CAA fail for domain with no CAA record and no SERVFAIL


Hi team, we are seeing the following error returned:

403 urn:acme:error:caa: Error creating new cert :: Rechecking CAA: While processing CAA for CAA record for prevents issuance

However the domain does not appear to have a CAA record, and we don’t get a SERVFAIL when doing a query, so it’s not really clear how we can fix this. Any tips from the Boulder logs as to what might be going wrong?



unboundtest also returns no problems:

Query results for CAA

;; opcode: QUERY, status: NOERROR, id: 49502
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0



;; AUTHORITY SECTION:	0	IN	SOA 1 7200 900 1209600 86400


A CAA record exists for

0 issuewild ""
0 issue ";"
0 issuewild ""
0 iodef ""

CAA records are “inherited” by subdomains if they have no CAA record of their own. If you have sufficient control over the subdomain to add your own CAA record on it, you can get around this, but otherwise, you (or whoever controls the domain) would need to change or remove the CAA record on


As @pfg points out (thanks!) the problem is with the parent domain of "". A common point of confusion with UnboundTest is that it doesn’t implement the CAA checking algorithm that Boulder uses, it only recreates single queries. This makes sense since it’s a vanilla Unbound instance and Unbound wouldn’t have any need to implement the CAA checking algorithm defined for CAs since it isn’t a CA :slight_smile: To match Boulder’s CAA enforcement you need to manually drive UnboundTest to do a series of queries the same way that Boulder does. E.g. one for and then one for


I think we still have some work to do with this error message. I would have expected it to say:

“Error creating new cert :: Rechecking CAA: While processing CAA for CAA record for prevents issuance”

I opened for this to try and iterate. Apologies, I thought we had fixed this better in
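The "series of queries" Boulder performs, as an added example that is not Boulder's code nor part of this thread: a Python model of the RFC 8659 CAA lookup run against constructed in-memory zone data (example.net, example.org and similar are placeholders, not the poster's domains). `lookup_caa` is the single query unboundtest reproduces, which returns an empty answer for the subdomain; `relevant_caa_set` climbs toward the root the way a CA must, finds the parent's `issue ";"`, and `caa_permits` turns that into the "prevents issuance" decision. CNAME chasing, DNSSEC and SERVFAIL handling, which a real CA also has to do, are left out.

```python
"""Added example: CAA "tree climbing" per RFC 8659 section 3 over constructed
zone data. Not Boulder's implementation; all names below are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) = issuer critical
    tag: str     # issue / issuewild / iodef / ...
    value: str


KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data standing in for the DNS (hypothetical names).
ZONE = {
    "example.net.": [
        CAARecord(0, "issue", ";"),       # empty issuer domain: no CA may issue
        CAARecord(0, "issuewild", ""),    # same for wildcard names
        CAARecord(0, "iodef", "mailto:hostmaster@example.net"),
    ],
    "ok.example.org.": [CAARecord(0, "issue", "letsencrypt.org")],
    "example.org.": [CAARecord(0, "issue", "pki.example")],
    "strict.example.org.": [CAARecord(0x80, "issue", "letsencrypt.org"),
                            CAARecord(0x80, "futuretag", "x")],
}


def canonical(name):
    return name.lower().rstrip(".") + "."


def lookup_caa(name):
    """One CAA query, i.e. what a single unboundtest run shows: the RRset for
    exactly this owner name, or [] for NOERROR with an empty answer (NODATA)."""
    return list(ZONE.get(canonical(name), []))


def relevant_caa_set(fqdn):
    """Climb from the FQDN toward the root, one query per label, stopping at
    the first owner name that has CAA records (RFC 8659 section 3).
    Returns (owner_where_found_or_None, records, names_queried_in_order)."""
    labels = canonical(fqdn).rstrip(".").split(".")
    queried = []
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        queried.append(owner)
        rrset = lookup_caa(owner)
        if rrset:
            return owner, rrset, queried
    return None, [], queried


def issuer_domain(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''"""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(fqdn, ca_domain):
    """Decide whether the CA identified by ca_domain may issue for fqdn.
    For a wildcard name the climb starts at the parent of the '*' label.
    Returns (permitted, reason)."""
    wildcard = fqdn.startswith("*.")
    owner, rrset, queried = relevant_caa_set(fqdn[2:] if wildcard else fqdn)
    if not rrset:
        return True, "no CAA records at " + " -> ".join(queried) + "; issuance permitted"
    # An unknown property flagged critical means the CA must not issue.
    for r in rrset:
        if r.flags & 0x80 and r.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property '{r.tag}' at {owner} prevents issuance"
    if wildcard:
        relevant = ([r for r in rrset if r.tag.lower() == "issuewild"]
                    or [r for r in rrset if r.tag.lower() == "issue"])
    else:
        relevant = [r for r in rrset if r.tag.lower() == "issue"]
    if not relevant:
        return True, f"CAA at {owner} carries no applicable issue/issuewild property; permitted"
    if ca_domain.lower() in {issuer_domain(r.value) for r in relevant}:
        return True, f"CAA at {owner} authorises {ca_domain}"
    props = ", ".join(f'{r.tag} "{r.value}"' for r in relevant)
    return False, f"CAA record for {owner} ({props}) prevents issuance for {fqdn}"


if __name__ == "__main__":
    for name in ("www.example.net", "*.example.net", "ok.example.org",
                 "other.example.org", "strict.example.org", "nocaa.example.com"):
        print(name, "->", caa_permits(name, "letsencrypt.org"))
```

To reproduce the same check by hand with unboundtest, query CAA for each owner name in `queried` in turn, subdomain first, and treat the first non-empty answer as the one that governs issuance.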

