Create CAA record on a free plan? (pointed to as CNAME)

I've red following information at https://sslmate.com/caa/about: "If a domain name is a CNAME (also known as an alias) for another domain, then the certificate authority looks for the CAA record set at the CNAME target (just like any other DNS lookup). If no CAA record set is found, the certificate authority continues searching parent domains of the original domain name. For example, if blog.example.com is a CNAME for blogprovider.example, then the certificate authority looks for CAA record sets in the following order: - blogprovider.example - example.com" In my scenario my own pages app doesn't seem to specify any CAA records, which I find odd, I would have expected some to be present as mentioned at: https://developers.cloudflare.com/ssl/edge-certificates/caa-records/#caa-records-added-by-cloudflare: "Cloudflare adds CAA records automatically in two situations: When you have Universal SSL or advanced certificates and add any CAA records to your zone. When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges." 1) Isn't CF pages using universal SSL behind the scenes? 2) Is there a way for me to create CAA records on a free plan?
24 Replies
Chaika
Chaika•4mo ago
hen the certificate authority looks for the CAA record set at the CNAME target (just like any other DNS lookup)
Keeping in mind with Pages by default the Custom domain is proxied, meaning externally there's no cname visible and it'd just be subdomain and then root if none exists
In my scenario my own pages app doesn't seem to specify any CAA records, which I find odd, I would have expected some to be present as mentioned at:
I don't get how that's odd when it states they're only added in two situations
1) Isn't CF pages using universal SSL behind the scenes?
The pages.dev uses Universal, Pages Custom Domains use CF For SaaS SSL
2) Is there a way for me to create CAA records on a free plan?
Yea you just create them on your zone as normal, and as the docs you linked say, the second you create one of your own CF will invisiblity start serving their own CAA records to ensure you can't break universal ssl/itself
Walshy
Walshy•4mo ago
I've been following the topic on the forums and chatting to a few MVPs about it now We should have CAAs there afaik, I'm not fully sure why we don't and this is not my area of expertise. Others would know more so chatting with them now
Chaika
Chaika•4mo ago
You mean on the root of the pages.dev?
Walshy
Walshy•4mo ago
either the root pages.dev or the ltzs neither seem to expose CAAs for some reason
$ dig CAA +short test-dcz.pages.dev
$ dig CAA +short pages.dev
$ dig CAA +short walshy.dev
0 issuewild "comodoca.com"
0 issue "letsencrypt.org"
0 issuewild "ssl.com"
0 issuewild "letsencrypt.org"
0 issue "comodoca.com"
0 issue "ssl.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issue "pki.goog; cansignhttpexchanges=yes"
$ dig CAA +short test-dcz.pages.dev
$ dig CAA +short pages.dev
$ dig CAA +short walshy.dev
0 issuewild "comodoca.com"
0 issue "letsencrypt.org"
0 issuewild "ssl.com"
0 issuewild "letsencrypt.org"
0 issue "comodoca.com"
0 issue "ssl.com"
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issue "pki.goog; cansignhttpexchanges=yes"
I'd fully expect to have them auto-exposed by CF
Chaika
Chaika•4mo ago
The docs say though pretty clearly
Cloudflare adds CAA records automatically in two situations: When you have Universal SSL or advanced certificates and add any CAA records to your zone. When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges.
Walshy
Walshy•4mo ago
huh, til - that's weird situations to add them I thought adding your own overrode CF
Chaika
Chaika•4mo ago
makes sense though. It's basically if you are using CF SSL + add any CAA records OR you use one of those features which require special cansignhttpexchanges flags Even if they got added on the pages.dev (which might make sense for security/the fact it uses a limited set of authorities), since the cname is proxied by default it wouldn't do anything on custom domains
Walshy
Walshy•4mo ago
sure but for external dns (like here) it'd be helpful
jdruwe
jdruweOP•4mo ago
@Chaika "Keeping in mind with Pages by default the Custom domain is proxied, meaning externally there's no cname visible and it'd just be subdomain and then root if none exists" I have an exteral DNS provider pointing to the CF pages domain name using a CNAME
jdruwe
jdruweOP•4mo ago
No description
Chaika
Chaika•4mo ago
ahh ok, then in this case what Walshy said would be helpful. But since there is no CAA records right now on the CNAME, you should be able to just define your own on the level(s) above (for example, on the root) and they'd be used
jdruwe
jdruweOP•4mo ago
Note that this is def. not my field of expertise 😄
Walshy
Walshy•4mo ago
nor mine haha But yeah, i think this is where you'll just need to add them
jdruwe
jdruweOP•4mo ago
"But yeah, i think this is where you'll just need to add them"
Walshy
Walshy•4mo ago
it's a good FR for us to have them by default but not something I think we'll see short-term
jdruwe
jdruweOP•4mo ago
On the external DNS provider right?
Walshy
Walshy•4mo ago
(we'd need buy in from dns & ssl teams to special case Pages and that's a whole thing) yes where you have your existing CAA record, add another one for GTS
jdruwe
jdruweOP•4mo ago
GTS and Let's Encrypt right? I think only those 2 are being used currently
Walshy
Walshy•4mo ago
you should only need GTS these days but let me verify you are on GTS
jdruwe
jdruweOP•4mo ago
I did see we have GTS now but I also read somewhere certificates are issued for 90 days period?
Walshy
Walshy•4mo ago
yes
jdruwe
jdruweOP•4mo ago
For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs features, limitations, and browser compatibility. https://developers.cloudflare.com/ssl/reference/certificate-authorities/ So it's possible to move over from GTS to lets encrpyt after 90 days right?
Walshy
Walshy•4mo ago
yes you're using GTS right now no you'll stick to one CA unless we completely re-issue which won't happen (we've also moved majorily to GTS unless of a few special cases) you can still add both GTS & LE for safety if you want though
jdruwe
jdruweOP•4mo ago
Ah good to know, thanks for the quick help, really appreciate it! Quick follow up question, can you confirm TCP is being used by CF to check the CNAME being set correctly: https://community.cloudflare.com/t/pages-custom-subdomain-cname-not-working/703060/2?u=jeroen.druwe? If so I also need to align with our external team
Want results from more Discord servers?
Add your server