CAA-record inheritance

This article was written to give more detailed information about the inheritance of the Certificate Authority Authorization DNS-record. For more in-depth information, have a look at Let's Encrypt's own CAA-page.

Intro

For this article, let's assume we have two domain names, example.com and example.net, and want to know which CAA-record a CA such as Let's Encrypt consults when it is asked to issue a certificate for a name under either of them.

Within example.com

When you set a CAA-record for example.com, it also automatically counts for every name below it. A CA that is asked to issue for www.example.com (or mail.example.com, or a.b.example.com) first looks for a CAA-record on that exact name; if there is none, it walks up the tree one label at a time and uses the first CAA-record set it finds. So the record on example.com is used for www.example.com unless www.example.com sets its own.

You can override this behaviour by setting a CAA-record on www.example.com itself: the walk up the tree stops at the first name that has a CAA-record set, so the parent's record is no longer consulted. Note that the child's record replaces the parent's completely; the two are not merged.
For example, if we have a CAA on example.com that bans Let's Encrypt, and one on www.example.com that allows it, Let's Encrypt will allow issuance for www.example.com (and, by the same walk, for names below it such as foo.www.example.com, unless those set their own record).

CNAMEs between example.com and example.net

A Canonical Name or CNAME-record makes a name an alias for its target, so a lookup for any record type at the alias, CAA included, returns the target's records. This means that if we CNAME www.example.net to www.example.com, and www.example.com has a CAA-record set, that record also applies to www.example.net. Keep in mind, though, that only the CNAME target itself is consulted, not the target's parents: if www.example.com had no CAA-record of its own, the CA would continue the walk upwards from the original name, at example.net, and would never look at the CAA-record on example.com. This is the lookup algorithm of RFC 8659, which Let's Encrypt follows.
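To make the inheritance, override and CNAME rules above concrete, here is a small offline model of the CAA lookup a CA performs (RFC 8659, section 3), run against a constructed zone. This is an added example, not code from the original article or from Let's Encrypt; every name, record and CA identifier in it is an assumption, and "other-ca.example" is a hypothetical CA. It also covers the edge case the text warns about: an alias whose target has no CAA-record, where the walk continues at the original name's parent rather than the target's.

```python
# Added example (not the article's or Let's Encrypt's code): an offline model of
# the CAA lookup in RFC 8659 section 3, against a constructed zone.
# All names, records and CA identifiers are assumptions; "other-ca.example" is
# a hypothetical CA.

# Constructed zone data: name -> {rrtype: rdata}; CAA rdata is (flags, tag, value).
ZONE = {
    "example.com": {"CAA": [(0, "issue", "other-ca.example")]},    # bans Let's Encrypt
    "www.example.com": {"CAA": [(0, "issue", "letsencrypt.org")]}, # overrides parent
    "example.net": {"CAA": [(0, "issue", ";")]},                   # nobody may issue
    "www.example.net": {"CNAME": "www.example.com"},               # alias with CAA at target
    "blog.example.net": {"CNAME": "static.example.com"},           # alias, target has no CAA
    "static.example.com": {"A": "192.0.2.10"},
}


def parent(name: str) -> str:
    """Strip the leftmost label: 'www.example.com' -> 'example.com' -> 'com' -> ''."""
    return name.partition(".")[2]


def caa(name: str, max_aliases: int = 8):
    """CAA(name) in RFC 8659 terms: the CAA RRset at `name`, with CNAME aliases
    followed the way any resolver follows them. Returns [] when there is none."""
    for _ in range(max_aliases):
        rrs = ZONE.get(name, {})
        if "CAA" in rrs:
            return rrs["CAA"]
        if "CNAME" not in rrs:
            return []
        name = rrs["CNAME"]
    raise ValueError("CNAME chain too long")


def relevant_caa_set(name: str):
    """RelevantCAASet(name): walk up the tree of the *queried* name until a
    non-empty CAA RRset is found. When a name is an alias only its target is
    consulted; the target's parents are never climbed, the queried name's are.
    Returns (name_at_which_the_set_was_found, rrset); ('' , []) if none."""
    while name:
        rrset = caa(name)
        if rrset:
            return name, rrset
        name = parent(name)
    return "", []


def may_issue(name: str, ca: str) -> bool:
    """May the CA identified by `ca` issue a non-wildcard certificate for `name`?
    An unknown property with the critical flag (bit 128) forbids issuance; no
    relevant set, or a set without 'issue' properties, leaves issuance unrestricted.
    Parameters after ';' in an issue value (e.g. validationmethods) are ignored here."""
    _, rrset = relevant_caa_set(name)
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False
    issuers = [value.split(";", 1)[0].strip()
               for _, tag, value in rrset if tag == "issue"]
    if not issuers:
        return True
    return ca in issuers


if __name__ == "__main__":
    for q in ("example.com", "www.example.com", "mail.example.com",
              "deep.www.example.com", "www.example.net", "blog.example.net"):
        found, _ = relevant_caa_set(q)
        print(f"{q:22} CAA taken from {found or '(none)':16} "
              f"letsencrypt.org may issue: {may_issue(q, 'letsencrypt.org')}")
```

Running it shows the three behaviours side by side: mail.example.com inherits the ban from example.com, www.example.com and everything below it are allowed by the override, www.example.net is allowed through its CNAME, and blog.example.net ends up under example.net's "nobody may issue" record because its alias target has no CAA-record and the walk resumes at the original name's parent.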