CAA Error when renewing Netlify Let's Encrypt SSL Certificate

I am having an issue implementing CAA records. The domain in question is lycaonsec.netlify.app. I want to limit the CAA to Let's Encrypt; however, if I do this then Netlify is unable to renew SSL certificates.

If I remove the record it renews the certificate.

Name            Type  Value
lycaonsec.com.  CAA   0 issue “;”
                CAA   0 issuewild “letsencrypt.org
                CAA   0 iodef “mailto:support@lycaonsec.com

This is the record. Am I missing something? Does Netlify need to be added?

Hey @lycaon-security

I cannot comment on the CAA record, however I can see lycaonsec.com isn’t configured per the Configure external DNS for a custom domain documentation. The second record here (99.83.231.61) will cause issues. Only the A record pointing to 75.2.60.5 should exist.

% dig lycaonsec.com
lycaonsec.com.		3600	IN	A	75.2.60.5
lycaonsec.com.		3600	IN	A	99.83.231.61

Having a non-Netlify IP address like this will cause issues with provision/renewal of SSL certificates.

Hi @lycaon-security,

For CAA, your iodef property is correct.

However, issuewild will be ignored when processing a TLS certificate request which is not for a wildcard domain. In that case, it will fall to your issue property, which prohibits any CA from issuing a TLS cert for your domain.

So, Let’s Encrypt will be able to issue a certificate for *.lycaonsec.com or *.subdomain.lycaonsec.com but nothing else. It won’t be able to issue a cert for lycaonsec.com or subdomain.lycaonsec.com.

I personally have been running my domain with only 0 issue "letsencrypt.org" and the iodef property and it would work just fine.
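To make the issue/issuewild precedence described in this reply concrete, here is a small CAA evaluator modelled on RFC 8659. It is an added example written for this thread, not code from Netlify, Let's Encrypt or any poster; ZONE mirrors the record set quoted in the original post and FIXED_ZONE mirrors the single issue record suggested above, both constructed inputs.

```python
# CAA issuance check modelled on RFC 8659 (sections 3 and 4).
# Records are (owner name, property tag, value) tuples.

# Constructed to mirror the record set quoted in the original post:
ZONE = [
    ("lycaonsec.com", "issue", ";"),
    ("lycaonsec.com", "issuewild", "letsencrypt.org"),
    ("lycaonsec.com", "iodef", "mailto:support@lycaonsec.com"),
]

# Constructed to mirror the working setup described in the reply above:
FIXED_ZONE = [
    ("lycaonsec.com", "issue", "letsencrypt.org"),
    ("lycaonsec.com", "iodef", "mailto:support@lycaonsec.com"),
]


def relevant_records(zone, name):
    """Return the CAA RRset of the name itself or its closest ancestor that has one.
    A leading wildcard label is removed before the search (RFC 8659 section 3)."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]).lower()
        found = [r for r in zone if r[0].lower() == candidate]
        if found:
            return found
    return []


def ca_domain(value):
    """Reduce an issue/issuewild value to its CA domain, dropping any ';key=value'
    parameters. The bare value ';' reduces to '' and therefore matches no CA."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(zone, name, ca):
    """Decide whether CA `ca` may issue for `name` (wildcard if it starts with '*.')."""
    records = relevant_records(zone, name)
    if not records:
        return True  # no relevant CAA RRset: CAA imposes no restriction
    is_wildcard = name.startswith("*.")
    issue = [r[2] for r in records if r[1].lower() == "issue"]
    issuewild = [r[2] for r in records if r[1].lower() == "issuewild"]
    # Wildcard requests use issuewild when present; everything else falls to issue.
    applicable = issuewild if (is_wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA exists but carries no issue/issuewild property
    return any(ca_domain(v) == ca.lower() for v in applicable)
```

Running it shows the failure mode from the thread: with ZONE, Let's Encrypt is allowed for *.lycaonsec.com but refused for lycaonsec.com and www.lycaonsec.com, while FIXED_ZONE permits it for all three and still refuses any other CA.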

@coelmay Thanks for this

I'm a little confused by your comment, as the subdomain www record is configured as a CNAME per the document you linked to, so that is correct.

The apex domain is an ANAME but will return as A; this is also correct. If I’m missing something, please let me know.

lycaonsec is the primary domain, not www.

My apologies @lycaon-security, your setup is correct—my information was not :sob:

Going back to your original post, if you add the CAA record, SSL certificate generation stops working. I suspect @luke might best know what the issue is here.

Hey @lycaon-security,

I’m not sure what the status of this thread is. You appear to have 0 issue "letsencrypt.org" as your CAA record and you also seem to have got the SSL. Is this resolved or do you need something specific?