sesh / ready

Are you production ready?
ISC License

CAA record fail for subdomain (such as 'www') when defined for domain as a whole? #20

Closed mejofi closed 5 months ago

mejofi commented 5 months ago

Version: 1.2.1

It looks like the "DNS CAA should be enabled" test does not climb the DNS tree, as is specified in the spec:

The search for a CAA RRset climbs the DNS name tree from the specified label up to, but not including, the DNS root "." until a CAA RRset is found.

https://datatracker.ietf.org/doc/html/rfc8659#section-3-3

This means that, if the test is run for a subdomain while CAA records are present for the domain itself, it registers as a FAIL, even though, if I am reading the spec correctly, it should pass?

Example: when testing 'www.ur.nl', it fails like this:

[FAIL] DNS CAA should be enabled (['ur.nl.', '0 issue "digicert.com"', '0 issue "letsencrypt.org"', '0 issue "sectigo.com"'])

sesh commented 5 months ago

Thank you for calling this out.

I've resolved this by filtering the records that are checked to only the CAA records. Testing on www.ur.nl (and www.brntn.me) is working for me:

> python3 -m ready.ready www.ur.nl --check-filter=caa --request-filter=caa
Domain: www.ur.nl, Domain (no path): www.ur.nl, First Level Domain: ur.nl
[ OK ] DNS CAA should be enabled (['0 issue "digicert.com"', '0 issue "letsencrypt.org"', '0 issue "sectigo.com"'])
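For readers who want to see the two points of this thread in code, the RFC 8659 section 3 climb (query the label, then each parent, stopping before the root, until a CAA RRset is found) and the fix of only looking at CAA-typed records when a mixed answer comes back, here is a standalone worked example. It is added for this issue and is not code from the `ready` project; the `ZONE` table, the `parse_caa`/`relevant_caa`/`ca_permitted` names and the `nocaa.example.` owner are constructed for the example, and no real DNS queries are made. The `ca_permitted` helper goes one step beyond the thread and applies the `issue`/`issuewild` property rules from RFC 8659 section 4 to the RRset that the climb returns.

```python
"""RFC 8659 section 3 CAA lookup, illustrated offline.

Example code added for this issue thread; not part of the `ready` project.
All DNS data is a constructed in-memory table standing in for answer sections.
"""

from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed answer data, keyed by owner name.  Each owner carries a mixed
# list of (rtype, rdata) so the "only consider CAA records" filter matters;
# the original FAIL came from a non-CAA element ('ur.nl.') in the checked list.
ZONE = {
    "www.ur.nl.": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    "ur.nl.": [
        ("NS", "ns1.example."),
        ("CAA", '0 issue "digicert.com"'),
        ("CAA", '0 issue "letsencrypt.org"'),
        ("CAA", '0 issue "sectigo.com"'),
    ],
    "brntn.me.": [("CAA", '0 issue "letsencrypt.org"')],
    "nocaa.example.": [("A", "192.0.2.20")],  # no CAA anywhere up the tree
}


def parse_caa(rdata: str) -> CAA:
    """Parse presentation-format rdata: '<flags> <tag> "<value>"'."""
    flags, tag, value = rdata.split(" ", 2)
    return CAA(int(flags), tag.lower(), value.strip('"'))


def caa_records_at(owner: str) -> List[CAA]:
    """Return only the CAA-typed records at one owner (the filter in the fix)."""
    return [parse_caa(rd) for rtype, rd in ZONE.get(owner, []) if rtype == "CAA"]


def climb(name: str) -> Iterator[str]:
    """Yield the name and each ancestor up to, but not including, the root."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa(name: str) -> Tuple[Optional[str], List[CAA]]:
    """RFC 8659 s.3: the first non-empty CAA RRset found while climbing.

    Returns (owner_where_found, records); (None, []) if nothing is found.
    An owner with no CAA records does not stop the climb.
    """
    for owner in climb(name):
        rrset = caa_records_at(owner)
        if rrset:
            return owner, rrset
    return None, []


def ca_permitted(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Apply the issue/issuewild rules (RFC 8659 s.4) to the relevant RRset.

    No relevant RRset means issuance is unrestricted.  For wildcard names
    'issuewild' takes precedence; if absent, 'issue' applies.  A present
    property whose value names no CA (e.g. 'issue ";"') forbids issuance.
    """
    _, rrset = relevant_caa(name)
    if not rrset:
        return True
    props = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    if not props:
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True  # CAA present but no issue property: any CA may issue
    # The issuer domain is the part before any ";param=value" list.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in props}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    owner, rrset = relevant_caa("www.ur.nl")
    print(f"www.ur.nl -> CAA found at {owner}: {[r.value for r in rrset]}")
    print("letsencrypt.org allowed:", ca_permitted("www.ur.nl", "letsencrypt.org"))
    print("nocaa.example. restricted:", relevant_caa("nocaa.example.")[0] is not None)
```

The check a tool like the one in this thread wants is the `relevant_caa` result, not the records at the exact queried label: `www.ur.nl` has no CAA of its own, the climb finds the RRset at `ur.nl.`, and that is what should be reported as OK. Note that a name whose own CAA RRset is empty (as `www.ur.nl.` is here) is deliberately passed over rather than treated as "CAA present but empty".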