How to clear all CAA records on a domain?

I'm trying to issue/buy a new certificate from GoDaddy, but I'm encountering an issue which GoDaddy forwards to the DNS provider, in my case Cloudflare.
I need to clear all CAA records for my domain, but this is not possible in the dashboard. Can support help me?

Here is the resource from GoDaddy:

Hi there,

Cloudflare manages CAA records on your behalf for the issuing of universal certificates, unless you add them yourself.
This means that if you have no CAA records in your dashboard, and Universal SSL, SXG, or AMP is enabled, Cloudflare might create them (but they won’t show in your DNS tab). Disable all those features and the Cloudflare-generated CAAs will be deleted.

Edit: corrected and added some relevant information

Take care.


According to the relevant documentation, Cloudflare adds CAA records automatically when Universal SSL is enabled and any CAA records have been added to the zone. Manually adding Cloudflare CAA records should never be necessary.

Redacted


Hi @mcorreia, thanks for replying.
There are multiple active CAA records for my domain, but I have no CAA records in my DNS records tab, so how do I “clean” these and “start over”?

Hi there,

As stated, these records are required for Universal SSL to operate under given circumstances, so if you want to keep using universal certificates, you should leave them as they are.
If you disable Universal SSL, they should automatically be deleted.

Take care.

Thanks for the fast reply @mcorreia, I have now disabled both Universal SSL and AMP.
I have been waiting for +6 hours, but the CAA records are still active and preventing me from issuing a GoDaddy certificate.

Hi there,

I’ll open a ticket on your behalf, so we can check together what’s going on.

Take care.


Hi there,

Just a small correction here if anyone in the future comes across this thread and has the same problem.

If you currently have Cloudflare CAAs it must mean you have one or several of the following features enabled: AMP, SXG, Universal SSL.

In this case, without sharing too much, the affected zone was downgraded to free, but for some reason SXG was left enabled but invisible to the user. Then, since the zone was free, there was no way to disable it, meaning that nothing the user could do would delete the CAA records.

This made me reconsider my previous statements in this post, and I’ll be redacting some so as not to lead someone else into error.
I had submitted a correction to the documentation pointed to by @epic.network, but the fact that this can happen made me cancel my merge on the documentation until I get a full picture of what happened.

Take care.


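Because the Cloudflare-generated CAA records discussed in this thread do not appear in the DNS tab, the published record set has to be read from DNS itself (for example with `dig +short CAA <domain>`) and then evaluated the way a CA would. The following is an added example, not code from the thread or from Cloudflare: it applies the RFC 8659 issuance rules to such output, and the sample records, the `godaddy.com` issuer identifier and the set of tags the CA is assumed to understand are all assumptions to confirm against the CA's own documentation.

```python
import re

# One CAA record in presentation format: <flags> <tag> "<value>"
_CAA = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?([^"]*)"?\s*$')

# Assumption: tags the checking CA understands (a real CA may know more).
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample of `dig +short CAA` output for a zone where the CAA
# records were generated for it and none name the CA the owner wants to use.
SAMPLE = [
    '0 issue "letsencrypt.org"',
    '0 issuewild "letsencrypt.org"',
    '0 issue "digicert.com; cansignhttpexchanges=yes"',
    '0 issuewild "digicert.com; cansignhttpexchanges=yes"',
]

def parse_caa(lines):
    """Return (flags, tag, value) tuples, skipping lines that do not parse."""
    records = []
    for line in lines:
        m = _CAA.match(line)
        if m:
            flags, tag, value = m.groups()
            records.append((int(flags), tag.lower(), value.strip()))
    return records

def issuer_of(value):
    """Issuer domain is the text before any ';' parameters; it may be empty."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(lines, ca_domain, wildcard=False):
    """Apply RFC 8659 rules to the relevant RRset for one CA identifier."""
    records = parse_caa(lines)
    # Critical bit (128) on a tag the CA does not understand forbids issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [issuer_of(v) for _, t, v in records if t == "issue"]
    issuewild = [issuer_of(v) for _, t, v in records if t == "issuewild"]
    # issuewild, when present, replaces issue for wildcard requests only.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # only iodef/unknown tags, or no CAA at all: unrestricted
    # Authorizations are additive; an empty issuer (';') never matches a CA.
    return ca_domain.lower() in relevant

if __name__ == "__main__":
    for ca in ("letsencrypt.org", "godaddy.com"):
        print(ca, "allowed" if ca_may_issue(SAMPLE, ca) else "blocked")
```

The input must be the record set the CA would actually find, which per RFC 8659 is the closest CAA RRset found when climbing from the certificate name toward the root.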