This is just a quick note so I hate myself less later over CNAMEs. I'm going to put what I consider ERRATA (following RFC parlance) at the top before delving into what I understand.
ERRATA
CAA lookups start at the name being certified and walk up toward the root, stopping at the first name that has a CAA record set (RFC 8659, section 3). So a CAA record at the final name wins over anything above it, and you can drop one in at the final A and you're good to go. It looks like this:
For issuing a TLS cert for grass.bob.com:
check "grass.bob.com" for CAA; if it has any, that is the answer and the walk stops
otherwise check "bob.com" for CAA
otherwise check "com" for CAA
the root "." itself is not queried; if nothing was found by then, no CAA policy applies
The weird thing is they support CNAME: if grass.bob.com is a CNAME to land.bob.com, the CAA query for grass.bob.com is answered by land.bob.com's CAA records, so land can carry a separate policy from bob.com and it'll be honored. It makes some sense, I guess, but you're still offloading your issuance policy to whoever controls the CNAME target. If land.bob.com belongs to a CDN or a hosting provider, they decide which CAs may issue for grass.bob.com, not the CAA record at bob.com.
CNAME stands for canonical name; it is a stand-in reference that says "the data for this name lives at that other name". You see them used all the time like so:
land.bob.com IN A 127.0.0.1
grass.bob.com IN CNAME land.bob.com
dirt.bob.com IN CNAME land.bob.com
These records say dirt and grass are just other names for land, and all three resolve to 127.0.0.1, aka home. Cool, handy for piddly deploys, but let's say bob wants a house on his grass.
land.bob.com IN A 127.0.0.1
grass.bob.com IN CNAME land.bob.com
dirt.bob.com IN CNAME land.bob.com
house.grass.bob.com IN CNAME land.bob.com
This reads like a subtree alias, and it isn't one:
grass is a node of bob, which is a node of com, and a CNAME at grass aliases exactly that one node, nothing beneath it (aliasing a whole subtree is what DNAME is for, and RFC 1034 section 3.6.2 says a CNAME must be the only data at its owner name). So house.grass.bob.com is a separate node that gets no help from the CNAME on grass; it only resolves because it has its own record. Explaining this to both bob and myself, most DNS providers will happily accept children under a CNAME, and as far as I can tell they don't walk the nodes in a way that rejects them. I'm still getting to the bottom of it and may spin up a test at some point, but keep in mind the hard rule: if you need any additional records at a name, that name can't be a CNAME. So this works:
land.bob.com IN A 127.0.0.1
grass.bob.com IN A 127.0.0.1
dirt.bob.com IN CNAME land.bob.com
house.grass.bob.com IN CNAME land.bob.com
Yes, ALIAS records and similar provider-specific types do exist and could be used at grass here, but ye be warned of the danger: they aren't standard, so they work only as far as your DNS provider's own logic takes them.
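As an added worked example (mine, not part of the original note) of both points above: a toy in-memory resolver over a constructed bob.com zone that follows CNAME chains the way a real resolver does, with the RFC 8659 RelevantCAASet walk built on top of it. The zone data, the CA identifiers ca-a.example and ca-b.example, and the names shed.grass.bob.com, loop1.bob.com and loop2.bob.com are made up for the demo.

```python
# Added example, not code from the original note. A constructed bob.com zone
# is used to show (1) that a CNAME aliases exactly one name, not the names
# beneath it, and (2) the RFC 8659 section 3 CAA lookup: climb from the
# requested name toward the root, following CNAMEs at every step, and stop at
# the first name that has a CAA RRset. All names, CA identifiers and
# addresses are invented for the demo.

ROOT = "."

# Constructed zone data: owner name -> {rrtype: [rdata, ...]}.
# grass and house are CNAMEs to land, as in the "house on the grass" layout;
# land carries its own CAA policy, distinct from the one at bob.com.
ZONE = {
    "bob.com.":             {"A": ["127.0.0.1"], "CAA": ['0 issue "ca-a.example"']},
    "land.bob.com.":        {"A": ["127.0.0.1"], "CAA": ['0 issue "ca-b.example"']},
    "grass.bob.com.":       {"CNAME": ["land.bob.com."]},
    "dirt.bob.com.":        {"CNAME": ["land.bob.com."]},
    "house.grass.bob.com.": {"CNAME": ["land.bob.com."]},
    # deliberate CNAME loop, to show why the chase must be bounded
    "loop1.bob.com.":       {"CNAME": ["loop2.bob.com."]},
    "loop2.bob.com.":       {"CNAME": ["loop1.bob.com."]},
}


def parent(name):
    """Strip the leftmost label: parent("grass.bob.com.") == "bob.com."."""
    if name == ROOT:
        return ROOT
    _, _, rest = name.partition(".")
    return rest if rest else ROOT


def lookup(name, rrtype, max_hops=8):
    """Answer a query the way a resolver does: if the owner name holds a
    CNAME and something other than CNAME was asked for, follow the alias
    (bounded, so a CNAME loop raises instead of spinning) and answer from
    the target. Returns (name_that_answered, rdata_list); rdata_list is
    empty when the name has no data of that type."""
    for _ in range(max_hops):
        rrsets = ZONE.get(name, {})
        if rrtype != "CNAME" and "CNAME" in rrsets:
            # RFC 1034 3.6.2: a CNAME is the only data at its owner name,
            # so every other type is answered from the alias target.
            name = rrsets["CNAME"][0]
            continue
        return name, list(rrsets.get(rrtype, []))
    raise RuntimeError("CNAME chain too long or looping at %s" % name)


def relevant_caa(name):
    """RFC 8659 RelevantCAASet: walk from the requested name up to (but not
    including) the root and return the first non-empty CAA RRset. Because
    each CAA(X) query follows CNAMEs, an aliased name inherits the policy of
    whatever the alias points at. Returns (name_whose_caa_applied, rdata)."""
    while name != ROOT:
        answered_at, caa = lookup(name, "CAA")
        if caa:
            return answered_at, caa
        name = parent(name)
    return ROOT, []


if __name__ == "__main__":
    for n in ("bob.com.", "grass.bob.com.", "house.grass.bob.com.",
              "shed.grass.bob.com.", "other.bob.com."):
        print("CAA policy for %-22s comes from %s: %s" % ((n,) + relevant_caa(n)))
    # The alias at grass covers only grass: a child with no record of its own
    # gets nothing, even though grass itself answers with land's address.
    print("grass A  ->", lookup("grass.bob.com.", "A"))
    print("shed  A  ->", lookup("shed.grass.bob.com.", "A"))
```

Two things fall out of running it. grass.bob.com and anything aliased to land.bob.com get land's CAA policy (ca-b.example), not the one at bob.com, so whoever controls land.bob.com controls issuance for every name pointed at it. And shed.grass.bob.com, a child of the CNAME with no record of its own, resolves to nothing for A, while its CAA walk still climbs through grass and follows the alias to land: the CNAME does not cover the subtree for ordinary records, but the parent-climbing CAA lookup still passes through it.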