This true. The CAA record for the domain being authorized and the authorization response are queried by the Let’s Encrypt Validation Authority (VA) at the same time when a challenge is POSTed for validation. Note that we also recheck CAA again before issuance if the issuance is relying on authorizations that were obtained more than 8 hours ago.
Can you quote the section and specific draft # you’re referring to? There are multiple with lots of change between them I don’t believe there is any requirement that CAA be checked before attempting domain validation, just before issuance.
Can you clarify what you mean by “before delivering the challenge” - do you mean before the VA delivers the challenge verification request to the remote server? E.g. in an HTTP-01 context before the VA makes a HTTP GET to
I’m still caught up on what “delivering” means but if I assume that it means “delivering a challenge request from the VA to the remote server” then this is what I would expect. At the time the challenge is POSTed by the client the VA will spin up a Go Routine (like a thread) to check the CAA record and it will spin up a Go Routine to make the challenge verification request. If either fail the authorization is marked invalid. There’s no guarantee that if your CAA record blocks issuance that the VA will not make a request to the server at all.
Hope that helps explain,