The CAA validator will follow the first CNAME, even if multiple CNAMES are returned.
For example, consider the fictional query:
> dig foo.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> foo.com
;; global options: +cmd
;; Got answer:
>>HEADER<< opcode: QUERY, status: NOERROR, id: 51847
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;foo.com IN A
;; ANSWER SECTION:
foo.com. 276 IN CNAME foo2.com.
foo2.com 276 IN CNAME foo3.com.
foo.com. 59 IN A 22.214.171.124
Currently we extract the target of the first CNAME (foo2.com) and make a new CAA query.
What we should do is to order the CNAMEs in a list like this
foo.com => foo2.com => foo3.com
take the tail of that list and perform a CAA query there.
If DNS servers always returns CNAMEs in order we would simply take the last CNAME from the response message and perform the query on that one.