From dade82706a603672f96f47281288e10a22f72f4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Ba=C4=8Do?=
Date: Tue, 5 Aug 2025 13:38:56 +0200
Subject: [PATCH] Fix caa records inheritance
---
 src/Appwrite/Network/Validator/DNS.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/Appwrite/Network/Validator/DNS.php b/src/Appwrite/Network/Validator/DNS.php
index 7549d18f54..479a773609 100644
--- a/src/Appwrite/Network/Validator/DNS.php
+++ b/src/Appwrite/Network/Validator/DNS.php
@@ -65,9 +65,18 @@ class DNS extends Validator
 }
 if (empty($query)) {
- // No CAA records means anyone can issue certificate
+ // CAA records inherit from parent (custom CAA behaviour)
 if ($this->type === self::RECORD_CAA) {
- return true;
+ if (\substr_count($value, ".") === 1) {
+ return true; // No CAA on apex domain means anyone can issue certificate
+ }
+ // Recursive validation by parent domain
+ $parts = \explode('.', $value);
+ \array_shift($parts);
+ $parentDomain = \implode('.', $parts);
+ $validator = new DNS(System::getEnv('_APP_DOMAIN_TARGET_CAA', ''), DNS::RECORD_CAA);
+ return $validator->isValid($parentDomain);
 }
 return false;
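Review bot: The stop condition `\substr_count($value, ".") === 1` in the new CAA branch matches only a name with exactly one dot, so a value with no dot (a single label or the empty string) falls through to the parent walk, where `explode`/`array_shift`/`implode` produce `''`, whose parent is again `''`; unless an earlier check in `isValid` (its body starts outside this hunk) rejects such values, the recursion never terminates. If `$value` can come from user input I would bound it with `if (\substr_count($value, '.') <= 1) {`. The parent check also builds a fresh validator from `_APP_DOMAIN_TARGET_CAA` rather than the target this instance was constructed with, so an instance created with a different target evaluates the parent against the environment value; `return $this->isValid($parentDomain);` would keep the two in agreement, assuming `isValid` holds no per-call state. It is also worth confirming that `empty($query)` is reached only for a genuinely empty answer and not for a failed lookup, since this branch reads it as "no CAA restriction" and a resolver error should not count as permission to issue.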