I was trying to get a certificate from Amazon when it told me some CAA settings prevented it from issuing one. My domain has no CAA records in the Cloudflare dashboard, but when I use the dig tool it shows a total of 8. I’ve tried adding one of my own CAA records and removing it, as well as disabling and re-enabling “Universal SSL”, but neither of them worked, as the unexpected CAA records still persist.

By the way, the Cloudflare dashboard got stuck a number of times during my operations, and I was logged out several times all of a sudden (I have 2FA enabled).

Did Cloudflare just go mad or something?

You should be able to add your own CAA record. I have a few of my own. You’ll most likely need two CAA records for Amazon: One for the domain, and one for the wildcard.

Can you post a screenshot of the CAA record(s) you’re adding for Amazon?
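To check what a CAA record set actually permits for a given CA, both for the hostname itself (issue) and for the wildcard (issuewild), here is an added shell example; it is not from this thread or from Cloudflare. It parses dig-style answer lines (the constructed sample below stands in for `dig +noall +answer example.com CAA`) and applies the RFC 8659 rules; the CA identifier `amazon.com` is assumed for illustration, so check the CA's own documentation for the identifiers it publishes.

```shell
#!/bin/sh
# Constructed sample of `dig +noall +answer <zone> CAA` output (not real records).
# Field layout: name ttl IN CAA flags tag "value"
SAMPLE_CAA='example.com. 300 IN CAA 0 issue "digicert.com"
example.com. 300 IN CAA 0 issue "letsencrypt.org"
example.com. 300 IN CAA 0 issuewild "digicert.com"
example.com. 300 IN CAA 0 issuewild "letsencrypt.org"'
ISSUE_ONLY='example.net. 300 IN CAA 0 issue "digicert.com"'
DENY_ALL='example.org. 300 IN CAA 0 issue ";"'

# caa_allows RECORDS TAG CA -> prints "yes" or "no"
# RFC 8659 semantics:
#  - no record with TAG: for issuewild fall back to the issue records,
#    otherwise issuance is unrestricted
#  - otherwise CA must equal one of the values (parameters after ';' ignored);
#    the values "" and ";" permit no CA at all
caa_allows() {
  records=$1; tag=$2; ca=$3
  n=$(printf '%s\n' "$records" |
      awk -v t="$tag" '$4=="CAA" && $6==t {n++} END{print n+0}')
  if [ "$n" -eq 0 ]; then
    if [ "$tag" = issuewild ]; then
      caa_allows "$records" issue "$ca"; return
    fi
    echo yes; return
  fi
  vals=$(printf '%s\n' "$records" |
         awk -v t="$tag" '$4=="CAA" && $6==t {gsub(/"/,"",$7); print $7}')
  for v in $vals; do
    [ "${v%%;*}" = "$ca" ] && { echo yes; return; }
  done
  echo no
}

# Sample run: the constructed set names DigiCert and Let's Encrypt only, so a
# request to a CA identified as amazon.com (assumed identifier) is refused.
echo "issue amazon.com:        $(caa_allows "$SAMPLE_CAA" issue amazon.com)"
echo "issuewild digicert.com:  $(caa_allows "$SAMPLE_CAA" issuewild digicert.com)"
```

Against a live zone, replace the sample string with the output of `dig +noall +answer <zone> CAA`; a record whose value contains spaces (parameters) would need the awk field handling extended.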

I have no CAA records set up (as shown in the Cloudflare dashboard) and I do not want any, as I currently have no reason to limit the issuing CA. I want to get rid of those unexpected records on this domain. I also have a number of extra domains on Cloudflare, but none of them have the same issue.

It’s more secure to have CAA records, and that’s why Cloudflare has them. Do you know who Amazon uses for SSL?

You can try adding your own. One for specific hostnames, and one for wildcards:

I know what CAA records are for, but how come there are some that I didn’t set up myself?

At present I do not want them. I’m fine with my other domains that don’t have CAA records yet.

Cloudflare also adds CAA records when AMP Real URL is enabled under the Optimization tab of the Cloudflare Speed app.

Check the docs:

Thanks for the link. That sounds new to me as it wasn’t the case when I checked last time. Do you know when this breaking change was rolled out?

However, the docs still say:

Cloudflare does not append additional CAA records if Universal SSL is disabled or if no CAA records are added via the DNS app.

