Is CAA supported on Zoneedit?

Gruff

New Member
Hi

I have had a look through the control panel and cannot see if CAA is supported on Zoneedit?

blog.qualys.com slash ssllabs slash 2017 slash 03 slash 13 slash caa-mandated-by-cabrowser-forum

Replace slash with a slash symbol because the forum software thinks my post is spam!

Thanks
 

sandy neal

Administrator
Staff member
Hi there

I am sorry, CA records are not yet supported. We hope to have them available early this summer... late spring.

thanks
sandy
 

El.

Administrator
Staff member
Hello,

We are in the process of making this happen. Still no firm date, but it will be soon.
 

John Everett

New Member
Should CAA records be able to be created for hosts with a CNAME? When I try, I just get a submission validation error:
Host is already a CNAME

I don't seem to have any problem adding a CAA record for a host defined by an A or DYN record.

Thanks much
 

sandy neal

Administrator
Staff member
hi there:
CAA validation follows CNAMEs, like all other DNS requests. If www.community.example.com is a CNAME to web1.example.net, the CA will first request CAA records for www.community.example.com, then seeing that there is a CNAME for that domain name instead of CAA records, will request CAA records for web1.example.net instead. Note that if a domain name has a CNAME record, it is not allowed to have any other records according to the DNS standards.

from serverfault :)

thanks
sandy
 

John Everett

New Member
Ah, thanks for the instructions. So, if someone has, for example:
CNAME website1 (pointing to a webhost)
and
CNAME website2 (also pointing to webhost)

and, on webhost, these two websites are handled by different vhosts using different certificates,
and website1 has a Let's Encrypt cert,
and website2 has a GoDaddy cert.

Would the proper CAA record(s) be two separate CAA records, e.g.:
CAA webhost LetsEncrypt
and
CAA webhost GoDaddy
(which if so, it seems like that would have the unintended consequence of allowing an additional CA for each CNAME domain)?
Or do multiple entries not work for some reason?

At any rate, in such cases, might it be better to avoid CNAME assignments for hosts where CAA is desired -- or just to stick to the same CA for all the certs on a host with CNAME records pointing to it?

Thanks again for your help.
 

sandy neal

Administrator
Staff member
CAA records must be created in the intended location of where the certificate will reside. Usually this is the root or a specific subdomain, not a CNAME forwarding to a different host.
 

sandy neal

Administrator
Staff member
as well... it's just one subdomain, and you have a wildcard certificate you can use the 'issuewild' option in the CAA record creation section.
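
The two-CNAME scenario discussed in this thread, as an added example that is not part of any post and is not Zoneedit's code: a small in-memory model of how a CA finds the relevant CAA set, following CNAMEs and then climbing toward the root as RFC 8659 describes. The zone data, host names and addresses are constructed for illustration; letsencrypt.org and godaddy.com are the CAA identifiers those CAs publish.

```python
# Constructed zone data: names, targets and addresses are illustrative only.
ZONE = {
    "website1.example.com": {"CNAME": "webhost.example.net"},
    "website2.example.com": {"CNAME": "webhost.example.net"},
    "webhost.example.net": {
        "A": ["192.0.2.10"],
        "CAA": [(0, "issue", "letsencrypt.org"), (0, "issue", "godaddy.com")],
    },
    "example.com": {"CAA": [(0, "issue", "letsencrypt.org")]},
    "shop.example.com": {"A": ["192.0.2.20"]},
}
MAX_CNAME_HOPS = 8  # guard against CNAME loops


def caa_at(name):
    """CAA RRset a resolver returns for `name`, following any CNAME chain."""
    for _ in range(MAX_CNAME_HOPS):
        rrsets = ZONE.get(name, {})
        if "CNAME" not in rrsets:
            return rrsets.get("CAA", [])
        name = rrsets["CNAME"]
    raise RuntimeError("CNAME chain too long")


def relevant_caa(name):
    """Climb from `name` toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = caa_at(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(ca_domain, name, wildcard=False):
    """True if CAA does not forbid `ca_domain` from issuing for `name`."""
    rrset = relevant_caa(name)
    issue = [value for _, tag, value in rrset if tag == "issue"]
    issuewild = [value for _, tag, value in rrset if tag == "issuewild"]
    # issuewild only applies to wildcard requests and then overrides issue.
    wanted = issuewild if (wildcard and issuewild) else issue
    if not wanted:
        return True  # no restricting property found: issuance is unrestricted
    # Strip optional parameters after ';' before comparing issuer domains.
    return ca_domain in {value.split(";")[0].strip() for value in wanted}
```

Because both CNAMEs resolve to the same target, `website1` and `website2` share one CAA set, so every CA listed at `webhost` is authorised for both sites.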
 