Hi there, I seem to have run into an issue with multiple CAA records for a domain. I'm using Let's Encrypt for the website, but the supplier of the servers uses another (paid) one. I have multiple CAA records for this. I have to disable the supplier's CAA records for Let's Encrypt to be able to regenerate, and vice versa. Does anybody else have this issue and know how to solve it?
Create a CAA record for every CA that you or your supplier use for that domain and you should be fine.
Having multiple CAA records should be fine and is within spec. Have you checked that the domain really returns all CAA records when queried?
Then there is something wrong with these records, or the CAA records are not yet widely enough propagated. When did you set them up? It may take up to 24 hours until they are broadly available. Another reason could be a wrong definition of the issuewild and issue CAA records. Also, what does your DNS server return when you query it for CAA records?
Multiple CAA records should work fine; it works for me with no problems. Is one of the certificates supposed to allow wildcards? Maybe the record is just being created using 'issue' instead of 'issuewild'? On a side note: @till, does ISPConfig allow the application of the iodef tag in CAA records? Is this what the additional options field is for?
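The replies above say that several CAA records from different CAs are fine, and that the usual mistake is mixing up issue and issuewild. The following is an added example (not code from this thread or from ISPConfig) that applies the RFC 8659 evaluation rules to a CAA set the way a CA would: climb from the name to the closest ancestor with CAA records, take issuewild in preference to issue only for wildcard names, treat an empty relevant set as "any CA may issue", refuse on a critical property the CA does not understand, and keep iodef as its own record that never restricts issuance. The zone data and the CA name `ca.example` (standing in for the supplier's paid CA) are constructed placeholders; the record strings are in the presentation format that `dig CAA example.com +short` prints. Property parameters such as `validationmethods=` (RFC 8657) are ignored here, so a real CA's check can be stricter.

```python
"""Evaluate CAA records against a CA's issuer domain using the RFC 8659 rules.

Added example for this thread; not ISPConfig code. Zone data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # 128 = "issuer critical" bit set
    tag: str     # issue, issuewild, iodef, or something this CA may not know
    value: str   # property value as written between the quotes

# Presentation format as printed by `dig CAA <name> +short`: 0 issue "letsencrypt.org"
_CAA_RE = re.compile(r'^\s*(\d+)\s+(\w+)\s+"([^"]*)"\s*$')

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(text: str) -> CAA:
    """Parse one CAA record in presentation format."""
    m = _CAA_RE.match(text)
    if not m:
        raise ValueError(f"not a CAA record: {text!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))


def issuer_domain(value: str) -> str:
    """Return the issuer domain of an issue/issuewild value, dropping parameters.

    'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'
    ';' (the "nobody may issue" form)            -> ''
    """
    return value.split(";", 1)[0].strip().lower()


def relevant_caa(zone: dict, name: str) -> list:
    """Climb from `name` toward the root and return the first non-empty CAA set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []  # no CAA anywhere up the tree: no restriction


def may_issue(zone: dict, name: str, ca: str, wildcard: bool = False) -> bool:
    """Decide whether `ca` may issue for `name` (or *.name when wildcard=True)."""
    rrset = relevant_caa(zone, name)
    # A critical property we do not understand means: do not issue at all.
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild takes precedence for wildcard names; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # iodef-only or empty set restricts nobody
    return any(issuer_domain(r.value) == ca.lower() for r in relevant)


# Constructed zone: both CAs listed with their own records, as the reply above advises.
# Only ca.example is allowed to issue wildcards; iodef sits in its own record.
ZONE = {
    "example.com": [parse_caa(s) for s in (
        '0 issue "letsencrypt.org"',
        '0 issue "ca.example"',
        '0 issuewild "ca.example"',
        '0 iodef "mailto:security@example.com"',
    )],
    "locked.example.com": [parse_caa('0 issue ";"')],  # nobody may issue here
}

if __name__ == "__main__":
    for name, ca, wild in [
        ("www.example.com", "letsencrypt.org", False),
        ("example.com", "ca.example", False),
        ("example.com", "letsencrypt.org", True),
        ("example.com", "ca.example", True),
        ("locked.example.com", "letsencrypt.org", False),
    ]:
        label = f"*.{name}" if wild else name
        print(f"{ca:16} -> {label:24} {'allowed' if may_issue(ZONE, name, ca, wild) else 'refused'}")
```

To compare against live DNS, feed the lines from `dig CAA example.com +short` (on the authoritative server and on a public resolver, to spot propagation gaps) into `parse_caa` and call `may_issue` with the CA you expect to succeed; if Let's Encrypt fails only for `*.example.com`, the missing piece is an issuewild record, not the presence of the other CA's records.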
Not sure, I have not implemented the CAA records feature. I had a quick look at the code and it might even be that 'additional' here means additional authorities and it creates more CAA records in the background. I guess I will have to test it to see what gets added to the zone file if one uses the additional field.
Any idea what syntax that would use? There's nothing about the CAA records in the 3.1 manual. AFAIK the iodef tag should be in its own CAA record.