boto / boto3

AWS SDK for Python
https://aws.amazon.com/sdk-for-python/
Apache License 2.0

Unable to add a CAA record when a CNAME already exists #1475

Closed nullify005 closed 6 years ago

nullify005 commented 6 years ago

Hi There,

I'm attempting to make a CAA record for a name which already has a CNAME present & am being rejected by the AWS API.

Specifically I have:

www.thing.domain 60 IN CNAME something.else.whatever

And I want to add a CAA to the same place:

www.thing.domain 1 IN CAA 0 issue "some.fake.issuer"

The error I'm getting is:

ClientError: An error occurred (InvalidChangeBatch) when calling the ChangeResourceRecordSets operation: RRSet of type CAA with DNS name www.thing.domain. is not permitted because a conflicting RRSet of type  CNAME with the same DNS name already exists in zone thing.domain.

I get why you might encounter this if you're trying to put an A on the same spot, but not a CAA which I would have thought would be allowed since it's an entirely different type.

I want to have different CAA records for the APEX and some entries within the domain, such as www etc. since the www points to a hosting provider (for instance) & they use a different CA for their SSL certificates.

Is this by design or a bug, or should I be attempting to do something different?

I don't think I can make www a full on delegated domain because then I'll have issues with directing the APEX off to the hosting provider as an ALIAS record since it's not an AWS resource.

Help?

dstufft commented 6 years ago

This is really a question for the service team itself, which you can ask them at https://forums.aws.amazon.com/forum.jspa?forumID=87; however, I'm pretty sure this is because the RFC for DNS disallows any other record type to exist at the same level as a CNAME.
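The rule dstufft refers to is RFC 1034 section 3.6.2 (a CNAME owner name may hold no other data), and the practical consequence for the per-name CAA goal is decided by how CAs look CAA up (RFC 8659 section 3: follow the CNAME, then climb towards the root from the queried name). The following is an added example, not code from boto3 or from either commenter; it works on a constructed in-memory snapshot shaped like `list_resource_record_sets` output, and the CNAME target's CAA record and the CA names are hypothetical.

```python
# Constructed DNS view: the Route 53 zone from the issue plus the CNAME target's
# own (hypothetical) records. RRset dicts follow the shape boto3's
# list_resource_record_sets returns (trailing-dot Name, Type, ResourceRecords).
DNS = {
    "thing.domain.": [
        {"Type": "CAA", "ResourceRecords": [{"Value": '0 issue "apex-ca.example"'}]},
    ],
    "www.thing.domain.": [
        {"Type": "CNAME", "ResourceRecords": [{"Value": "something.else.whatever."}]},
    ],
    "something.else.whatever.": [
        {"Type": "CAA", "ResourceRecords": [{"Value": '0 issue "hosting-ca.example"'}]},
    ],
}

def values(dns, name, rtype):
    """All record values of one type at an exact owner name ([] if none)."""
    return [rr["Value"] for rs in dns.get(name, []) if rs["Type"] == rtype
            for rr in rs["ResourceRecords"]]

def change_conflict(dns, name, rtype):
    """The RFC 1034 rule behind Route 53's InvalidChangeBatch above: an owner
    name holding a CNAME may hold no other RRset, whatever its type."""
    if rtype != "CNAME" and values(dns, name, "CNAME"):
        return f"{name} already holds a CNAME; a {rtype} RRset cannot coexist"
    if rtype == "CNAME" and any(rs["Type"] != "CNAME" for rs in dns.get(name, [])):
        return f"{name} already holds other RRsets; a CNAME cannot coexist"
    return None

def caa_query(dns, name, max_hops=8):
    """CAA(X) per RFC 8659: an ordinary lookup, so CNAMEs are followed."""
    for _ in range(max_hops):
        target = values(dns, name, "CNAME")
        if not target:
            return values(dns, name, "CAA")
        name = target[0]
    return []  # CNAME loop or over-long chain: treat as no answer

def relevant_caa(dns, name):
    """RelevantCAASet per RFC 8659 section 3: climb towards the root from the
    queried name (not from the CNAME target) until some CAA set is found."""
    while name != ".":
        caa = caa_query(dns, name)
        if caa:
            return name, caa
        name = name.split(".", 1)[1] or "."
    return None, []
```

So with www as a CNAME, the CA consults whatever CAA the hosting provider publishes at the target, and only if that is empty does it fall back to the apex CAA of thing.domain; the CAA the poster wanted to place at www would never be the one consulted even if Route 53 accepted it.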