Can I create a CAA record for all sub-domains


Our main web site uses HTTPS certificates issued by comodo. So we have two CAA records like this:



@ CAA 0 issue "comodo.com"
www CAA 0 issue "comodo.com"


And we have multiple sub-domains with HTTPS certificates served by letsencrypt. Example CAA records like:



test1 CAA 0 issue "letsencrypt.org"
test2 CAA 0 issue "letsencrypt.org"
other CAA 0 issue "letsencrypt.org"


At the moment, when we have a new sub-domain, besides an A-record I also have to create a new CAA record. Can't I have a wild-card as sub-domain name, like this?



* CAA 0 issue "letsencrypt.org"


(I've tested this, but it doesn't work)



For the record: I'm not talking about wild-card domain certificates.







domain-name-system
















asked 9 hours ago









doekman













  • What errors are you getting from the CAA wildcard? It kinda looks like it should work.

    – Zoredache
    8 hours ago



























2 Answers


















Technically, it's certainly possible to have a wildcard CAA record (and it does "work").

However, the way wildcards in DNS are defined, this is probably not actually useful for your use-case, as a wildcard only applies to names in branches that do not exist.

Presumably you have at least address records (A/AAAA) for all these names that you want to get certificates for, and by having those address records in place the wildcard no longer applies there. So wildcards are almost certainly a no-go for what you want to do.

I think what you will want to do is either add CAA records for all these names or live with a less strict policy on the level above (i.e., comodo + letsencrypt in your example) and make use of the built-in policy inheritance in the CAA spec.

answered 7 hours ago
Håkan Lindqvist

CAA records are inherited by subdomains - you do not need to publish them under subdomains, as pointed out by Håkan Lindqvist. Ignoring subdomains, you can have multiple CAA records at your domain, e.g.

@ CAA 0 issue "comodo.com"
@ CAA 0 issue "letsencrypt.org"

issuewild is the context you are looking for IF you want to authorise letsencrypt to issue wildcard certs, e.g.

@ CAA 0 issuewild "comodo.com"
@ CAA 0 issuewild "letsencrypt.org"

Personally I only publish one CAA record at my domain, I do not publish them for subdomains, and I use non-wildcard letsencrypt certificates for subdomains without issue.

P.S. Wildcard DNS records only resolve for subdomains that DO NOT exist, which is commonly misunderstood. This is what Håkan Lindqvist was saying when he mentioned that. Inheritance enables you to use @ CAA instead of * CAA.

edited 51 mins ago
Esa Jokinen

answered 7 hours ago
Allan Wallace
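
The behaviour both answers describe, as an added example (not code from either answerer): a small Python model of RFC 4592 wildcard matching and RFC 8659 CAA tree climbing, run over a constructed example.com zone. The zone contents, addresses and function names are assumptions for illustration; CNAME handling and issuewild are left out.

```python
# Constructed zone for example.com (illustrative data, not a real domain).
# Owner name -> {record type: [values]}; CAA values are (tag, issuer) pairs.
ZONE = {
    "example.com": {"A": ["192.0.2.1"], "CAA": [("issue", "comodo.com")]},
    "www.example.com": {"A": ["192.0.2.1"]},
    "*.example.com": {"CAA": [("issue", "letsencrypt.org")]},
    "test1.example.com": {"A": ["192.0.2.10"]},  # exists, but has no CAA
    "test2.example.com": {"A": ["192.0.2.11"],
                          "CAA": [("issue", "letsencrypt.org")]},
}

# The alternative from the answers: both CAs at the apex, no wildcard.
INHERITED = {
    "example.com": {"CAA": [("issue", "comodo.com"),
                            ("issue", "letsencrypt.org")]},
    "test1.example.com": {"A": ["192.0.2.10"]},
}


def name_exists(zone, name):
    """A name exists if it owns records or has descendants in the zone."""
    return any(o == name or o.endswith("." + name) for o in zone)


def query(zone, name, rtype):
    """Answer one query the way an authoritative server would (RFC 4592)."""
    if name_exists(zone, name):
        # Existing name: exact data or NODATA. The wildcard is never consulted.
        return zone.get(name, {}).get(rtype, [])
    # Non-existent name: find the closest existing ancestor, try its "*" child.
    labels = name.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if name_exists(zone, encloser):
            return zone.get("*." + encloser, {}).get(rtype, [])
    return []


def relevant_caa(zone, fqdn):
    """RFC 8659 tree climbing: first non-empty CAA RRset from fqdn upward."""
    labels = fqdn.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = query(zone, candidate, "CAA")
        if rrset:
            return candidate, rrset
    return None, []


def may_issue(zone, fqdn, ca):
    """Non-wildcard certificate request: only 'issue' properties restrict it."""
    _, rrset = relevant_caa(zone, fqdn)
    issuers = [value for tag, value in rrset if tag == "issue"]
    return not issuers or ca in issuers


if __name__ == "__main__":
    for host in ("test1.example.com", "test2.example.com", "new.example.com"):
        found_at, _ = relevant_caa(ZONE, host)
        ok = may_issue(ZONE, host, "letsencrypt.org")
        print(f"{host}: CAA found at {found_at}, letsencrypt.org allowed={ok}")
    print("apex lists both CAs:",
          may_issue(INHERITED, "test1.example.com", "letsencrypt.org"))
```

In the first zone, test1 already has an A record, so its CAA lookup returns an empty answer and the CA climbs to the apex, where only comodo.com is listed; the wildcard only answers for new.example.com, and stops doing so as soon as that name gets a record of its own.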
