What is the name of the domain?
What is the issue you’re encountering?
After changing my domain’s nameservers to Cloudflare, my CAA record has changed from 0 issue "letsencrypt.org; validationmethods=dns-01; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/0000000000" to 0 issue "letsencrypt.org", among others.
What steps have you taken to resolve the issue?
I understand that Cloudflare adds CAA records so that it can issue certificates for use on proxied domains, but the non-restricted issue for letsencrypt.org is a security issue for me because I’m using acme-dns.
My _acme-challenge is CNAME’d to a server I don’t control, but it was previously safe because only my Let's Encrypt account could issue certificates. Now that Cloudflare has changed my CAA record to allow all Let's Encrypt accounts, the person in control of the acme-dns server could issue a certificate for my domain.
I could resolve this by not using acme-dns or by hosting my own acme-dns server, but it seems to me that I should be able to configure Cloudflare to not add its Let's Encrypt CAA. None of Cloudflare’s certs seem to come from Let's Encrypt anyway, so why is it on there?
Has anyone got any pointers please?
What feature, service or problem is this related to?
DNS records
What are the steps to reproduce the issue?
Create a CAA record in Cloudflare with validationmethods or accounturi parameters, then see in dig that the actual CAA records served up do not include these parameters.
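An added example, not part of the original post, for checking the situation described above from a defender's side: it parses CAA records in the presentation form dig prints and reports whether every letsencrypt.org issue entry is pinned to an ACME account via accounturi. The two record sets are constructed to mirror the post (the account URI is the placeholder from the post); the function names and the `audit` result keys are the example's own.

```python
import re
from typing import Dict, List, NamedTuple


class CAARecord(NamedTuple):
    flags: int
    tag: str                # issue, issuewild, iodef, ...
    ca: str                 # issuer domain from the property value
    params: Dict[str, str]  # RFC 8657 parameters (accounturi, validationmethods)


_RDATA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(rdata: str) -> CAARecord:
    """Parse one CAA record in presentation format (what dig prints)."""
    m = _RDATA_RE.match(rdata)
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    parts = [p.strip() for p in m.group(3).split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:  # everything after the CA domain is "key=value"
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip()
    return CAARecord(int(m.group(1)), m.group(2).lower(), parts[0].lower(), params)


def audit(rdatas: List[str], ca: str = "letsencrypt.org") -> Dict[str, object]:
    """Report whether every issue/issuewild entry for `ca` is pinned to an ACME
    account. A CA may issue if *any* matching entry permits it (RFC 8657), so one
    entry without accounturi makes the whole set unrestricted."""
    entries = [parse_caa(r) for r in rdatas]
    relevant = [e for e in entries if e.tag in ("issue", "issuewild") and e.ca == ca]
    unrestricted = [e for e in relevant if "accounturi" not in e.params]
    return {
        "ca_entries": len(relevant),
        "account_uris": sorted({e.params["accounturi"] for e in relevant
                                if "accounturi" in e.params}),
        "restricted": bool(relevant) and not unrestricted,
    }


# Constructed samples mirroring the post: the record at the original DNS host,
# and the record served once Cloudflare became authoritative.
ORIGINAL = ['0 issue "letsencrypt.org; validationmethods=dns-01; '
            'accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/0000000000"']
SERVED_BY_CLOUDFLARE = ['0 issue "letsencrypt.org"']

if __name__ == "__main__":
    for name, rrset in (("original", ORIGINAL), ("cloudflare", SERVED_BY_CLOUDFLARE)):
        print(name, audit(rrset))
```

To run it against live data, feed `audit` the quoted rdata strings from `dig +short CAA example.com`; a result with `restricted` False means any account at that CA can satisfy the policy.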