Cloudflare CAA record for sni.cloudflaressl.com

Hello,
In the docs I have read that I should set:
example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"

But does this also cover the new certificates issued from "sni.cloudflaressl.com"? And if not, can I simply add:
example.com. IN CAA 0 issue "sni.cloudflaressl.com"

Thanks for your help

These aren't directly related. CAA records indicate which certificate vendors can issue certificates; the SNI Cloudflare certificates are not signed by Cloudflare and are instead signed by a third-party vendor such as comodoca.com (and Cloudflare controls these CAA records).

One other note: you no longer need to add the CAA records required by Cloudflare if you use Cloudflare's DNS service; Cloudflare does this automatically. But you might still need to create a record for letsencrypt.org.

4 Likes

With Cloudflare's certificates, the only record you'd need to create is the Incident Object Description Exchange Format (iodef) one, which is used for reporting.

0 iodef mailto:[email protected]_domain.com

3 Likes

To add: Even though Cloudflare runs Cloudflare Inc ECC CA-2, the certificate is co-signed by DigiCert (Baltimore CyberTrust Root) so it’s covered by the digicert.com CAA.

The LetsEncrypt CAA record was just recently added so maybe we’ll see free letsencrypt multiple-level-down certificates in the future.

2 Likes

Is Cloudflare now adding Lets Encrypt’s CAA record automatically? I hadn’t noticed, but I wouldn’t/couldn’t as I have manually specified it for all of my domains that have a CAA record at all. Most interesting.

Can’t say how retroactive it is, but creating only a CAA iodef record does show that CF is injecting the LE CAA.

It is retroactive. Makes sense; keep in mind Cloudflare doesn't have zone files, rather, DNS responses are created on the fly.

2 Likes

It’ll be the DNS for the cloudflare.com domain that will set CAA records for sni.cloudflare.com, right?

As for subdomains on your domain (ex: sni.example.com), this blog post describes how subdomains are evaluated.

At the end of the last step, the issuing CA has climbed the entire DNS tree (excluding the root) checking for CAA records. This functionality allows a domain owner to create CAA records at the root of their domain and have those records apply to any and all subdomains.

The Let’s Encrypt entries are expected according to the FAQ.

It would be useful if the page for Configuring CAA Records (sorry, I can only post 2 links):

https://support.cloudflare.com/hc/en-us/articles/115000310792-Configuring-CAA-Records-?flash_digest=9647552117c29cff6b1afd6c32caf399950e20cb

…described how to enable CAA records if you’re not using any CAs in addition to the ones needed for Universal SSL. I didn’t see an obvious spot to provide feedback besides marking the page as “not helpful” which isn’t really the case. The page is helpful, it just needs a little more info.

@Withheld’s advice worked for me to get CAA enabled.

2 Likes
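The tree climb quoted above (check the name, then each parent up to the TLD, and let the first CAA set found decide) and the issue/issuewild precedence from RFC 8659 can be exercised offline. The following is an added example, not code from the thread or from Cloudflare: it uses a constructed in-memory zone in place of real DNS lookups, so the record contents are assumptions for illustration.

```python
# Constructed zone data standing in for DNS answers: owner name -> list of
# (flags, tag, value) CAA records. No record set exists for "com." or the root.
ZONE = {
    "example.com.": [
        (0, "issue", "comodoca.com"),
        (0, "issue", "digicert.com"),
        (0, "issue", "letsencrypt.org; validationmethods=dns-01"),
        (0, "issuewild", "digicert.com"),
        (0, "iodef", "mailto:caa-reports@example.com"),   # reporting only, not a restriction
    ],
    # ";" as the issue value means: no CA may issue for this name at all.
    "strict.example.com.": [(0, "issue", ";")],
}

def climb(name):
    """Yield name and every ancestor except the root, e.g. a.example.com. -> example.com. -> com."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."

def relevant_caa(name, zone=ZONE):
    """Return (owner, rrset) for the first non-empty CAA set found while climbing the tree.
    This is why records at the zone apex apply to every subdomain that has none of its own."""
    for candidate in climb(name):
        rrset = zone.get(candidate)
        if rrset:
            return candidate, rrset
    return None, []

def ca_may_issue(ca_domain, name, wildcard=False, zone=ZONE):
    """Decide whether a CA identified by ca_domain may issue for name (or *.name if wildcard)."""
    _, rrset = relevant_caa(name, zone)
    if not rrset:
        return True                      # no CAA anywhere up the tree: issuance is unrestricted
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # For a wildcard request, issuewild replaces issue when present; otherwise issue applies.
    # For a non-wildcard request, issuewild is ignored entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                      # e.g. an iodef-only set restricts nothing
    # The CA domain is the part before any ";" parameters; an empty domain (";") matches no CA.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in applicable)

if __name__ == "__main__":
    print(relevant_caa("sni.example.com"))                       # apex set applies to the subdomain
    print(ca_may_issue("digicert.com", "sni.example.com"))       # True
    print(ca_may_issue("comodoca.com", "example.com", wildcard=True))  # False: not in issuewild
```

Note that a CAA "issue" value names a CA, so a line such as `issue "sni.cloudflaressl.com"` never matches any issuer and only has effect if that hostname were itself a CA's identifier.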
