Due to the way CNAME records work, any subdomain with a CNAME record of cname.vercel-dns.com will automatically use the predefined CAA records from this record.
Vercel cannot change the CAA records on cname.vercel-dns.com and add your custom CAA records. Instead you will need to follow the instructions below.
How can I change the CAA records when using the CNAME record?
The CAA records set on our cname.vercel-dns.com record are configured to allow our platform to issue Vercel certificates with as little changes as possible for all custom domains.
Non-Enterprise customers cannot upload SSL certificates to the Vercel platform, so generating SSL certificates are not usually required. You should review the intended purpose of this certificate before trying to change any CAA records.
If you're trying to issue SSL certificates for another platform, then you can remove the Vercel CNAME record and point the domain to your intended hosting platform. For example, if you're trying to create an Amazon SSL certificate for an AWS endpoint, you should first change your CNAME record to point to Amazon, this way it won't use our CAA records.
If you're using the certificate for multiple hosting providers, a proxy solution or have a UCC/SAN certificate with one of the SAN's using our CNAME, then you will need to remove the cname.vercel-dns.com record and replace it with an A record of 76.76.21.21. Once created, you can then either set your CAA record at this level or leave blank and set at apex level. See Can I use my domain on Vercel with A records? for more information.
NOTE: If you specify CAA records and use Vercel, you must include 0 issue "letsencrypt.org" to allow our platform to also issue certificates.