Hello, While this is at its core a DNS question, since it's about CAA records and cert issuance, I thought to post it here as well. If this is viewed as off-topic, my apologies.
It seems to me that the behavior in combination with CNAMEs is suboptimal at best. I believe we need to allow CAAs to be set on CNAMEs.

Suppose you have example.com, intended to use for misc. internal services, such as yourinternaltickettracker.example.com, yourinternalcoderepository.example.com, and yourintranetcms.example.com. This allows your employees to easily access all internal services via a common domain, which makes a whole lot of sense. You set CAA records 'issue "your-preferred-ca"' on example.com, to ensure that only the CA you trust can issue certs.

Now you create someapp.example.com, which is hosted by a third-party provider. Because it's 2019, they host their app on AWS, Azure, GCE, possibly adding a CDN, so someapp.example.com becomes IN CNAME someapp.thirdparty.com, which may have a CNAME record to e.g., mumblefumble.akamaiedge.net or ghs.googlehosted.com, or someapp.example.com.cdn.cloudflare.net or whatever. The third-party provider offers certificates (hooray!), and because it's easy, low cost, and low friction, they use Let's Encrypt (also hooray!). But LE can't issue a cert, because your CAA record on example.com doesn't include "letsencrypt.org".

So what are your options? You're not going to get AWS, Azure, GCE, or the CDN in question to update their CAA records to allow LE for whatever the CNAME is. That's not scalable for them, and they're not going to add another CA to their second-level domain CAA records. Fair enough. You're also not going to get the third-party to send you a CSR (and automate renewal), so you can use your preferred CA. (Also fair; this is not scalable either, and they're probably already overwhelmed by the whole cert business & just wanted to tick the "military grade encryption" checkbox on their offerings page.) You could create a new second-level domain for this particular app so that you can set the restrictive CAA record there, but then you're breaking the user experience of having all services under the same domain.
So your only option is to add LE at the second-level domain name, example.com. But of course that applies to all names under that domain, present and future. LE can now issue certs for your misc. internal services, including those not hosted by a third-party provider. You did not want that, which is why you initially set the CAA records as you did.

The only way I see around this would be to allow CAA RRs on CNAMEs, which (currently) violates RFC1912, Section 2.4. But per RFC2181, section 10.1, we already allow e.g. SIG, NXT, and KEY RRs on CNAMEs. Wouldn't it be prudent to also allow CAA records on a CNAME?

-Jan

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
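The scenario in the post, as an added worked example that is not part of the original message: a toy model of how a CA decides which CAA RRset governs a name. The zone data is constructed from the names in the post, and the model assumes the rule the post relies on (the CA climbs from the requested name toward the root and uses the first CAA RRset it finds; a CAA record on example.com therefore covers every name below it). CNAME targets are recorded but not chased, and the `with_record` helper is an assumption used only to try out the two remedies the post discusses (adding LE at example.com, or the proposed CAA-on-a-CNAME-node).

```python
"""Toy CAA relevance check modelling the post's example.com scenario.

Assumptions (not from any RFC text on the page):
- the CA walks from the requested name up to the root and stops at the
  first name that has CAA records;
- CNAME targets are not chased, so the CAA data of the hosting
  providers (akamaiedge.net, googlehosted.com, ...) never comes into play.
"""
import copy

# Constructed zone data: owner name -> list of (rrtype, rdata).
# Only example.com carries CAA, exactly as in the post.
ZONE = {
    "example.com": [("CAA", '0 issue "your-preferred-ca"')],
    "yourinternaltickettracker.example.com": [("A", "10.0.0.5")],
    "yourintranetcms.example.com": [("A", "10.0.0.6")],
    "someapp.example.com": [("CNAME", "someapp.thirdparty.com")],
    "someapp.thirdparty.com": [("CNAME", "mumblefumble.akamaiedge.net")],
}


def parent_chain(name):
    """someapp.example.com -> [someapp.example.com, example.com, com]."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_caa(zone, name):
    """Return (owner_name, caa_rdata_list) of the governing RRset, or (None, [])."""
    for candidate in parent_chain(name):
        caa = [rdata for rrtype, rdata in zone.get(candidate, []) if rrtype == "CAA"]
        if caa:
            return candidate, caa
    return None, []


def issue_tags(caa_rdata):
    """Extract the CA identifiers from 'flags issue "ca-domain"' records."""
    cas = set()
    for rdata in caa_rdata:
        parts = rdata.split(None, 2)  # flags, tag, value
        if len(parts) == 3 and parts[1] == "issue":
            cas.add(parts[2].strip('"'))
    return cas


def may_issue(zone, name, ca):
    """True if CA `ca` is permitted to issue for `name` under the toy rule."""
    _, caa = relevant_caa(zone, name)
    if not caa:
        return True          # no CAA anywhere up the tree: any CA may issue
    allowed = issue_tags(caa)
    if ";" in allowed:
        return False         # 'issue ";"' forbids issuance by every CA
    return ca in allowed


def with_record(zone, owner, rrtype, rdata):
    """Hypothetical helper: copy of `zone` with one extra record added."""
    new_zone = copy.deepcopy(zone)
    new_zone.setdefault(owner, []).append((rrtype, rdata))
    return new_zone


if __name__ == "__main__":
    for host in ("someapp.example.com", "yourinternaltickettracker.example.com"):
        owner, _ = relevant_caa(ZONE, host)
        print(f"{host}: governed by CAA at {owner}; "
              f"LE may issue: {may_issue(ZONE, host, 'letsencrypt.org')}")

    # Remedy 1 from the post: allow LE at example.com (collateral: every name).
    opened = with_record(ZONE, "example.com", "CAA", '0 issue "letsencrypt.org"')
    print("after adding LE at example.com, LE may issue for the ticket tracker:",
          may_issue(opened, "yourinternaltickettracker.example.com", "letsencrypt.org"))

    # Remedy 2 (the post's proposal): CAA alongside the CNAME at someapp.
    proposed = with_record(ZONE, "someapp.example.com", "CAA", '0 issue "letsencrypt.org"')
    print("with CAA on the CNAME node, LE may issue for someapp:",
          may_issue(proposed, "someapp.example.com", "letsencrypt.org"),
          "and for the ticket tracker:",
          may_issue(proposed, "yourinternaltickettracker.example.com", "letsencrypt.org"))
```

Running it reproduces the post's dilemma: with CAA only at example.com, LE is refused for someapp.example.com; adding LE at example.com also opens every internal name; placing CAA next to the CNAME (what the post proposes, and what the toy rule would honour if the record could exist) scopes the exception to someapp alone.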