AnsweredAssumed Answered

DNS CAA not being tested correctly on SSL Labs

Question asked by Sage Gwatkin on Jan 1, 2020
Latest reply on Jan 7, 2020 by Nauman Akhtar Shah

Hi there,

 

I have DNS CAA configured at the subdomain level, and it tests correctly when I use the DNS Spy: CAA record validator.

 

However, when I test through SSL Server Test (Powered by Qualys SSL Labs) it shows:

DNS CAANo (more info)

 

My understanding is that CAA can be configured at subdomain or domain level, subdomain taking precedence over domain where both are configured, so my configuration should produce a 'Yes' on SSL Labs.

 

I can only assume the CAA checker on SSL Labs only checks at the domain level, not the subdomain? For both tests I use the same URL.

 

Thoughts?

 

Sage

Outcomes