Create CAA record on a free plan? (pointed to as CNAME)
I've read the following information at https://sslmate.com/caa/about:
"If a domain name is a CNAME (also known as an alias) for another domain, then the certificate authority looks for the CAA record set at the CNAME target (just like any other DNS lookup). If no CAA record set is found, the certificate authority continues searching parent domains of the original domain name.
For example, if blog.example.com is a CNAME for blogprovider.example, then the certificate authority looks for CAA record sets in the following order:
- blogprovider.example
- example.com"
In my scenario my own Pages app doesn't seem to specify any CAA records, which I find odd; I would have expected some to be present, as mentioned at https://developers.cloudflare.com/ssl/edge-certificates/caa-records/#caa-records-added-by-cloudflare:
"Cloudflare adds CAA records automatically in two situations:
When you have Universal SSL or advanced certificates and add any CAA records to your zone.
When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges."
1) Isn't CF pages using universal SSL behind the scenes?
2) Is there a way for me to create CAA records on a free plan?
24 Replies
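The lookup order quoted in the post above, as an added example that is not part of the original thread and not code from Cloudflare or SSLMate: a small Python model of the CAA search a CA performs (RFC 8659), run over a constructed in-memory zone. SAMPLE_DNS, the host names and the record values are made up for illustration; pki.goog and letsencrypt.org are the CAA identifiers Google Trust Services and Let's Encrypt publish, used here as sample data.

```python
"""Model of the CAA lookup a CA performs (RFC 8659), run over constructed DNS data.

Added example; SAMPLE_DNS is made up for illustration and is not a real zone.
"""
from typing import Dict, List, Tuple

CaaRecord = Tuple[int, str, str]   # (flags, tag, value) as in a CAA RR
Zone = Dict[str, Dict[str, list]]  # fqdn -> {"CNAME": [...], "CAA": [...], ...}

# Constructed sample data mirroring the quoted scenario: blog.example.com is a
# CNAME to blogprovider.example, which has no CAA, so the search climbs to the
# parent of the *original* name. pki.goog is the CAA identifier Google Trust
# Services publishes; letsencrypt.org is Let's Encrypt's.
SAMPLE_DNS: Zone = {
    "blog.example.com.": {"CNAME": ["blogprovider.example."]},
    "blogprovider.example.": {"A": ["192.0.2.10"]},
    "example.com.": {"CAA": [(0, "issue", "pki.goog"),
                             (0, "issue", "letsencrypt.org; validationmethods=dns-01")]},
    "www.example.com.": {"CAA": [(0, "issue", ";")]},   # ';' forbids all issuance
}


def _fqdn(name: str) -> str:
    return name.rstrip(".").lower() + "."


def _follow_cname(name: str, dns: Zone, max_hops: int = 8) -> str:
    """Return the final target of a CNAME chain (the name itself if not an alias)."""
    cur = _fqdn(name)
    for _ in range(max_hops):          # bounded so a CNAME loop cannot hang us
        cname = dns.get(cur, {}).get("CNAME")
        if not cname:
            break
        cur = _fqdn(cname[0])
    return cur


def _parents(name: str) -> List[str]:
    """Parent domains of name, nearest first, excluding the root."""
    labels = _fqdn(name).rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))]


def caa_lookup(name: str, dns: Zone) -> Tuple[List[str], List[CaaRecord]]:
    """Find the relevant CAA RRset for name.

    Returns (names actually queried for CAA, in order; records found). For each
    candidate (the name, then its parents) CNAMEs are followed first, which is
    why the CNAME target is consulted before the original name's parent.
    """
    queried: List[str] = []
    for candidate in [_fqdn(name)] + _parents(name):
        target = _follow_cname(candidate, dns)
        queried.append(target)
        rrset = dns.get(target, {}).get("CAA", [])
        if rrset:
            return queried, list(rrset)
    return queried, []


def ca_may_issue(name: str, ca_domain: str, dns: Zone) -> bool:
    """Is ca_domain permitted to issue a non-wildcard certificate for name?

    RFC 8659: no CAA anywhere, or a CAA set with no 'issue' property, means any
    CA may issue; otherwise the CA's domain must match one 'issue' value
    (parameters after ';' are ignored, and a bare ';' matches nothing).
    """
    _, rrset = caa_lookup(name, dns)
    issue_values = [value for _flags, tag, value in rrset if tag == "issue"]
    if not issue_values:
        return True
    allowed = {v.split(";", 1)[0].strip().lower() for v in issue_values}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    order, records = caa_lookup("blog.example.com", SAMPLE_DNS)
    print("CAA lookup order:", " -> ".join(order))
    print("records:", records)
    for ca in ("pki.goog", "letsencrypt.org", "digicert.com"):
        print(f"{ca} may issue for blog.example.com:",
              ca_may_issue("blog.example.com", ca, SAMPLE_DNS))
```

Running it prints the order blogprovider.example -> example.com for blog.example.com, matching the quoted text. The practical point for the question: as long as the CNAME target publishes no CAA, whatever CAA set you put on the parent of your own name (example.com here) is the one the CA ends up honouring, so a record that omits the CA your provider actually uses will block issuance.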
"...then the certificate authority looks for the CAA record set at the CNAME target (just like any other DNS lookup)"
Keeping in mind that with Pages by default the custom domain is proxied, meaning externally there's no CNAME visible and it'd just be the subdomain and then the root if none exists
"In my scenario my own pages app doesn't seem to specify any CAA records, which I find odd, I would have expected some to be present as mentioned at:"
I don't get how that's odd when it states they're only added in two situations
"1) Isn't CF pages using universal SSL behind the scenes?"
The pages.dev uses Universal, Pages Custom Domains use CF for SaaS SSL
"2) Is there a way for me to create CAA records on a free plan?"
Yea you just create them on your zone as normal, and as the docs you linked say, the second you create one of your own CF will invisibly start serving their own CAA records to ensure you can't break Universal SSL/itself
I've been following the topic on the forums and chatting to a few MVPs about it now
We should have CAAs there afaik, I'm not fully sure why we don't and this is not my area of expertise. Others would know more so chatting with them now
You mean on the root of the pages.dev?
either the root pages.dev or the ltzs neither seem to expose CAAs for some reason
I'd fully expect to have them auto-exposed by CF
The docs say though pretty clearly
Cloudflare adds CAA records automatically in two situations: When you have Universal SSL or advanced certificates and add any CAA records to your zone. When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges.
huh, TIL - those are weird situations to add them in
I thought adding your own overrode CF
makes sense though. It's basically if you are using CF SSL + add any CAA records OR you use one of those features which require special cansignhttpexchanges flags
Even if they got added on the pages.dev (which might make sense for security/the fact it uses a limited set of authorities), since the cname is proxied by default it wouldn't do anything on custom domains
sure but for external dns (like here) it'd be helpful
@Chaika "Keeping in mind with Pages by default the Custom domain is proxied, meaning externally there's no cname visible and it'd just be subdomain and then root if none exists" I have an external DNS provider pointing to the CF Pages domain name using a CNAME
ahh ok, then in this case what Walshy said would be helpful. But since there is no CAA records right now on the CNAME, you should be able to just define your own on the level(s) above (for example, on the root) and they'd be used
Note that this is def. not my field of expertise 😄
nor mine haha
But yeah, i think this is where you'll just need to add them
"But yeah, i think this is where you'll just need to add them"
it's a good FR for us to have them by default but not something I think we'll see short-term
On the external DNS provider right?
(we'd need buy in from dns & ssl teams to special case Pages and that's a whole thing)
yes
where you have your existing CAA record, add another one for GTS
GTS and Let's Encrypt right?
I think only those 2 are being used currently
you should only need GTS these days but let me verify you are on GTS
I did see we have GTS now but I also read somewhere that certificates are issued for a 90-day period?
yes
For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs features, limitations, and browser compatibility.
https://developers.cloudflare.com/ssl/reference/certificate-authorities/
So it's possible to move over from GTS to Let's Encrypt after 90 days right?
yes you're using GTS right now
no
you'll stick to one CA unless we completely re-issue, which won't happen (we've also moved majorly to GTS except for a few special cases)
you can still add both GTS & LE for safety if you want though
Ah good to know, thanks for the quick help, really appreciate it!
Quick follow up question, can you confirm TCP is being used by CF to check the CNAME being set correctly: https://community.cloudflare.com/t/pages-custom-subdomain-cname-not-working/703060/2?u=jeroen.druwe?
If so I also need to align with our external team