
SSL Certificate Renewals Fail for Subdomains of Tracker Domains

Publication date: Apr 15, 2026
Description

This issue occurs under the following conditions:

1) A tracker domain is configured in Account Engagement (e.g., go.company.com)

2) The customer creates a subdomain of that tracker domain (e.g., marketing.go.company.com) for purposes outside of Account Engagement (i.e., the subdomain is not configured in Account Engagement)

3) The customer uses their own Certificate Authority to attempt to obtain or renew an SSL certificate for that subdomain.
Account Engagement publishes CAA (Certificate Authority Authorization) records for tracker domains to manage SSL/TLS certificate issuance, and these CAA records apply to a domain and all its subdomains. When a customer creates their own subdomain under a tracker domain that is configured in Account Engagement (e.g., subdomain.go.customercompany.com where go.customercompany.com is the tracker domain), the Account Engagement CAA record restricts which certificate authorities can issue certificates for that subdomain.

 

Impact:

  • Customers cannot obtain SSL/TLS certificates from their preferred CA for subdomains created under tracker domains

  • Existing certificates for these subdomains may fail to renew

  • Customers cannot override the CAA record for their subdomain due to DNS limitations (for example, CAA records cannot be added to a CNAME)
Solution

Do not create subdomains under your Account Engagement tracker domain. If you need additional domains or subdomains for other purposes, create them as separate domains or under a different parent domain that you fully control.
Example:

  • Correct: Tracker domain: go.customercompany.com, Separate subdomain: app.customercompany.com

  • Avoid: Tracker domain: go.customercompany.com, Subdomain of tracker: app.go.customercompany.com
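
The CAA lookup a certificate authority performs before issuing (RFC 8659), run against the Correct and Avoid names above. This is an added example, not Salesforce code. It assumes the tracker domain is a CNAME to a vendor host that publishes the CAA record; tracker.vendor.example, vendor-ca.example, customer-ca.example and the IP addresses are constructed placeholders, not Account Engagement's real values. Wildcard (issuewild) handling is left out.

```python
# Constructed DNS data: every value here is a placeholder for illustration.
ZONE = {
    "go.customercompany.com": {"CNAME": "tracker.vendor.example"},
    "tracker.vendor.example": {"CAA": [(0, "issue", "vendor-ca.example")]},
    "app.go.customercompany.com": {"A": ["203.0.113.10"]},
    "app.customercompany.com": {"A": ["203.0.113.11"]},
}

def caa_at(name, zone, max_hops=8):
    """CAA RRset a resolver returns for `name`, following CNAME aliases."""
    for _ in range(max_hops):
        rrsets = zone.get(name, {})
        if "CAA" in rrsets:
            return rrsets["CAA"]
        if "CNAME" not in rrsets:
            return []
        name = rrsets["CNAME"]  # the alias target answers for this name
    return []  # alias chain too long: treat as no answer

def relevant_caa(fqdn, zone):
    """RFC 8659 climb: first non-empty CAA RRset from fqdn toward the root."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = caa_at(name, zone)
        if rrset:
            return name, rrset
    return None, []

def may_issue(fqdn, ca_id, zone):
    """Return (allowed, name where the governing CAA RRset was found)."""
    found_at, rrset = relevant_caa(fqdn, zone)
    # Strip CAA parameters such as "; account=..." from each issue value.
    issuers = [v.split(";")[0].strip() for _, tag, v in rrset if tag == "issue"]
    if not issuers:
        return True, found_at  # no issue property: CAA does not restrict issuance
    return ca_id in issuers, found_at

if __name__ == "__main__":
    for host in ("app.go.customercompany.com", "app.customercompany.com"):
        print(host, may_issue(host, "customer-ca.example", ZONE))
```

The subdomain of the tracker has no CAA record of its own, so the climb stops at go.customercompany.com and the customer's CA is refused; the sibling name under customercompany.com never reaches that record.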

Knowledge Article Number

005316045

 