Issue with long DNS Propagation of Removed CAA Records

What is the name of the domain?

www.retronadruk.pl

What is the issue you’re encountering

I’m experiencing an issue with DNS propagation for my domain, [yourdomain.com], managed through Cloudflare. Specifically, I removed the CAA records from the DNS settings at [time, e.g., 9:40 AM UTC], and even after more than 10 hours, these changes are not reflected globally. Despite clearing browser cache and verifying through multiple DNS tools (e.g., DNSChecker, MXToolbox), the removed CAA records still appear in the DNS results.

What steps have you taken to resolve the issue?

Here are the steps I’ve taken so far:

Removed the CAA records from the DNS settings in the Cloudflare dashboard.
Verified the DNS configuration to ensure the changes were saved correctly.
Flushed the local DNS cache on my devices.
Purged the cache from Cloudflare using the Purge Everything option.

What feature, service or problem is this related to?

DNS not responding/updating

May I ask what you need them for? To issue the SSL certificate at your origin web server for your domain, or something else? :thinking:

If your hostname is proxied :orange:, you’d always get Cloudflare’s Universal SSL certificate CAA records, which cannot be removed.

;; QUESTION SECTION:
;retronadruk.pl.                        IN      CAA

;; ANSWER SECTION:
retronadruk.pl.         0       IN      CAA     0 issue "comodoca.com"
retronadruk.pl.         0       IN      CAA     0 issue "digicert.com; cansignhttpexchanges=yes"
retronadruk.pl.         0       IN      CAA     0 issue "letsencrypt.org"
retronadruk.pl.         0       IN      CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
retronadruk.pl.         0       IN      CAA     0 issue "ssl.com"
retronadruk.pl.         0       IN      CAA     0 issuewild "comodoca.com"
retronadruk.pl.         0       IN      CAA     0 issuewild "digicert.com; cansignhttpexchanges=yes"
retronadruk.pl.         0       IN      CAA     0 issuewild "letsencrypt.org"
retronadruk.pl.         0       IN      CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"
retronadruk.pl.         0       IN      CAA     0 issuewild "ssl.com"

More helpful information:

Troubleshooting:

I want to install a new certificate on the original servers and enable the Full (Strict) option with HSTS. The CAA records are still visible on DNS checker, but in Cloudflare DNS they are all removed.
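For the origin-certificate goal in the last post, what matters is whether the CA you plan to use is named in the CAA set the reply quotes. The following is an added example, not code from the thread or from Cloudflare: it parses that dig answer section and applies the RFC 8659 `issue`/`issuewild` rule; the function names are this example's own.

```python
import re

# Answer section copied from the dig output quoted in the reply above.
DIG_ANSWER = '''\
retronadruk.pl.         0       IN      CAA     0 issue "comodoca.com"
retronadruk.pl.         0       IN      CAA     0 issue "digicert.com; cansignhttpexchanges=yes"
retronadruk.pl.         0       IN      CAA     0 issue "letsencrypt.org"
retronadruk.pl.         0       IN      CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
retronadruk.pl.         0       IN      CAA     0 issue "ssl.com"
retronadruk.pl.         0       IN      CAA     0 issuewild "comodoca.com"
retronadruk.pl.         0       IN      CAA     0 issuewild "digicert.com; cansignhttpexchanges=yes"
retronadruk.pl.         0       IN      CAA     0 issuewild "letsencrypt.org"
retronadruk.pl.         0       IN      CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"
retronadruk.pl.         0       IN      CAA     0 issuewild "ssl.com"
'''

# name, TTL, class, type, flags, tag, quoted value
CAA_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$')

def parse_caa(text):
    """Return (flags, tag, issuer_domain, params) for each CAA line in dig output."""
    records = []
    for line in text.splitlines():
        m = CAA_RE.match(line.strip())
        if not m:
            continue  # skips ';;' comments, the question line and blank lines
        flags, tag, value = int(m.group(2)), m.group(3).lower(), m.group(4)
        issuer, _, rest = value.partition(";")
        params = dict(p.strip().split("=", 1) for p in rest.split(";") if "=" in p)
        records.append((flags, tag, issuer.strip().lower(), params))
    return records

def ca_allowed(records, ca_domain, wildcard=False):
    """RFC 8659: may the CA identified by ca_domain issue for this name?"""
    issue = [r for r in records if r[1] == "issue"]
    issuewild = [r for r in records if r[1] == "issuewild"]
    # For wildcard names, issuewild (when present) replaces issue entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no applicable property: issuance is not restricted
    # A property with an empty issuer (value ";") matches no CA at all.
    return any(r[2] == ca_domain.lower() for r in relevant)

def authorized_cas(records, wildcard=False):
    """Sorted issuer domains that pass ca_allowed for this record set."""
    names = {r[2] for r in records if r[2]}
    return sorted(n for n in names if ca_allowed(records, n, wildcard))
```

Run it against fresh `dig CAA` output for the exact hostname the certificate will cover, since a CA checks the requested name first and only then its parent domains.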
