Hmmmm.
Namebright's DNS servers do an assortment of invalid and incorrect things. Sometimes that includes returning NOTIMP.
For example: http://dnsviz.net/d/sixclothing.com/WYn9Vg/dnssec/
There are two different matters: What Namebright's authoritative nameservers return, and what your (or Let's Encrypt's) recursive nameserver returns.
I don't think Namebright ever returns SERVFAIL.
When a recursive nameserver encounters a variety of error conditions (invalid DNSSEC, authoritative nameserver is down, NOTIMP, REFUSED, &c), the recursive nameserver will return SERVFAIL to the client.
When the Let's Encrypt validation server, or your local resolver, returns SERVFAIL to you, it's usually not because that's literally what the authoritative server said.
Unpersuasive. There's nothing, as far as I know, difficult about "parsing" an unrecognized record type. It's just a number. A reasonable nameserver will handle it properly, usually with a valid "no such record" response.
On top of that, there is a widely supported standard for making nameservers not only interpret but serve responses to record types that were not explicitly supported and may not even have existed when the server was written! The SSLMate CAA generator demonstrates how to use it, for example.
Also, the "new" spec was published in 2013. January 2013. The first draft was published in 2010, though it was quite different at that time, and the numbers were probably assigned in 2012-2013.
I won't bet my hat on this, but you could quite possibly deploy a BIND beta from literally 15 years ago -- a decade before the CAA RFC was published -- and use CAA via RFC 3597. (I honestly have no idea when BIND first implemented it, but 15 years ago is possible.)
Also also, that doesn't explain Namebright's numerous other protocol violations.
Also also also, "probably 95% of the public DNS servers on the internet" sounds... well.
Edit: I haven't tried to compile it, but BIND 9.2.1 (April 2002) includes RFC 3597's predecessor draft in its documentation, and the changelog seems to suggest that draft -00 was implemented in 9.1.0b1 (December 2000 probably). If anyone's feeling adventurous...
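As an added illustration of the RFC 3597 mechanism mentioned above (this is example code written for this page, not from the post, from SSLMate's generator, or from BIND; the function names are my own): it builds the wire-format RDATA of a CAA record, renders it in the generic `TYPE257 \# <length> <hex>` syntax that a nameserver with no knowledge of CAA can still load and serve, and parses that syntax back, checking the length field and rejecting truncated data.

```python
# Example code added for this page (not from the forum post or any project).
# RFC 3597 lets a zone file carry an RR of a type the server does not know
# as "TYPE<n> \# <octet count> <hex octets>"; the server just serves the bytes.
import re

CAA_TYPE = 257  # RRTYPE number assigned to CAA (RFC 6844)


def caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Wire-format CAA RDATA: flags (1 octet), tag length (1 octet), tag, value."""
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    tag_b = tag.encode("ascii")
    if not 1 <= len(tag_b) <= 255 or not re.fullmatch(rb"[A-Za-z0-9]+", tag_b):
        raise ValueError("tag must be 1-255 alphanumeric octets")
    return bytes([flags, len(tag_b)]) + tag_b + value.encode("utf-8")


def to_generic(rrtype: int, rdata: bytes) -> str:
    """Render RDATA in RFC 3597 generic presentation syntax."""
    return f"TYPE{rrtype} \\# {len(rdata)} {rdata.hex()}"


def from_generic(text: str) -> tuple[int, bytes]:
    """Parse RFC 3597 generic syntax back to (rrtype, rdata).

    Whitespace inside the hex run is allowed, as the RFC permits; the declared
    octet count must match the decoded data or the record is rejected.
    """
    m = re.fullmatch(r"TYPE(\d+)\s+\\#\s+(\d+)\s*((?:[0-9A-Fa-f\s])*)", text.strip())
    if not m:
        raise ValueError("not RFC 3597 generic syntax")
    rrtype, length = int(m.group(1)), int(m.group(2))
    rdata = bytes.fromhex(re.sub(r"\s+", "", m.group(3)))
    if len(rdata) != length:
        raise ValueError(f"length field {length} != {len(rdata)} octets present")
    return rrtype, rdata


def parse_caa(rdata: bytes) -> tuple[int, str, str]:
    """Decode CAA RDATA into (flags, tag, value), rejecting truncated data."""
    if len(rdata) < 2 or rdata[1] == 0 or len(rdata) < 2 + rdata[1]:
        raise ValueError("truncated or malformed CAA RDATA")
    tag_len = rdata[1]
    return rdata[0], rdata[2:2 + tag_len].decode("ascii"), rdata[2 + tag_len:].decode("utf-8")
```

Running `to_generic(CAA_TYPE, caa_rdata(0, "issue", "letsencrypt.org"))` gives the line you would paste into a zone on a server that predates CAA; `from_generic` and `parse_caa` take it back to the readable form.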