Unexpected CAA records appearing


#1

I’ve set a few CAA records for Let’s Encrypt on my domain shorten.ninja. However, when I check which records exist using dig, I get many more than I expect:

dig CAA shorten.ninja:

; <<>> DiG 9.10.6 <<>> CAA shorten.ninja
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11284
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;shorten.ninja.			IN	CAA

;; ANSWER SECTION:
shorten.ninja.		120	IN	CAA	0 issue "comodoca.com"
shorten.ninja.		120	IN	CAA	0 issue "digicert.com"
shorten.ninja.		120	IN	CAA	0 issue "globalsign.com"
shorten.ninja.		120	IN	CAA	0 issuewild "comodoca.com"
shorten.ninja.		120	IN	CAA	0 issuewild "digicert.com"
shorten.ninja.		120	IN	CAA	0 issuewild "globalsign.com"
shorten.ninja.		120	IN	CAA	0 issuewild "letsencrypt.org"
shorten.ninja.		120	IN	CAA	0 issue "letsencrypt.org"
shorten.ninja.		120	IN	CAA	0 iodef "mailto:[email protected]"

;; Query time: 106 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Fri Aug 17 09:32:17 MDT 2018
;; MSG SIZE  rcvd: 360

I would expect only the last 3 records to appear. Does anyone know why records for globalsign, comodoca, and digicert also appear?


#2

If you have Universal SSL enabled and add CAA records, Cloudflare automatically adds those 6 CAA records for the CAs they use for Universal SSL.

If you disable Universal SSL they should go away. (That means no HTTPS CDN services, or you’re on the business or enterprise plans and upload a custom certificate.)
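To make the effect of these extra records concrete, here is an added example (not code from the thread or from Cloudflare) that parses CAA answer lines in dig's presentation format, applies the RFC 8659 issuance rules to show which CAs the record set actually authorizes, and flags any issue/issuewild CA that is not on the allowlist you configured yourself. The sample dig output is constructed to mirror the shape of the answer section above (the owner name and the iodef address are placeholders).

```python
"""Audit a domain's CAA record set against the CAs you intended to allow.

Added example, not from the thread or from Cloudflare. The dig output
below is constructed; the owner name and iodef address are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One dig ANSWER SECTION line:  owner  TTL  IN  CAA  flags  tag  "value"
CAA_LINE = re.compile(
    r'^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+'
    r'(?P<flags>\d+)\s+(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # property tags defined in RFC 8659
CRITICAL = 0x80                                 # issuer-critical flag bit

# Constructed sample: what a zone looks like when a CDN adds its own CAs
# alongside the records the owner set for Let's Encrypt.
SAMPLE_DIG_OUTPUT = """
;; ANSWER SECTION:
example.test.\t\t120\tIN\tCAA\t0 issue "comodoca.com"
example.test.\t\t120\tIN\tCAA\t0 issue "digicert.com"
example.test.\t\t120\tIN\tCAA\t0 issue "globalsign.com"
example.test.\t\t120\tIN\tCAA\t0 issuewild "comodoca.com"
example.test.\t\t120\tIN\tCAA\t0 issuewild "digicert.com"
example.test.\t\t120\tIN\tCAA\t0 issuewild "globalsign.com"
example.test.\t\t120\tIN\tCAA\t0 issuewild "letsencrypt.org"
example.test.\t\t120\tIN\tCAA\t0 issue "letsencrypt.org"
example.test.\t\t120\tIN\tCAA\t0 iodef "mailto:caa-reports@example.invalid"
"""


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(dig_output: str) -> list[CAARecord]:
    """Extract CAA records from dig output; lines that are not CAA RRs are skipped."""
    records = []
    for line in dig_output.splitlines():
        m = CAA_LINE.match(line.strip())
        if m:
            records.append(CAARecord(int(m["flags"]), m["tag"].lower(), m["value"]))
    return records


def ca_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value, without any ';key=value' parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records: list[CAARecord], ca: str, wildcard: bool = False) -> bool:
    """RFC 8659 check: may `ca` issue a (wildcard) certificate under this RRset?

    - issuewild governs wildcard names when present, otherwise issue does;
    - no relevant property at all means any CA may issue;
    - an empty value (issue ";") authorizes nobody;
    - an unknown tag with the critical flag set forbids issuance entirely.
    """
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return any(ca_domain(r.value) == ca.lower() for r in relevant)


def authorized_cas(records: list[CAARecord]) -> set[str]:
    """Every CA domain named by an issue or issuewild property."""
    return {ca_domain(r.value) for r in records
            if r.tag in ("issue", "issuewild") and ca_domain(r.value)}


def unexpected_cas(records: list[CAARecord], expected: set[str]) -> set[str]:
    """CAs the zone authorizes that you did not put on your own allowlist."""
    return authorized_cas(records) - {c.lower() for c in expected}


if __name__ == "__main__":
    recs = parse_caa(SAMPLE_DIG_OUTPUT)
    print("records parsed:", len(recs))
    print("letsencrypt.org may issue:", may_issue(recs, "letsencrypt.org"))
    print("not on my allowlist:", sorted(unexpected_cas(recs, {"letsencrypt.org"})))
```

Feed it real output (`dig CAA yourdomain +noall +answer`) and compare `unexpected_cas` against the CAs you actually configured; a non-empty result is exactly the situation in this thread, and whether that is acceptable depends on whether you want your CDN's CAs to be able to issue for the name.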


#3

I find it odd that those records don’t show up in the zone. Cloudflare should provide some indication as to why those records exist. Thanks for the quick response!

