CNAME record conflicts with CAA record

xavier02

Hi everyone,

On DirectAdmin v. 1.672, when trying to add a CNAME record in a DNS zone of a domain for www, an error occurs with no clear explanation. Another CAA record is also present for www. When removing that CAA record, I am able to create my CNAME record fine. It also fails the other way around: it is impossible to add a CAA record on www when the CNAME record is already present for that name.

I did the same test on a cPanel server and it works fine, both the CNAME and the CAA records can coexist on the same name (in this case www).

Any idea what could be causing the issue?
 
Hello,

You don't need a CAA record for www if the latter is managed as a CNAME record and a CAA record exists for the domain to which www is linked. The CAA record will be linked via the CNAME.
 
You are right, it should work.

But with Sectigo, we are facing issues. Here is the answer from one of their staff members regarding certificate renewal of a domain that has a valid certificate for both domain.com and www.domain.com:

We are afraid that the CAA record check can not be skipped. Therefore, to finalize the certificate issuance, adding the CAA record for www.domain.com is mandatory.
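
An added example, not part of the thread and not DirectAdmin, cPanel or Sectigo code: a small Python model of the two DNS rules this discussion turns on, the RFC 1034 restriction that a name holding a CNAME holds no other record type, and the RFC 8659 CAA lookup, where a CAA query on an aliased name is answered from the CNAME target. The zone data, host names and function names are constructed for illustration.

```python
# Constructed sample data (not from the thread): owner name -> {type: [values]}
ZONE = {
    "domain.example.": {"CAA": ['0 issue "ca-one.example"']},
    "www.domain.example.": {"CNAME": ["edge.host.example."]},
    "edge.host.example.": {"CAA": ['0 issue "ca-two.example"']},
    "shop.domain.example.": {"CNAME": ["nocaa.host.example."]},
    "nocaa.host.example.": {"A": ["192.0.2.10"]},
    "host.example.": {"CAA": ['0 issue "ca-three.example"']},
}

def cname_conflicts(zone):
    """Names holding a CNAME plus any other type (RFC 1034, section 3.6.2).
    DNSSEC types, which are allowed beside a CNAME, are not modelled here."""
    return sorted(n for n, rr in zone.items() if "CNAME" in rr and len(rr) > 1)

def query_caa(zone, name, max_hops=8):
    """CAA answer for `name` as a resolver returns it: aliases are chased first."""
    for _ in range(max_hops):
        rrsets = zone.get(name, {})
        if "CNAME" not in rrsets:
            return rrsets.get("CAA", [])
        name = rrsets["CNAME"][0]
    raise RuntimeError("CNAME chain too long or looping")

def relevant_caa(zone, fqdn):
    """RFC 8659, section 3: climb from fqdn toward the root and stop at the
    first name whose CAA query is non-empty. Only the requested name's
    ancestors are climbed, never the ancestors of a CNAME target."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        answer = query_caa(zone, candidate)
        if answer:
            return candidate, answer
    return None, []

if __name__ == "__main__":
    for host in ("www.domain.example.", "shop.domain.example."):
        print(host, "->", relevant_caa(ZONE, host))
    print("CNAME conflicts:", cname_conflicts(ZONE))
```

In this model `www` gets its CAA set through the alias, while `shop`, whose target publishes no CAA, falls back to the CAA at `domain.example.`.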
 