CAA-record inheritance

This article was written to give more detailed information about the inheritance of the Certificate Authority Authorization DNS-record. For more in-depth information, have a look at Let's Encrypt's own CAA-page.


For this article, let's assume we have 2 domain names:


When you set a CAA-record for, it will also automatically count for any subdomain. That means that if has a CAA-record set, it will also be used for unless overridden.

You can override this behaviour by setting a CAA-record for instead.
For example, if we have a CAA on that bans Let's Encrypt, and one on that allows it, Let's Encrypt will allow issuance for

CNAMEs between and

A Canonical Name (CNAME) record inherits all the records set for the target. This means that if we CNAME to, and has a CAA-record set, will also inherit it.
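
The lookup order described above (the closest CAA set wins, and a CNAME is followed to its target) can be modelled offline. This is an added example, not code from this article or from Let's Encrypt; the zone contents and the names `example.com`, `sub.example.com`, `alias.example.com` and `example.net` are constructed placeholders, and the climb follows the RFC 8659 "relevant record set" rule.

```python
# Constructed zone data: name -> {"CAA": [(tag, value), ...]} or {"CNAME": target}
ZONE = {
    "example.com": {"CAA": [("issue", ";")]},                    # bans every CA
    "sub.example.com": {"CAA": [("issue", "letsencrypt.org")]},  # override
    "alias.example.com": {"CNAME": "example.net"},
    "example.net": {"CAA": [("issue", "letsencrypt.org")]},
}

def query_caa(name, zone, max_hops=8):
    """CAA records at exactly `name`, following CNAMEs as a resolver would."""
    for _ in range(max_hops):
        node = zone.get(name, {})
        if "CNAME" not in node:
            return node.get("CAA", [])
        name = node["CNAME"].rstrip(".").lower()
    # A CNAME loop is a lookup failure; a CA must not issue on failure.
    raise RuntimeError("CNAME chain too long")

def relevant_caa_set(fqdn, zone):
    """Climb from fqdn towards the root; the first non-empty CAA set wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = query_caa(name, zone)
        if records:
            return name, records
    return None, []

def may_issue(fqdn, ca, zone=ZONE):
    """True if `ca` is permitted by the relevant CAA set for `fqdn`."""
    _, records = relevant_caa_set(fqdn, zone)
    # Drop any parameters after ';' and keep only the issuer domain.
    issuers = [v.split(";")[0].strip().lower() for t, v in records if t == "issue"]
    # No CAA anywhere, or no "issue" property in the set: no restriction.
    return not issuers or ca in issuers

if __name__ == "__main__":
    for host in ("www.example.com", "sub.example.com", "alias.example.com"):
        print(host, relevant_caa_set(host, ZONE)[0], may_issue(host, "letsencrypt.org"))
```
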