What are CAA records?
A CAA (Certification Authority Authorization) record is a DNS record that lists which certificate authorities (CAs) are allowed to issue TLS/SSL certificates for your domain. Before issuing, a publicly trusted CA looks up the CAA records for the requested name and must refuse the request if it is not listed. CAA is checked only at issuance time; browsers do not validate it, and it has no effect on certificates that have already been issued. CAA is defined in RFC 8659 (which replaced RFC 6844). See the RFC here.
CAA lookups walk up the DNS tree: when a CA checks lemonade.financial.com and finds no CAA records there, it looks at financial.com, then at the next parent, and so on towards the root, and the first CAA record set it finds is the only one that applies. A record added to a parent zone (e.g., financial.com) therefore governs every subdomain that has no CAA records of its own (e.g., lemonade.financial.com), and adding one at the parent can quickly break certificate issuance for its children.
What's the Risk of adding CAA records?
Cloudflare's auto-renewing certificates are issued by a small set of CAs that Cloudflare chooses. If your CAA records do not list those issuers, the CA will refuse Cloudflare's renewal request. Because CAA is only consulted at issuance, nothing breaks immediately: the current certificate keeps working until it expires, and then the site goes down. LemonadeLXP does not control your DNS zone and cannot fix this for you; the records have to be corrected on your side.
What CAA records do I need to add, to ensure that Cloudflare can continue issuing SSL certificates for me?
Please see this article (maintained by Cloudflare) for the most recent list of SSL issuers.
What happens if Cloudflare changes its issuers?
When you run a domain on Cloudflare with CAA records configured, you are responsible for keeping those records current. CAA records restrict which CAs may issue for your domain, so if Cloudflare switches to a different CA and your records do not list the new issuer, the renewal request will be refused and the site will go down when the current certificate expires.

To prevent this, add any new issuer to your CAA records before the reissuance happens. Cloudflare may change issuers without notifying individual customers, so we strongly recommend running your own monitoring that records the issuer and expiry date of the certificate actually served for your domain and compares that issuer against your CAA records. A change then shows up early, while the current certificate is still valid, and you can update the records before renewal is attempted.
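Added example (not code from LemonadeLXP or Cloudflare): a Python script that evaluates CAA records the way a CA does under RFC 8659, walking from the requested name up to the first name that has CAA records, so the parent/child behaviour described under "What are CAA records?" can be tested, and then checks a certificate's issuer and expiry against that policy as the monitoring above calls for. The zone data, the certificate dictionary (shaped like what `ssl.SSLSocket.getpeercert()` returns), the issuer domains and the mapping from issuer organization to CAA domain are all constructed for the example; substitute Cloudflare's published issuer list and your own zone for real use.

```python
"""CAA evaluation (RFC 8659 lookup and issue/issuewild semantics) plus an
issuer-and-expiry check on a getpeercert()-style certificate dictionary.
All zone data, issuer domains and the certificate below are constructed samples."""
import socket
import ssl
from datetime import datetime, timezone

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # flag bit: a CA that does not understand the tag must not issue

# Constructed zone: name -> CAA records as (flags, tag, value). The issuer
# domains are illustrative; use Cloudflare's published list for a real zone.
SAMPLE_CAA = {
    "financial.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "digicert.com; cansignhttpexchanges=yes"),
        (0, "issuewild", ";"),  # nobody may issue wildcard certificates
        (0, "iodef", "mailto:security@financial.com"),
    ],
    # A child with its own CAA set is governed by that set alone.
    "legacy.financial.com": [(0, "issue", "globalsign.com")],
}


def relevant_caa_set(name, zone):
    """RFC 8659 section 3: drop a leading '*.', then walk towards the root;
    the first name that has CAA records is the relevant set. Returns (owner, records)."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, list(zone[owner])
    return None, []


def parse_issuer_value(value):
    """'digicert.com; policy=ev' -> ('digicert.com', {'policy': 'ev'}); ';' -> ('', {})."""
    parts = [p.strip() for p in value.split(";")]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0].lower(), params


def issuance_permitted(name, issuer_domain, zone):
    """Would a CA identified by issuer_domain be allowed to issue for name?"""
    _, records = relevant_caa_set(name, zone)
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False  # unknown critical property: the RFC says refuse
    tags = {tag.lower() for _, tag, _ in records}
    # issuewild overrides issue for wildcard names and is ignored otherwise;
    # a wildcard name with no issuewild falls back to the issue properties.
    wanted = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    relevant = [v for _, tag, v in records if tag.lower() == wanted]
    if not relevant:
        return True  # no applicable property: CAA imposes no restriction
    return any(parse_issuer_value(v)[0] == issuer_domain.lower() for v in relevant)


# Constructed, shaped like ssl.SSLSocket.getpeercert() returns for a live host.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "lemonade.financial.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R11"),),
    ),
    "notAfter": "Jul 30 23:59:59 2030 GMT",
}

# Assumed mapping from an issuer organization name to the domain that CA
# recognises in CAA records; confirm against each CA's documentation.
ORG_TO_CAA_DOMAIN = {"Let's Encrypt": "letsencrypt.org", "DigiCert Inc": "digicert.com"}


def issuer_field(cert, key="organizationName"):
    for rdn in cert.get("issuer", ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def days_to_expiry(cert, now=None):
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live version for a real monitor; the offline sample run does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def audit(hostname, cert, zone, warn_days=30, now=None):
    """The two things a monitor should alert on: a CAA set that would block
    renewal by the current issuer, and a certificate close to expiry."""
    findings = []
    org = issuer_field(cert)
    caa_domain = ORG_TO_CAA_DOMAIN.get(org)
    if caa_domain is None:
        findings.append(f"issuer changed to unmapped organization {org!r}; review CAA records")
    elif not issuance_permitted(hostname, caa_domain, zone):
        findings.append(f"CAA for {hostname} does not permit {caa_domain}; renewal will fail")
    days = days_to_expiry(cert, now)
    if days <= warn_days:
        findings.append(f"certificate for {hostname} expires in {days} days")
    return findings


if __name__ == "__main__":
    for line in audit("lemonade.financial.com", SAMPLE_PEER_CERT, SAMPLE_CAA,
                      now=datetime(2030, 7, 1, tzinfo=timezone.utc)):
        print(line)
```

To run this against a live host, replace SAMPLE_PEER_CERT with fetch_peer_cert(hostname) and SAMPLE_CAA with the CAA records your resolver returns for the zone. An empty findings list is the healthy state; anything non-empty is what the monitor should alert on, and an "unmapped organization" finding is the signal that Cloudflare's issuer has changed and the CAA set needs a manual review.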
