To configure the Vanta Trust Center (a publicly available page listing a client's Certifications and Controls, usually hosted at trust.client.tld), Vanta requires customers to compromise on their DNS CAA configuration.

As their screenshots show, they ask you setup a CNAME from e.g. trust.customer.com to their abc123.cname.vantatrust.com.

However, if you are using CAA [1] on your root domain (to limit which Certificate Authorities are allowed to issue certificates for your domain), they _require_ you to add 4 (FOUR) new CAA records to your root domain. (shown at the bottom of the linked page)

The correct solution would be to simply publish CAA records at the destination that the CNAME is pointing to (abc123.cname.vantatrust.com)

I've brought this up with their support multiple times; but they're refusing to even acknowledge that this is a problem. They're claiming I am the first customer to ever bring this up; and that I should just add the records on my root domain - completely missing that fact that thereby I'm basically undermining what CAA is for.

I would understand it, if this was some random tool, but this specifically is a GRC Tool.

If you are another Vanta customer or have any other idea what I can do to approach this, please let me know. I want to use their tool. It's a good system and helping us out - I'm just refusing to actively downgrade our Security - for our SECURITY TOOL!

1) https://en.wikipedia.org/wiki/DNS_Certification_Authority_Au...