it is an important part of ensuring the security of your domain and website.

1 Like

Ya, thing is I’ve done this and still see all the other CAA records on a lookup

The other CAA records do not get removed, I’ve added sectigo.com since I use ZeroSSL

image

If you use the :orange: Cloudflare proxy, it needs to be able to obtain edge certificates. They will not necessarily be issued by the same CAs that you use for your origin certificates.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.