UPDATE: Since we actually need the cert for xxx.mydomain.com, I have added some xxx.mydomain.com NS records pointing to google cloud DNS! I can now get:
$ dig xxx.mydomain.com CAA
xxx.mydomain.com. 300 IN CAA 0 issue "letsencrypt.org"
xxx.mydomain.com. 300 IN CAA 0 issuewild "\;"
However, this does not work :
Failed authorization procedure. xxx.mydomain.com (http-01):
urn:acme:error:connection :: The server could not connect to the client
to verify the domain :: DNS problem: query timed out looking up CAA for
- The following errors were reported by the server:
Detail: DNS problem: query timed out looking up CAA for
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I was able to add the NS records for xxx, but not for the whole domain
Why does boulder query both the subdomain and the domain? Is this a bug?
Indeed there is no need to create a CAA record, if you don't care about who can issue certs for your domain you can avoid to create a CAA record, the only thing Let's Encrypt needs is a DNS answer like NXDOMAIN or NOERROR. An answer of SERVFAIL or a timeout is a fail to issue your certificate.
As Let's Encrypt doesn't issue wildcard certs there is no need to create the CAA record with option issuewild.
I didn't read completely the RFC6844 nor the CABFORUM's Baseline Requirements Draft to know whether it is allowed to do want you are trying so the best answer should be provided by one of the boulder developers. @jsha, could you please be so kind to take a look into this issue?.
Edit: I forgot to comment this.
Maybe your ISP wants to know this: from 2017-Sep-8 the CAs MUST check the CAA records before they can issue a cert for the domain.
220.127.116.11. CAA Records
This section is effective as of 8 September 2017.
As part of the issuance process, the CA MUST check for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued, according to the procedure in RFC 6844, following the processing instructions set down in RFC 6844 for any records found.
It's true that Let's Encrypt only needs an NXDOMAIN or NOERROR to issue, but if that's the case, you need to return NXDOMAIN or NOERROR from every FQDN that gets looked up: www.example.com, example.com, and com. In @nonZero's case, where you want to "hide" a broken NS at example.com, you do indeed need to create a CAA record at www.example.com. That will tell CA's that they can stop climbing the DNS tree when they see it.