Please stop create CAA records automatically, your honor CloudFlare

My domain is typeboom.com,
Today i attempted to purchase a https certificate from globalsign, but, their system rejcted me by the message of :

CAA Failed: …

And i dig

➜  ~ dig typeboom.com caa

; <<>> DiG 9.10.6 <<>> typeboom.com caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17414
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;typeboom.com.			IN	CAA

;; ANSWER SECTION:
typeboom.com.		1491	IN	CAA	0 issue "comodoca.com"
typeboom.com.		1491	IN	CAA	0 issue "letsencrypt.org"
typeboom.com.		1491	IN	CAA	0 issue "digicert.com; cansignhttpexchanges=yes"
typeboom.com.		1491	IN	CAA	0 issuewild "digicert.com; cansignhttpexchanges=yes"
typeboom.com.		1491	IN	CAA	0 issuewild "letsencrypt.org"
typeboom.com.		1491	IN	CAA	0 issuewild "comodoca.com"

;; Query time: 42 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Wed Sep 08 22:41:13 CST 2021
;; MSG SIZE  rcvd: 297

➜  ~

Seems CloudFlare authorized only there Certificate Authority defaultly:

  • DigiCert
  • Let’s Encrypt
  • Sectigo

My questions are:

  • Why did you must create the CAA records automatically?
  • My domain i never created any CAA before, is that will causing any problem when CloudFlare generate the so-called universal SSL?
  • WILL NOT that be harmful to Neutrality of CloudFlare?
  • WILL NOT that be some violation of antitrust, and unfair competition?

Hopefully CloudFlare will only reply the code for this was a bug.

I’ve just tested a random selection of 400 domains I’ve got within my Cloudflare account and none of which have CAA’s automatically added to them even with universal SSL enabled.

Is there a possibility someone else added it for you? I find it very odd that it was done by Cloudflare themselves.

The 3 providers added are used by Cloudflare for the Universal SSL service and no way limit you to adding something else? I don’t see how you can connect this to anything harmful when it’s a free service :slight_smile:

I wanna use some China OCSP certificate which globalsign can offer but the three listed in cloudflare-CAA can’t.

Is there a possibility someone else added it for you?

That must be created by cloudflare because my domain NS management dashboard, all those CAA are invisible and can’t be deleted.

That’s fine, since you can just add your own CAA record for globalsign :slight_smile:

Yes, after i figure out all the questions above