It’ll be the DNS for the cloudflare.com domain that will set CAA records for
As for subdomains on your domain (ex: sni.example.com), this blog post describes how subdomains are evaluated.
At the end of the last step, the issuing CA has climbed the entire DNS tree (excluding the root) checking for CAA records. This functionality allows a domain owner to create CAA records at the root of their domain and have those records apply to any and all subdomains.
The Let’s Encrypt entries are expected according to the FAQ.
It would be useful if the page for Configuring CAA Records (sorry, I can only post 2 links):
…described how to enable CAA records if you’re not using any CAs in addition to the ones needed for Universal SSL. I didn’t see an obvious spot to provide feedback besides marking the page as “not helpful” which isn’t really the case. The page is helpful, it just needs a little more info.
@Withheld’s advice worked for me to get CAA enabled.
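To make the tree-climbing rule from the quoted blog excerpt concrete, here is an added example (not code from Cloudflare or from anyone in this thread) that implements the RFC 8659 lookup against a constructed, in-memory zone: the resolver starts at the requested name, walks up one label at a time (excluding the root), and uses the first CAA RRset it finds, so records at the apex govern every subdomain unless a closer ancestor overrides them. The zone contents, the CA names and the `legacy.example.com` override are all assumptions made for the demonstration.

```python
"""Toy CAA resolver illustrating RFC 8659 tree climbing.

The zone below is constructed for this example only; it is not live DNS.
Only the apex (example.com) and one subtree (legacy.example.com) carry CAA
records, so every other name inherits the nearest ancestor's policy.
"""

# Constructed zone: owner name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [
        (0, "issue", ";"),  # ";" means no CA may issue in this subtree
    ],
}


def climb(fqdn):
    """Yield the names a CA consults, from fqdn upward, excluding the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def relevant_caa(fqdn):
    """Return (name, records) for the closest self-or-ancestor with CAA
    records, or (None, []) when no name in the chain has any."""
    # For a wildcard request the search starts at the parent name.
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    for candidate in climb(name):
        records = ZONE.get(candidate)
        if records:
            return candidate, records
    return None, []


def ca_may_issue(fqdn, ca_domain):
    """Decide whether ca_domain may issue a certificate for fqdn.

    Wildcard requests use 'issuewild' when present, else fall back to
    'issue'. A relevant RRset that carries neither tag (e.g. only iodef)
    imposes no issuance restriction.
    """
    _, records = relevant_caa(fqdn)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    tag = "issue"
    if fqdn.startswith("*.") and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    restricting = [v for _, t, v in records if t == tag]
    if not restricting:
        return True
    # Strip optional ";key=value" parameters; a bare ";" yields the empty
    # string, which matches no CA and therefore forbids issuance.
    allowed = {v.split(";")[0].strip() for v in restricting}
    return ca_domain in allowed


if __name__ == "__main__":
    checks = [
        ("sni.example.com", "letsencrypt.org"),
        ("sni.example.com", "other-ca.example"),
        ("*.example.com", "digicert.com"),
        ("app.legacy.example.com", "letsencrypt.org"),
    ]
    for name, ca in checks:
        verdict = "allowed" if ca_may_issue(name, ca) else "denied"
        print(f"{ca} for {name}: {verdict}")
```

Running the script shows the apex policy applying to `sni.example.com`, the `issuewild` record narrowing wildcard issuance to a single CA, and the `legacy.example.com` record shadowing the apex for everything beneath it; the same walk is what an auditor would reproduce with `dig CAA` at each label when verifying a deployment.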