If my domain's CAA authorizes Let's Encrypt, how do I proceed to authorize GlobalSign on a subdomain? Thanks
Hi ThOm, My provider is virtualname.es. Do I have to configure something in its control panel? Can't I do it in ISPConfig 3? Currently I created two CAA records for the domain in ISPConfig 3:

$ dig caa domain.org
domain.org. 3600 IN CAA 0 issue "globalsign.com"
domain.org. 3600 IN CAA 0 issue "letsencrypt.org"

But the subdomain doesn't return anything:

$ dig caa subdomain.domain.org
(empty answer)
Sorry, I've had the DNS zones of many domains configured in ISPConfig 3 (now with CAA Let's Encrypt) for many years. I also have multiple domains with GlobalSign SSL (CAA) configured in ISPConfig 3, but these domains do not use Let's Encrypt. You mean if I need to authorize two SSL providers with CAA I can't do it with ISPConfig? That in these cases I have to configure the DNS zone in the control panel of my provider. Correct? Thanks
You surely can authorize multiple SSL providers with CAA through ISPConfig, but not if the domain has different nameservers than the nameserver(s) you have configured in ISPConfig. So if a different provider hosts those zones, it does not make any sense to have them in your ISPConfig setup as changes there don't do anything to the queried nameservers.
Thank you, Th0m. I think you've hit the key. ;-) For some reason I thought that this domain was registered by us at VirtualName.es, but I have just verified that it is registered by third parties at Acens.net (it is the domain of a public administration). So I understand that the CAAs have to be configured in the provider where the domain is actually located. Correct? Thanks!
The CAA has to be configured in the DNS server that is authoritative for the domain. Look up the NS records of that domain; the DNS server where the NS records point to must contain the DNS records for this zone, and CAA records are just normal DNS records, so they have to be on that authoritative name server(s).
Sorry, I just accessed the control panel of the domain registrar (acens.com) and there is no DNS zone for the domain, only the nameservers (ns1.myserver.org and ns2.myserver.org) of the server managed by ISPConfig 3. That being the case, I should be able to configure the two CAAs with ISPConfig 3, right?
Yes, it should if the records are properly set. First of all, check who is the authoritative NS for the zone/domain with:

Code:
dig domain.tld NS

If that is your ISPConfig NS server, then go ahead and check with:

Code:
dig domain.tld caa

If the NS server is not your own and you want to use your own, you need to change the GLUE record at the provider.
Thanks, pyte. "dig domain.tld NS" displays our nameservers (ns1.server.tld and ns2.server.tld). "dig domain.tld caa" displays our CAAs for the domain (Let's Encrypt and GlobalSign). But "dig subdomain.domain.tld caa" displays nothing (no answer). At the domain provider there is no DNS zone or option to create glue records, just nameservers. Given the current situation, I understand that glue records are necessary. Correct? Thanks!
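An added example (not code from the thread or from ISPConfig) of how a CA actually evaluates an empty CAA answer like the one above: per RFC 8659 section 3, the CA climbs from the queried name to its parent until it finds a CAA RRset, so a subdomain with no CAA records inherits the parent's authorizations, and a subdomain that does get its own record no longer inherits anything. The zone data below is constructed to mirror the names in this thread (domain.tld, subdomain.domain.tld); the climb stops before the TLD, and the CNAME handling that RFC 6844 had (dropped in RFC 8659) is not modelled.

```python
"""RFC 8659 CAA lookup climb and issuer check over constructed zone data.

Added example, not from the thread or ISPConfig. The names and records below
are constructed to mirror the thread; an offline dict stands in for the
authoritative nameserver's answers.
"""
from typing import Dict, List, Optional, Tuple

# A CAA record as (flags, tag, value); only the tags needed here are modelled.
CAARecord = Tuple[int, str, str]

# Constructed: the thread's state before a CAA record existed on the subdomain.
ZONE_BEFORE: Dict[str, List[CAARecord]] = {
    "domain.tld.": [(0, "issue", "globalsign.com"), (0, "issue", "letsencrypt.org")],
}

# Constructed: the state after a GlobalSign-only CAA record was added on the subdomain.
ZONE_AFTER: Dict[str, List[CAARecord]] = {
    "domain.tld.": [(0, "issue", "globalsign.com"), (0, "issue", "letsencrypt.org")],
    "subdomain.domain.tld.": [(0, "issue", "globalsign.com")],
}

# Constructed: a zone that allows GlobalSign for hostnames but forbids all wildcards.
ZONE_LOCKED: Dict[str, List[CAARecord]] = {
    "locked.tld.": [(0, "issue", "globalsign.com"), (0, "issuewild", ";")],
}


def _normalize(name: str) -> str:
    """Lower-case and make the name absolute (trailing dot)."""
    return name.lower().rstrip(".") + "."


def relevant_caa_set(zone: Dict[str, List[CAARecord]], name: str) -> Tuple[Optional[str], List[CAARecord]]:
    """Find the relevant CAA RRset for name (RFC 8659 section 3).

    Use the RRset at the name itself; if there is none, climb to the parent and
    repeat. Returns (owner name where the set was found, records), or (None, [])
    if nothing is found before the TLD is reached.
    """
    labels = _normalize(name).rstrip(".").split(".")
    while len(labels) >= 2:  # do not consult the TLD or the root
        candidate = ".".join(labels) + "."
        rrset = zone.get(candidate)
        if rrset:
            return candidate, list(rrset)
        labels = labels[1:]
    return None, []


def issuance_permitted(zone: Dict[str, List[CAARecord]], name: str, issuer_domain: str) -> bool:
    """Decide whether the CA identified by issuer_domain may issue for name.

    Wildcard names consult 'issuewild' when present, otherwise 'issue'. A
    relevant set with no restricting tag does not restrict issuance; a value of
    ';' alone authorizes no issuer at all.
    """
    wildcard = name.startswith("*.")
    lookup_name = name[2:] if wildcard else name
    _, records = relevant_caa_set(zone, lookup_name)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is not restricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    values = [v for _, t, v in records if t == tag]
    if not values:
        return True  # records exist (e.g. only iodef) but nothing restricts this tag
    # Each value is "issuer-domain-name [; parameters]"; keep only the issuer name.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    allowed.discard("")  # a bare ';' authorizes nobody
    return issuer_domain.lower() in allowed


def audit(zone: Dict[str, List[CAARecord]], name: str, issuers: List[str]) -> Dict[str, bool]:
    """Report, per issuer, whether issuance for name is permitted under zone."""
    return {issuer: issuance_permitted(zone, name, issuer) for issuer in issuers}


if __name__ == "__main__":
    cas = ["letsencrypt.org", "globalsign.com"]
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        owner, _ = relevant_caa_set(zone, "subdomain.domain.tld")
        print(label, "relevant set found at:", owner, audit(zone, "subdomain.domain.tld", cas))
```

The design point is the last two lines of output: before the fix the subdomain inherits both issuers from domain.tld, and after a GlobalSign-only record is added on the subdomain, letsencrypt.org is no longer authorized there, while other names under domain.tld still inherit the parent's set.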
domain.tld: yes (two: Let's Encrypt and GlobalSign) subdomain.domain.tld: no. How can I add a CAA to it? The CAA creation form won't let me in the domain.tld zone in ISPConfig 3. Would I have to create a DNS zone for subdomain.domain.tld or some other way? Thanks
You go into the zone for the domain in ISPConfig, click on the green CAA button on top and add the entry. Specify the "subdomain" in the field "Additional Hostnames" as described and you should be good to go.
Done: now all is OK:

$ dig subdomain.domain.tld caa
subdomain.domain.tld. 3276 IN CAA 0 issue "globalsign.com"

Thank you very much, pyte!

Notes:
1.- I can't modify the "Additional Hostnames" field: I needed to delete the CAA record and create it again.
2.- The instructions in that field generate confusion ("Sepearated list with commas - empty for all hostnames").