Can I create a CAA record for all sub-domains
Our main web site uses HTTPS certificates issued by comodo. So we have two CAA records like this:
@ CAA 0 issue "comodo.com"
www CAA 0 issue "comodo.com"
And we have multiple sub-domains with HTTPS certificates served by letsencrypt. Example CAA records like:
test1 CAA 0 issue "letsencrypt.org"
test2 CAA 0 issue "letsencrypt.org"
other CAA 0 issue "letsencrypt.org"
At the moment, when we have a new sub-domain, besides an A-record I also have to create a new CAA record. Can't I have a wild-card as sub-domain name, like this?
* CAA 0 issue "letsencrypt.org"
(I've tested this, but it doesn't work)
For the record: I'm not talking about wild-card domain certificates.
domain-name-system
asked 9 hours ago by doekman
What errors are you getting from the CAA wildcard? It kinda looks like it should work.
– Zoredache
8 hours ago
2 Answers
Technically, it's certainly possible to have a wildcard CAA record (and it does "work").
However, the way wildcards in DNS are defined, this is probably not actually useful for your use-case, as a wildcard only applies to names in branches that do not exist.
Presumably you have at least address records (A/AAAA) for all these names that you want to get certificates for, and by having those address records in place the wildcard no longer applies there. So wildcards are almost certainly a no-go for what you want to do.
I think what you will want to do is either add CAA records for all these names or live with a less strict policy on the level above (i.e., comodo + letsencrypt in your example) and make use of the built-in policy inheritance in the CAA spec.
answered 7 hours ago by Håkan Lindqvist
CAA records are inherited by subdomains - you do not need to publish them under subdomains, as pointed out by Håkan Lindqvist. Ignoring subdomains, you can have multiple CAA records at your domain, e.g.
@ CAA 0 issue "comodo.com"
@ CAA 0 issue "letsencrypt.org"
issuewild is the context you are looking for IF you want to authorise letsencrypt to issue wildcard certs, e.g.
@ CAA 0 issuewild "comodo.com"
@ CAA 0 issuewild "letsencrypt.org"
Personally I only publish one CAA record at my domain, I do not publish them for subdomains, and I use non-wildcard letsencrypt certificates for subdomains without issue.
P.S. Wildcard DNS records only resolve for subdomains that DO NOT exist, which is commonly misunderstood. This is what Håkan Lindqvist was saying when he mentioned that. Inheritance enables you to use @ CAA instead of * CAA.
answered 7 hours ago by Allan Wallace, edited 51 mins ago by Esa Jokinen
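To make both answers concrete, here is an added Python model (not code from the question or either answer) of RFC 4592 wildcard matching and RFC 8659 CAA tree climbing, run over a constructed example.com zone laid out like the asker's and then like Allan Wallace's. The zone contents, the 192.0.2.x addresses and the "*." prefix used to ask about a wildcard certificate are assumptions of this example.

```python
from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]   # owner name -> {rrtype: [rdata, ...]}

# Constructed zone for "example.com." (the question's "@"), mirroring the asker's layout:
# comodo.com at the apex, a wildcard CAA for letsencrypt.org, and test1 with only an A record.
ASKER_ZONE: Zone = {
    "example.com.":       {"A": ["192.0.2.1"], "CAA": ['0 issue "comodo.com"']},
    "www.example.com.":   {"A": ["192.0.2.1"], "CAA": ['0 issue "comodo.com"']},
    "test1.example.com.": {"A": ["192.0.2.2"]},
    "*.example.com.":     {"CAA": ['0 issue "letsencrypt.org"']},
}
# Allan Wallace's layout: every issuer listed at the apex, nothing published under sub-domains.
APEX_ZONE: Zone = {
    "example.com.":       {"A": ["192.0.2.1"],
                           "CAA": ['0 issue "comodo.com"', '0 issue "letsencrypt.org"',
                                   '0 issuewild "letsencrypt.org"']},
    "test1.example.com.": {"A": ["192.0.2.2"]},
}

def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records or is an empty non-terminal (RFC 4592)."""
    return name in zone or any(o.endswith("." + name) for o in zone)

def lookup(zone: Zone, name: str, rrtype: str) -> List[str]:
    """Answer a query with wildcard semantics: a wildcard is synthesized only when the
    queried name does not exist at all, and only from its closest encloser."""
    if name_exists(zone, name):
        return zone.get(name, {}).get(rrtype, [])   # existing name: no synthesis
    labels = name.split(".")
    for i in range(1, len(labels) - 1):             # last label is the root ""
        encloser = ".".join(labels[i:])
        if name_exists(zone, encloser):
            return zone.get("*." + encloser, {}).get(rrtype, [])
    return []

def relevant_caa(zone: Zone, name: str) -> Tuple[str, List[str]]:
    """RFC 8659 section 3 tree climbing: the first non-empty CAA RRset found walking
    from the name towards the root governs it. Returns (owner answered, records)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        rrs = lookup(zone, owner, "CAA")
        if rrs:
            return owner, rrs
    return "", []

def ca_permitted(zone: Zone, ca: str, name: str) -> bool:
    """May `ca` issue for `name`? A leading "*." asks about a wildcard certificate;
    then issuewild records govern when present, otherwise issue records do (RFC 8659 4.3)."""
    wildcard = name.startswith("*.")
    _, rrs = relevant_caa(zone, name[2:] if wildcard else name)
    props = []
    for rr in rrs:                                  # '0 issue "ca; params"' -> (tag, ca)
        _flags, tag, value = rr.split(maxsplit=2)
        props.append((tag, value.strip('"').split(";")[0].strip()))
    governing = "issuewild" if wildcard and any(t == "issuewild" for t, _ in props) else "issue"
    allowed = {v for t, v in props if t == governing}
    return ca in allowed if allowed else True       # no governing property: not restricted
```

Because test1 exists (it has an A record), the asker's `*` CAA never applies to it and it inherits the apex's comodo.com-only policy, whereas a name that does not exist at all does pick up the wildcard.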