DNS CAA records on wire don't match control panel

I have three CAA records defined: one for my domain (swynwyr.com) and two for hosts in that domain (www and bifrost). In the Cloudflare DNS dashboard, all three are set to limit authorization to letsencrypt.org:

However, when I query DNS, the host name records are correct but the domain record trusts a wider set of authorities:

$ dig bifrost.swynwyr.com caa +short
0 issue "letsencrypt.org"
$ dig www.swynwyr.com caa +short
0 issue "letsencrypt.org"
$ dig swynwyr.com caa +short
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
$

Why is this record different on the wire from what the control panel shows? How can I restrict swynwyr.com as I’ve done with bifrost.swynwyr.com and www.swynwyr.com?

Any PTRs appreciated!

Welcome to the Cloudflare Community.

This is explained here:

1 Like
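
A check for the mismatch reported in the question, as an added example that is not part of the original thread: it parses `dig <name> caa +short` output and lists issuers published on the wire that are absent from the intended policy. The function names are this example's own, and the embedded sample is copied from the apex query output quoted in the question.

```python
import re

# Sample input: the `dig swynwyr.com caa +short` output quoted in the question.
APEX_DIG_OUTPUT = '''\
0 issue "comodoca.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issue "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "comodoca.com"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issuewild "letsencrypt.org"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
'''

# Presentation format of a CAA record: <flags> <tag> "<value>"
CAA_LINE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"(.*)"$')

def parse_caa(dig_short_output):
    """Return {tag: set(issuer domains)} from `dig <name> caa +short` text."""
    issuers = {}
    for line in dig_short_output.splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            continue  # blank line, CNAME hop, or a format this example does not handle
        tag = m.group(2).lower()
        # The value is "<issuer-domain>[; name=value ...]"; only the domain matters here.
        domain = m.group(3).split(";", 1)[0].strip().lower()
        issuers.setdefault(tag, set()).add(domain)
    return issuers

def unexpected_issuers(dig_short_output, allowed):
    """Return {tag: sorted issuers} present on the wire but not in `allowed`."""
    allowed = {a.lower() for a in allowed}
    found = parse_caa(dig_short_output)
    drift = {}
    for tag in ("issue", "issuewild"):
        # An empty issuer domain (value ";") authorizes no CA, so it is never drift.
        extra = sorted(found.get(tag, set()) - allowed - {""})
        if extra:
            drift[tag] = extra
    return drift

if __name__ == "__main__":
    for tag, extra in unexpected_issuers(APEX_DIG_OUTPUT, {"letsencrypt.org"}).items():
        print(f"{tag}: unexpected {', '.join(extra)}")
```
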
