Hello,

If anyone is using Cloudflare as their DNS provider and uses a CAA record, please contact me. I attempted to add one on my other domain, intending for only Let's Encrypt to be able to issue certificates for my domain, but a dig check reveals many other providers that I didn't authorize.

Obviously I did something wrong.

Thanks.
Dave.

--
Sent from Mozilla Thunderbird 91.13.1
Hi.

What record did you think you added, and what is a dig coming back with?

Thanks.
Andrew.

-----Original Message-----
From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Wednesday, June 26, 2024 4:48 PM
To: blind-sysadmins@lists.hodgsonfamily.org
Cc: David Mehler <dave.mehler@gmail.com>
Subject: [Blind-sysadmins] Cloudflare DNS Provider and CAA records?

[snip]

_______________________________________________
Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org
To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org
Hello,

Thanks for your reply. Here's what is in my Cloudflare record on their site:

Type: CAA
Name: davemehler.com
Flags: it has 0, with no way to edit
Tag: allow only specific hostnames
CA domain name: letsencrypt.org

That's what is in the record, the stuff I entered. On the main page it shows:

CAA davemehler.com 0 issue letsencrypt.org

and here's the dig output, in a different order; something is wrong:

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "ssl.com"

host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"

Thanks.
Dave.

On 6/26/2024 11:53 AM, Andrew Hodgson via Blind-sysadmins wrote:
[snip]
On 26/6/24 13:14, David Mehler via Blind-sysadmins wrote:
> davemehler.com 0 issue letsencrypt.org

This seems correct, and it's similar to mine (except that mine is hosted by my own DNS server).

> and here's dig output, different order something is wrong:
> host -t CAA davemehler.com
> davemehler.com has CAA record 0 issue "ssl.com"
> [snip]

It appears that there are default records created by your DNS service provider that you haven't deleted. Have you searched for an option to remove them? Alternatively, do they let you download, edit and upload a zone file?
Hello,

Thanks. There's only the one CAA record shown.

Thanks.
Dave.

On 6/26/2024 5:54 PM, Jason J.G. White via Blind-sysadmins wrote:
[snip]
Hi.

I'm seeing the same at this end using dig. Did you read this article?

https://developers.cloudflare.com/ssl/edge-certificates/caa-records/

CAA records added by Cloudflare

Cloudflare adds CAA records automatically in two situations:

When you have Universal SSL enabled and add any CAA records to your zone.
When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges.

These records make sure Cloudflare can still issue Universal certificates on your behalf.

If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare (replacing example.com with your own domain on Cloudflare):

Sounds like that is what is happening here.

Andrew.

-----Original Message-----
From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Wednesday, June 26, 2024 6:15 PM
To: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Cc: David Mehler <dave.mehler@gmail.com>
Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?

[snip]
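The thread's lesson is that the dashboard and the resolver can disagree about a zone's CAA policy, and that a differently ordered answer is not by itself a sign of trouble. The script below is an added example written for this thread; it is not code from the list, from Cloudflare or from any CA. It parses lines in the "host -t CAA" format quoted above, applies the RFC 8659 issuance rules (issue versus issuewild, the critical flag, CA parameters such as cansignhttpexchanges), and reports every CA the published RRset authorises that is not on your intended allow-list. The sample answers are constructed for example.com and modelled on the output quoted in the thread; the domain, the allow-list and all function names are assumptions of the example, not real DNS data.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# One line of `host -t CAA <name>` output, in the format quoted in the thread:
#   example.com has CAA record 0 issue "letsencrypt.org"
HOST_LINE = re.compile(
    r'^(?P<name>\S+) has CAA record (?P<flags>\d+) (?P<tag>\S+) "(?P<value>[^"]*)"$'
)


@dataclass(frozen=True)
class CAARecord:
    name: str
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        # RFC 8659 section 4.1: flag bit 128 marks the record "issuer critical".
        return bool(self.flags & 128)

    @property
    def ca(self) -> str:
        # The issuer domain precedes the first ';'; anything after it is parameters.
        return self.value.split(";", 1)[0].strip().lower()

    @property
    def params(self) -> dict[str, str]:
        out = {}
        for part in self.value.split(";")[1:]:
            if "=" in part:
                key, val = part.split("=", 1)
                out[key.strip()] = val.strip()
        return out


def parse_host_output(text: str) -> set[CAARecord]:
    """Collect the RRset from one or more host runs. A set drops the answer
    order, which resolvers rotate between queries, so two runs compare equal."""
    records = set()
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            records.add(CAARecord(m["name"], int(m["flags"]), m["tag"], m["value"]))
    return records


def permitted_issuers(records: set[CAARecord], wildcard: bool) -> set[str]:
    """CAs allowed to issue (RFC 8659 sections 4.2 and 4.3): for wildcard names
    issuewild records win if any exist, otherwise the issue records apply.
    An empty issuer domain (the value ";") authorises nobody."""
    use_wild = wildcard and any(r.tag == "issuewild" for r in records)
    tag = "issuewild" if use_wild else "issue"
    return {r.ca for r in records if r.tag == tag and r.ca}


def audit(text: str, intended: set[str]) -> dict:
    """Compare the published RRset with the CAs you meant to authorise."""
    records = parse_host_output(text)
    allowed = permitted_issuers(records, wildcard=False)
    allowed_wild = permitted_issuers(records, wildcard=True)
    known = ("issue", "issuewild", "iodef")
    return {
        "records": len(records),
        "issue": sorted(allowed),
        "issuewild": sorted(allowed_wild),
        "unexpected": sorted((allowed | allowed_wild) - intended),
        "missing": sorted(intended - allowed),
        "parameters": {r.ca: r.params for r in records if r.params},
        # A critical record whose tag a CA does not understand blocks issuance outright.
        "unknown_critical_tags": sorted({r.tag for r in records if r.critical and r.tag not in known}),
    }


# Constructed sample answer (not real DNS data), modelled on the thread's host output.
RUN_A = """host -t CAA example.com
example.com has CAA record 0 issue "ssl.com"
example.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
example.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
example.com has CAA record 0 issuewild "comodoca.com"
example.com has CAA record 0 issue "letsencrypt.org"
example.com has CAA record 0 issuewild "ssl.com"
example.com has CAA record 0 issuewild "letsencrypt.org"
example.com has CAA record 0 issue "comodoca.com"
example.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
example.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
"""
# The same RRset as a resolver might return it on the next query: rotated order.
RUN_B = "\n".join(reversed(RUN_A.splitlines()))
# What the zone should look like once only the operator's own record remains.
CLEAN = 'example.com has CAA record 0 issue "letsencrypt.org"\n'
# A zone that forbids issuance by every CA.
DENY_ALL = 'example.com has CAA record 0 issue ";"\n'

if __name__ == "__main__":
    print("same RRset, different order:", parse_host_output(RUN_A) == parse_host_output(RUN_B))
    print(audit(RUN_A, {"letsencrypt.org"}))
    print(audit(CLEAN, {"letsencrypt.org"}))
```

Run it against the output of an external resolver rather than the provider's dashboard, since the provider-added records are exactly the ones the dashboard omits. The "unexpected" list is the set of CAs that can currently obtain a certificate for the name without your approval; "missing" is non-empty when the intended CA is locked out, which is the failure mode to check for after pruning records. Note that with no issuewild record present the wildcard policy falls back to the issue records, so a single issue record covers both cases.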
Hello,

Thanks, that sounds like exactly what is happening. Now I'm off to confirm it and fix it.

Thanks.
Dave.

On 6/26/2024 5:59 PM, Andrew Hodgson via Blind-sysadmins wrote:
[snip]
Hi.

Hope you got it fixed. What are you using Cloudflare for? I'm thinking of moving my domains away from Gandi, as I've seen a couple of things they are doing that I don't like (for example, charging extra for DNSSEC support on the domains). When I worked for a large company we were seriously looking at using their content delivery network with their reverse proxy, but that certainly wasn't a free solution, though I think some of it is at consumer-level pricing now.

Andrew.

-----Original Message-----
From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Thursday, June 27, 2024 12:39 AM
To: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Cc: David Mehler <dave.mehler@gmail.com>
Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?

[snip]
On 1/7/24 18:14, Andrew Hodgson via Blind-sysadmins wrote:
> I'm thinking of moving my domains away from Gandi as I've seen a couple of things they are doing I don't like (for example charging extra for DNSSEC support on the domains).

That's interesting. My domains are with Gandi, and I haven't been charged extra yet for DNSSEC support. Is this a new policy? A quick search didn't locate it. In my case, I'm using my own primary nameserver and not the Gandi nameservers, but I don't know whether that's relevant.

What I've read elsewhere about Cloudflare is that their DNS registration prices are excellent, but you are required to use their nameservers (that is, you can't use your own). The latter limitation ruled them out for me.
Hi.

I was talking about the Gandi DNS Security pack:
https://docs.gandi.net/en/domain_names/domain_services/security_pack.html

In an email it said it allowed configuration of DNSSEC, but I'm not sure whether that is correct after looking at the page.

Andrew.

-----Original Message-----
From: Jason J.G. White via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Tuesday, July 2, 2024 12:31 AM
To: blind-sysadmins@lists.hodgsonfamily.org
Cc: Jason J.G. White <jason@jasonjgw.net>
Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?

[snip]
Hi Andrew,

You might want to look at someone like OpenSRS for your domains. I currently host with them, but I am looking at unlimitedwebhosting.co.uk. I have several websites, but the downside to them is that you share an IP, which may impact performance a bit; still, they are quite good.

All the best
Steve

-----Original Message-----
From: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org>
Sent: Tuesday, July 2, 2024 2:23 AM
To: Mailing list for blind system administrators <blind-sysadmins@lists.hodgsonfamily.org>
Cc: Andrew Hodgson <andrew@hodgson.io>
Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?

[snip]
Hi All, OpenSRS is owned and operated by Tucows. I am an authorized reseller. If I can ever be of assistance, feel free to let me know. Kind Regards, Billy -----Original Message----- From: Steve Nutt via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Sent: Tuesday, July 2, 2024 4:09 AM To: 'Mailing list for blind system administrators' <blind-sysadmins@lists.hodgsonfamily.org> Cc: Steve Nutt <steve@comproom.co.uk> Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records? Hi Andrew, You might want to look at someone like Open SRS for your domains. I currently host with them, but I am looking at unlimitedwebhosting.co.uk. I have several websites, but the down side to them, is you share an IP, which may impact performance a bit, but they are quite good. All the best Steve -----Original Message----- From: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Sent: Tuesday, July 2, 2024 2:23 AM To: Mailing list for blind system administrators <blind-sysadmins@lists.hodgsonfamily.org> Cc: Andrew Hodgson <andrew@hodgson.io> Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records? Hi. I was talking about the Gandi DNS Security pack: https://docs.gandi.net/en/domain_names/domain_services/security_pack.html On an email it said it allowed configuration of DNSSec but I'm not sure whether that is correct after looking at the page. Andrew. -----Original Message----- From: Jason J.G. White via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Sent: Tuesday, July 2, 2024 12:31 AM To: blind-sysadmins@lists.hodgsonfamily.org Cc: Jason J.G. White <jason@jasonjgw.net> Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records? On 1/7/24 18:14, Andrew Hodgson via Blind-sysadmins wrote:
I'm thinking of moving my domains away from Gandi as I've seen a couple of things they are doing I don't like (for example charging extra for DNSSec support on the domains).
So am I. All the best Steve -----Original Message----- From: Billy Irwin via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Sent: Tuesday, July 2, 2024 12:32 PM To: Mailing list for blind system administrators <blind-sysadmins@lists.hodgsonfamily.org> Cc: Billy Irwin <billy.irwin@outlook.com> Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?
That's awesome Steve! Kind Regards, Billy -----Original Message----- From: Steve Nutt via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Sent: Tuesday, July 2, 2024 7:33 AM To: 'Mailing list for blind system administrators' <blind-sysadmins@lists.hodgsonfamily.org> Cc: Steve Nutt <steve@comproom.co.uk> Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?
Hello, Thank you for your reply. Yes, I did get it fixed: I had to turn off some Cloudflare settings so it didn't make the extra records, deleted and recreated the CAA record, and it is now working. I'm using Cloudflare for hosting my domains, pointing them to my VPS. I rather like them; they have really cut my costs. Thanks. Dave. On 7/1/2024 6:14 PM, Andrew Hodgson via Blind-sysadmins wrote:
Hi.
Hope you got it fixed. What are you using Cloudflare for? I'm thinking of moving my domains away from Gandi as I've seen a couple of things they are doing I don't like (for example charging extra for DNSSec support on the domains). When I worked for a large company we were seriously looking at using their content delivery network with their reverse proxy, but that certainly wasn't a free solution, though I think some of it is at consumer level pricing now.
Andrew.
-----Original Message----- From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Sent: Thursday, June 27, 2024 12:39 AM To: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Cc: David Mehler <dave.mehler@gmail.com> Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?
Hello,
Thanks that sounds like exactly what is happening. Now I'm off to confirm it and fix it.
Thanks. Dave.
On 6/26/2024 5:59 PM, Andrew Hodgson via Blind-sysadmins wrote:
Hi.
I'm seeing the same at this end using Dig. Did you read this article: https://developers.cloudflare.com/ssl/edge-certificates/caa-records/
CAA records added by Cloudflare
Cloudflare adds CAA records automatically in two situations:
When you have Universal SSL enabled and add any CAA records to your zone.
When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges.
These records make sure Cloudflare can still issue Universal certificates on your behalf.
If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare (replacing example.com with your own domain on Cloudflare):
Sounds like that is what is happening here.
Andrew.
-----Original Message----- From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Sent: Wednesday, June 26, 2024 6:15 PM To: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Cc: David Mehler <dave.mehler@gmail.com> Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?
Hello,
Thanks for your reply. Here's what is in my Cloudflare record on their site:
Type: CAA
Name: davemehler.com
Flags: it has 0 with no way to edit
Tag: allow only specific hostnames
CA domain name: letsencrypt.org
That's what is in the record stuff I entered. On the main page it shows:
CAA davemehler.com 0 issue letsencrypt.org
and here's the dig output; different order, something is wrong:
host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "ssl.com"
host -t CAA davemehler.com
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
Thanks. Dave.
On 6/26/2024 11:53 AM, Andrew Hodgson via Blind-sysadmins wrote:
Hi.
What record did you think you added and what is a Dig coming back with?
Thanks. Andrew.
-----Original Message----- From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Sent: Wednesday, June 26, 2024 4:48 PM To: blind-sysadmins@lists.hodgsonfamily.org Cc: David Mehler <dave.mehler@gmail.com> Subject: [Blind-sysadmins] Cloudflare DNS Provider and CAA records?
Hello,
If anyone is using Cloudflare as their DNS provider and uses a CAA record, please contact me. I attempted to do one on my other domain, intending for only letsencrypt to be able to issue certificates for my domain; a dig check reveals many other providers that I didn't authorize.
Obviously I did something wrong.
Thanks. Dave.
-- Sent from Mozilla Thunderbird 91.13.1
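A script that performs the check this thread is about, as an added example (not code from the thread, from Cloudflare or from Let's Encrypt): it parses the `host -t CAA` output pasted above (or dig's answer format), applies the RFC 8659 issue/issuewild rules, and lists every CA the RRset authorizes beyond the ones you intended. The record-format regexes, the `query_caa` helper and the `ANY` sentinel are my assumptions; the embedded sample is the first host run from the thread.

```python
"""CAA allow-list check (added example, not from the thread or Cloudflare).
Parses CAA records as printed by `host -t CAA <domain>` or by
`dig CAA <domain> +noall +answer`, derives the CAs the RRset actually
authorizes (RFC 8659 semantics), and reports any not on the intended list."""
from __future__ import annotations

import re
import subprocess
import sys
from dataclasses import dataclass

# Assumed output formats. One record as printed by `host -t CAA`:
#   davemehler.com has CAA record 0 issue "letsencrypt.org"
HOST_LINE = re.compile(
    r'^(?P<name>\S+) has CAA record (?P<flags>\d+) (?P<tag>\S+) "(?P<value>[^"]*)"$')
# ... and as printed by `dig CAA example.com +noall +answer`:
#   example.com.  300  IN  CAA  0 issue "letsencrypt.org"
DIG_LINE = re.compile(
    r'^(?P<name>\S+)\s+\d+\s+IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"$')

ANY = "*"  # sentinel: the RRset places no restriction, every CA may issue


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str                              # issue, issuewild, iodef, ...
    ca: str                               # issuer domain; "" means "no CA may issue"
    params: tuple[tuple[str, str], ...]   # key=value pairs after ';'


def parse_caa_output(text: str) -> list[CAARecord]:
    """Parse host or dig output; lines that are not CAA records are skipped."""
    records = []
    for line in text.splitlines():
        m = HOST_LINE.match(line.strip()) or DIG_LINE.match(line.strip())
        if not m:
            continue  # the echoed command, blank lines, dig comments
        ca, *raw = [p.strip() for p in m.group("value").split(";")]
        params = tuple(tuple(p.split("=", 1)) for p in raw if p)
        records.append(CAARecord(int(m.group("flags")), m.group("tag").lower(),
                                 ca.lower(), params))
    return records


def effective_issuers(records: list[CAARecord]) -> tuple[set[str], set[str]]:
    """Return (CAs allowed for ordinary names, CAs allowed for wildcard names).
    No issue records at all means unrestricted ({ANY}); issuewild records, when
    present, replace the issue set for wildcards, otherwise wildcards fall back
    to the issue set. An 'issue ";"' record yields an empty set (nobody)."""
    has_issue = any(r.tag == "issue" for r in records)
    has_wild = any(r.tag == "issuewild" for r in records)
    issue = {r.ca for r in records if r.tag == "issue" and r.ca} if has_issue else {ANY}
    wild = {r.ca for r in records if r.tag == "issuewild" and r.ca} if has_wild else issue
    return issue, wild


def unauthorized(records: list[CAARecord], intended: list[str]) -> dict[str, list[str]]:
    """CAs the RRset lets issue that are not on the intended allow-list."""
    allow = {c.lower() for c in intended}
    issue, wild = effective_issuers(records)
    return {"issue": sorted(issue - allow), "issuewild": sorted(wild - allow)}


def query_caa(domain: str) -> str:
    """Live check: run `host -t CAA` (needs the host binary on PATH)."""
    return subprocess.run(["host", "-t", "CAA", domain],
                          capture_output=True, text=True, check=False).stdout


# Sample input: the first `host -t CAA davemehler.com` run quoted in the thread.
SAMPLE_HOST_OUTPUT = """\
davemehler.com has CAA record 0 issue "ssl.com"
davemehler.com has CAA record 0 issue "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "digicert.com; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issuewild "comodoca.com"
davemehler.com has CAA record 0 issue "letsencrypt.org"
davemehler.com has CAA record 0 issuewild "ssl.com"
davemehler.com has CAA record 0 issuewild "letsencrypt.org"
davemehler.com has CAA record 0 issue "comodoca.com"
davemehler.com has CAA record 0 issuewild "pki.goog; cansignhttpexchanges=yes"
davemehler.com has CAA record 0 issue "pki.goog; cansignhttpexchanges=yes"
"""

if __name__ == "__main__":
    # usage: python caa_check.py [domain] [intended-ca ...]; no args -> sample
    if len(sys.argv) > 1:
        text, intended = query_caa(sys.argv[1]), sys.argv[2:] or ["letsencrypt.org"]
    else:
        text, intended = SAMPLE_HOST_OUTPUT, ["letsencrypt.org"]
    for kind, cas in unauthorized(parse_caa_output(text), intended).items():
        print(f"{kind}: {'ok' if not cas else 'UNAUTHORIZED ' + ', '.join(cas)}")
```

Run against the sample it reports the four CAs Cloudflare added alongside letsencrypt.org; run against a zone where the dashboard shows only your own record, it tells you whether the resolver-visible RRset agrees.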
Hi. How have they cut your costs exactly? Andrew. -----Original Message----- From: David Mehler via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Sent: Tuesday, July 2, 2024 2:29 AM To: Andrew Hodgson via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> Cc: David Mehler <dave.mehler@gmail.com> Subject: [Blind-sysadmins] Re: Cloudflare DNS Provider and CAA records?
participants (5)
-
Andrew Hodgson
-
Billy Irwin
-
David Mehler
-
Jason J.G. White
-
Steve Nutt