From 7ef0705984dd1d24530533b5ac374e2e504654cb Mon Sep 17 00:00:00 2001
From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com>
Date: Thu, 23 Oct 2025 07:05:39 +0200
Subject: [PATCH] [PR #10956/4c7be8f2 backport][stable-11] cloudflare_dns:
 rollback validation for CAA records (#10957)

cloudflare_dns: rollback validation for CAA records (#10956)

* cloudflare_dns: rollback validation for CAA records

* add changelog frag

(cherry picked from commit 4c7be8f268d72cad7f36e68b1f1971b9b06c41b9)

Co-authored-by: Alexei Znamensky <103110+russoz@users.noreply.github.com>
---
 changelogs/fragments/10934-cloudflare-dns-caa-bug.yml | 2 ++
 plugins/modules/cloudflare_dns.py                     | 9 ++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/10934-cloudflare-dns-caa-bug.yml

diff --git a/changelogs/fragments/10934-cloudflare-dns-caa-bug.yml b/changelogs/fragments/10934-cloudflare-dns-caa-bug.yml
new file mode 100644
index 0000000000..e40acc30f4
--- /dev/null
+++ b/changelogs/fragments/10934-cloudflare-dns-caa-bug.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - cloudflare_dns - roll back changes to CAA record validation (https://github.com/ansible-collections/community.general/issues/10934, https://github.com/ansible-collections/community.general/pull/10956).
diff --git a/plugins/modules/cloudflare_dns.py b/plugins/modules/cloudflare_dns.py
index c8c5d92be2..84088f593d 100644
--- a/plugins/modules/cloudflare_dns.py
+++ b/plugins/modules/cloudflare_dns.py
@@ -931,7 +931,7 @@ def main():
             ('state', 'absent', ['record']),
             ('type', 'SRV', ['proto', 'service']),
             ('type', 'TLSA', ['proto', 'port']),
-            ('type', 'CAA', ['flag', 'tag', 'value']),
+            ('type', 'CAA', ['flag', 'tag']),
         ],
         required_together=[
             ('account_api_key', 'account_email'),
@@ -963,8 +963,11 @@ def main():
             module.fail_json(msg="For TLSA records the params cert_usage, selector, hash_type and value all need to be defined, or not at all.")
 
     if module.params['type'] == 'CAA':
-        if not module.params['value'] == '':
-            module.fail_json(msg="For CAA records the params flag, tag and value all need to be defined.")
+        if not ((module.params['flag'] is not None and module.params['tag'] is not None
+                 and not (module.params['value'] is None or module.params['value'] == ''))
+                or (module.params['flag'] is None and module.params['tag'] is None
+                    and (module.params['value'] is None or module.params['value'] == ''))):
+            module.fail_json(msg="For CAA records the params flag, tag and value all need to be defined, or not at all.")
 
     if module.params['type'] == 'DS':
         if not ((module.params['key_tag'] is not None and module.params['algorithm'] is not None and module.params['hash_type'] is not None