How do I change the flag in a CAA record?
In the DNS manager I have created a CAA entry for my root domain iriscafe.net, tagged issue and a value of letsencrypt.org with a default TTL. There appears to be nowhere to change the flag from 0 to 128.
dig iriscafe.net CAA gives me:
iriscafe.net. 6320 IN CAA 0 issue "128 letsencrypt.org"
which I know is wrong. I am waiting for it to update. After the update it should be:
iriscafe.net. 6320 IN CAA 0 issue "letsencrypt.org"
But according to YuNoHost it should be:
iriscafe.net. 6320 IN CAA 128 issue "letsencrypt.org"
Our DNS Manager does not support the ability to change CAA record flags. I know this is a bummer, but the good news is you don't need a CAA record for your SSL to work, and I think it's worth trying to remove that CAA record, just to check if the CAA flag value is the problem.
I checked my domain (I also use Let's Encrypt) and I don't have a CAA record, but my SSL cert works. The Let's Encrypt documentation also says a CAA record is not mandatory.
What's a bit confusing to me is that I see folks saying you should use "0" as the value for the CAA record flag on some forums and "128" in others. When I ran your domain through CAA Record Helper, which is recommended by Let's Encrypt, I ended up with a value of "0".
In any case, I'm going to pass the feedback to our development team that the ability to edit the CAA record flag value is something that might be of value (couldn't resist the pun) for our customers. I cannot promise if or when this feature will be taken up by our team, but we do use this type of feedback to improve our services.
Let us know if this helps out.
The 128 in the flag field is only meaningful if the tag in the record is something new that a CA may not understand. 128 in the flag field of a record means that the CA must only issue a certificate if it understands the tag in that record. The basic tags of issue, issuewild, and iodef are understood by all CAs (as required by the CA/Browser Forum Baseline Requirements), and so 128 in the flag field of records with those tags is redundant.
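To make the flag semantics concrete, here is an added Python example (not from this forum thread, YuNoHost or Let's Encrypt) that parses dig-style CAA lines and applies the RFC 8659 issuance rules to the three records from the question, plus a constructed record with a made-up tag. The tag name `unknowntag` and the CA names passed in are assumptions; issuer matching is simplified to an exact domain comparison.

```python
# Minimal CAA issuance check following RFC 8659 semantics (added example).
from typing import List, Tuple

# Tags every CA is required to understand; 128 (critical) on these is redundant.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Records from the question (dig output), plus two constructed records.
BROKEN   = 'iriscafe.net. 6320 IN CAA 0 issue "128 letsencrypt.org"'
CORRECT  = 'iriscafe.net. 6320 IN CAA 0 issue "letsencrypt.org"'
CRITICAL = 'iriscafe.net. 6320 IN CAA 128 issue "letsencrypt.org"'
UNKNOWN_CRITICAL = 'iriscafe.net. 6320 IN CAA 128 unknowntag "x"'  # constructed
UNKNOWN_NONCRIT  = 'iriscafe.net. 6320 IN CAA 0 unknowntag "x"'    # constructed

def parse_caa(line: str) -> Tuple[int, str, str]:
    """Parse one dig-style CAA RR into (flags, tag, value)."""
    _owner, _ttl, _cls, rtype, flags, tag, value = line.split(maxsplit=6)
    if rtype != "CAA":
        raise ValueError("not a CAA record: " + line)
    return int(flags), tag.lower(), value.strip('"')

def ca_may_issue(records: List[Tuple[int, str, str]], ca: str,
                 wildcard: bool = False) -> bool:
    """True if the CA named `ca` may issue for the name owning `records`."""
    if not records:
        return True  # no CAA RRset at all: issuance is unrestricted
    # A critical record (bit 128) whose tag the CA does not understand
    # forbids issuance outright; a non-critical unknown tag is just ignored.
    for flags, tag, _ in records:
        if flags & 128 and tag not in KNOWN_TAGS:
            return False
    want = "issuewild" if wildcard else "issue"
    props = [v for _, t, v in records if t == want]
    if wildcard and not props:  # issuewild absent: fall back to issue
        props = [v for _, t, v in records if t == "issue"]
    if not props:
        return True  # only iodef/other properties present: not restricted
    for value in props:
        issuer = value.split(";", 1)[0].strip().lower()  # drop parameters
        if issuer and issuer == ca.lower():  # ";" alone denies every CA
            return True
    return False

if __name__ == "__main__":
    for name in ("BROKEN", "CORRECT", "CRITICAL"):
        rec = parse_caa(globals()[name])
        print(name, rec, "letsencrypt.org may issue:", ca_may_issue([rec], "letsencrypt.org"))
```

The broken record is refused because its issuer string is literally "128 letsencrypt.org"; the 0 and 128 flag variants of the correct record behave identically, as the reply above explains.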