This article was written to give more detailed information about the inheritance of the Certificate Authority Authorization DNS-record. For more in-depth information, have a look at Let's Encrypt's own CAA-page.
For this article, let's assume we have 2 domain names:
When you set a CAA-record for example.com, it will also automatically count for any subdomain.
That means that if example.com has a CAA-record set, it will also be used for www.example.com unless overridden.
You can override this behaviour by setting a CAA-record for
For example, if we have a CAA on example.com that bans Let's Encrypt, and one on www.example.com that allows it, Let's Encrypt will allow issuance for
A Canonical Name, or CNAME-record, inherits all the records set for the target.
This means that if we CNAME
www.example.com has a CAA-record set, www.example.net will also inherit it.
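The lookup order described above, as an added example that is not part of the original article and is not Let's Encrypt's code. The zone contents are constructed, the function names are hypothetical, and only the `issue` tag for non-wildcard names is evaluated.

```python
# Constructed zone data for illustration; these are not real DNS answers.
ZONE = {
    "example.com": {"CAA": ['0 issue ";"']},  # bans every CA, Let's Encrypt included
    "www.example.com": {"CAA": ['0 issue "letsencrypt.org"']},  # override
    "www.example.net": {"CNAME": "www.example.com"},
}
MAX_CNAME_HOPS = 8  # guard against CNAME loops


def lookup_caa(name, zone):
    """Return the CAA records answered for `name`, following CNAMEs."""
    for _ in range(MAX_CNAME_HOPS):
        rrsets = zone.get(name, {})
        if "CNAME" not in rrsets:
            return rrsets.get("CAA", [])
        name = rrsets["CNAME"]  # the alias answers with the target's records
    raise RuntimeError("CNAME chain too long")


def relevant_caa(name, zone):
    """Climb from `name` toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        records = lookup_caa(candidate, zone)
        if records:
            return candidate, records
    return None, []


def may_issue(name, ca, zone):
    """True if `ca` may issue for the non-wildcard `name`."""
    _, records = relevant_caa(name, zone)
    issuers = []
    for rec in records:
        _flags, tag, value = rec.split(" ", 2)
        if tag.lower() == "issue":
            # Drop quotes and any parameters after ';' to get the CA identifier.
            issuers.append(value.strip('"').split(";")[0].strip().lower())
    # No issue property at all means no restriction on issuance.
    return not issuers or ca in issuers


if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "www.example.net"):
        print(host, may_issue(host, "letsencrypt.org", ZONE))
```
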