Hi.

I'm seeing the same at this end using Dig. Did you read this article:
https://developers.cloudflare.com/ssl/edge-certificates/caa-records/

CAA records added by Cloudflare

Cloudflare adds CAA records automatically in two situations:

- When you have Universal SSL enabled and add any CAA records to your zone.
- When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges.

These records make sure Cloudflare can still issue Universal certificates on your behalf.

If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare (replacing example.com with your own domain on Cloudflare):

Sounds like that is what is happening here.

Andrew.

-----Original Message-----
From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Wednesday, June 26, 2024 6:15 PM
To: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Cc: David Mehler <dave.mehler@gmail.com>
Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?

Hello,

Thanks for your reply. Here's what is in my Cloudflare record on their site:

Type CAA
name davemehler.com
flags it has 0 with no way to edit
tag allow only specific hostnames
CA domain name letsencrypt.org

That's what is in the record stuff I entered.
On the main page it shows:

CAA davemehler.com 0 issue letsencrypt.org

and here's dig output, different order something is wrong:

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "ssl.com"

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"

Thanks.
Dave.

On 6/26/2024 11:53 AM, Andrew Hodgson via Blind-sysadmins wrote:
Hi.
What record did you think you added and what is a Dig coming back with?
Thanks. Andrew.
-----Original Message-----
From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Wednesday, June 26, 2024 4:48 PM
To: blind-sysadmins@lists.hodgsonfamily.org
Cc: David Mehler <dave.mehler@gmail.com>
Subject: [Blind-sysadmins] Cloudflare DNS Provider and CAA records?
Hello,
If anyone is using Cloudflare as their DNS provider and uses a CAA record please contact me? I attempted to do one on my other domain intending for only letsencrypt to be able to issue certificates for my domain, a dig check reveals many other providers that I didn't authorize.
Obviously I did something wrong.
Thanks. Dave.
--
Sent from Mozilla Thunderbird 91.13.1
_______________________________________________
Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org
To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org
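Added example, not part of the original thread: a small check for the situation discussed above. The order of records in a DNS answer is not significant, so it compares two of the quoted `host` answers as sets and then lists the issuers present beyond the intended one. The record lines are the thread's own output; `INTENDED` and the function names are assumptions made for this illustration.

```python
import re

# Two of the `host -t CAA davemehler.com` answers quoted in the thread above.
RUN_1 = """\
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
"""
RUN_2 = """\
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
"""
INTENDED = {"letsencrypt.org"}  # assumption: the only CA the zone owner meant to authorise
LINE = re.compile(r'^\S+ has CAA record (\d+) (\w+) "([^"]*)"$')

def parse_caa(host_output):
    """Return the CAA RRset as a set of (flags, tag, issuer, params) tuples."""
    records = set()
    for line in host_output.splitlines():
        m = LINE.match(line.strip())
        if m:
            flags, tag, value = m.groups()
            issuer, _, params = value.partition(";")
            records.add((int(flags), tag, issuer.strip().lower(), params.strip()))
    return records

def unexpected_issuers(records, intended):
    """Sorted issuer domains in issue/issuewild records outside the allowlist."""
    return sorted({r[2] for r in records
                   if r[1] in ("issue", "issuewild") and r[2] not in intended})

if __name__ == "__main__":
    a, b = parse_caa(RUN_1), parse_caa(RUN_2)
    print("same RRset:", a == b)
    print("extra issuers:", unexpected_issuers(a, INTENDED))
```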