New Universal SSL CAA pki.goog?

I’ve noticed on my domains it seems like Cloudflare is using a new CAA called pki.goog.

I use Universal SSL on all my domains. The article https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ states

The following DNS records are automatically set if you continue to use Cloudflare’s free Universal SSL certificates:

example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"

but mine look like this

example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com; cansignhttpexchanges=yes"
example.com. IN CAA 0 issuewild "letsencrypt.org"
example.com. IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"

I haven’t added any CAA records myself (just a 0 iodef record which I’ve omitted here). So I’m guessing the article is just out of date (hopefully)? I’m not sure how to update it - at the bottom it asks if the article was helpful, and I clicked no, but it didn’t ask me to provide feedback after I did.

I bet that’s for AMP or SXG. Have you enabled either of those?


Thanks, I think you’re right. I’m not using AMP Real URL, but I did turn SXG on. The article says it’s supposed to modify the digicert records but doesn’t say anything about the pki.goog records: https://support.cloudflare.com/hc/en-us/articles/4411075595661-Automatic-Signed-Exchanges-SXGs-Beta-FAQ

example.com.		XXXX	IN	CAA	0 issue "digicert.com; cansignhttpexchanges=yes"
example.com.		XXXX	IN	CAA	0 issuewild "digicert.com; cansignhttpexchanges=yes"

Maybe that’s a recent change. The feature is in beta, after all. Thanks for your help.

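An added example, not code from the thread or from Cloudflare: a small Python parser for CAA records in the zone-file form quoted above. It pulls out the `cansignhttpexchanges` parameter and flags any CA that is not in the set the support article lists for plain Universal SSL, which is the check a domain owner would run to confirm exactly who may issue certificates (and sign exchanges) for the zone. The record set is constructed from the records posted in this thread.

```python
import re

# Constructed sample: the CAA set the poster saw after enabling SXG
# (same zone-file shape as in the thread; TTL optional).
OBSERVED_CAA = """\
example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com; cansignhttpexchanges=yes"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com; cansignhttpexchanges=yes"
example.com. IN CAA 0 issuewild "letsencrypt.org"
example.com. IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
"""

# CAs the support article lists for Universal SSL without SXG.
EXPECTED_UNIVERSAL_SSL = {"comodoca.com", "digicert.com", "letsencrypt.org"}

# name [ttl] IN CAA flags tag "value"; the ttl may be a placeholder like XXXX
CAA_LINE = re.compile(r'^(\S+)\s+(?:\S+\s+)?IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$')

def parse_caa_value(value):
    """Split 'pki.goog; cansignhttpexchanges=yes' into the CA domain and its parameters."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params

def parse_caa_zone(text):
    """Parse zone-file style CAA lines into dicts; reject anything that is not a CAA record."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line}")
        name, flags, tag, value = m.groups()
        ca, params = parse_caa_value(value)
        records.append({"name": name, "flags": int(flags), "tag": tag.lower(), "ca": ca, "params": params})
    return records

def audit_caa(records, expected):
    """Which CAs may issue, which may also sign HTTP exchanges, and which were not expected."""
    issue = [r for r in records if r["tag"] in ("issue", "issuewild")]
    issuers = {r["ca"] for r in issue}
    sxg = {r["ca"] for r in issue if r["params"].get("cansignhttpexchanges") == "yes"}
    return {"issuers": issuers, "sxg_signers": sxg, "unexpected": issuers - set(expected)}
```

Running `audit_caa(parse_caa_zone(OBSERVED_CAA), EXPECTED_UNIVERSAL_SSL)` on the sample reports pki.goog as the one issuer outside the Universal SSL set and digicert.com plus pki.goog as the CAs allowed to sign exchanges.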
