A client was about to renew one of their SSL certificates and the provider asked them to add a CAA DNS record for that provider. The client already had a CAA DNS record for another provider in their domain, because they were using different SSL certificate providers for different purposes in their organization.
The CAA DNS record for the provider in question was added, but the provider said they couldn't issue the certificate as long as another CAA DNS record was present. The provider claimed there can only be one CAA DNS record in the domain.
The provider may be correct in the sense that their own system can't handle multiple CAA records, but multiple CAA records are not a violation of the RFC! It is simply the provider that can't handle it and makes it the customer's problem.
This might be a simple way of obstructing the client from using the provider's competitors, but the provider is not correct in their statement. According to RFC 8659 there is no limit on the number of CAA DNS records in one domain: a CA is authorized as soon as one issue record in the relevant record set names it, and records naming other CAs are simply not relevant to that CA. The provider should just look for their own CAA DNS record among the client domain's DNS records and ignore competitors' records.
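To make the point concrete, here is a minimal RFC 8659 evaluation run against a constructed in-memory zone. It is an added example, not code from the post or from any provider; the zone contents, the CA names (`ca-one.example`, `ca-two.example`) and the parameter text are placeholders, and it assumes the asterisk label of a wildcard name is stripped before the lookup and that CNAMEs are not involved.

```python
# Constructed zone: name -> list of (flags, tag, value). CA names are placeholders.
# example.com carries two issue records for two different CAs, which RFC 8659 allows.
ZONE = {
    "example.com": [
        (0, "issue", "ca-one.example"),
        (0, "issue", "ca-two.example; policy=placeholder"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [
        (0, "issuewild", ";"),  # empty issuer name: forbid wildcard issuance here
    ],
}

def relevant_rrset(zone, fqdn):
    """Climb from fqdn toward the root; the first name holding any CAA records
    is the relevant RRset (RFC 8659 section 3; CNAMEs are ignored here)."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return zone[name]
    return []

def caa_permits(zone, fqdn, ca_domain):
    """Return True if ca_domain may issue for fqdn under the relevant CAA set."""
    wildcard = fqdn.startswith("*.")
    # Assumption: the "*." label is stripped before searching for the RRset.
    rrset = relevant_rrset(zone, fqdn[2:] if wildcard else fqdn)
    known = {"issue", "issuewild", "iodef"}
    # A critical record (flag bit 128) with a tag we do not understand forbids issuance.
    if any(flags & 128 and tag.lower() not in known for flags, tag, _ in rrset):
        return False
    # For wildcard names, issuewild takes precedence when present; else issue applies.
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    restricting = [v for _, t, v in rrset if t.lower() == tag]
    if not restricting:
        return True  # no restricting property in the relevant set: not subject to CAA
    # Each value is "<issuer-domain-name>[; parameters]"; an empty name matches no CA.
    for value in restricting:
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer and issuer == ca_domain.lower():
            return True
    return False
```

Both CAs listed at `example.com` are authorized for `www.example.com`, a third CA is not, and the issuewild record at `shop.example.com` only affects wildcard requests under that label.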