CAA Records are checked while challenge is created


I have added a CAA record to for testing purposes. As per the Boulder implementation, CAA records are checked by the server while verifying the challenge, but as per the draft the CAA records should be checked along with authentication before delivering the challenge.

ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "dns-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:caa",
"detail": "CAA record for "xxxxxx" prevents issuance",
"status": 403
"uri": "",

So as per the above, ideally the challenge should not be delivered to the client. But the client received the challenge and completed it, and scrutiny of the same failed on the CAA point, which should be checked by the server before delivering the challenge. Has anyone faced the same issue?

What’s your domain name?

Hi @prok_in

This is true. The CAA record for the domain being authorized and the authorization response are queried by the Let's Encrypt Validation Authority (VA) at the same time when a challenge is POSTed for validation. Note that we also recheck CAA again before issuance if the issuance is relying on authorizations that were obtained more than 8 hours ago.

Can you quote the section and specific draft # you're referring to? There are multiple with lots of change between them. I don't believe there is any requirement that CAA be checked before attempting domain validation, just before issuance.

Can you clarify what you mean by "before delivering the challenge" - do you mean before the VA delivers the challenge verification request to the remote server? E.g. in an HTTP-01 context before the VA makes an HTTP GET to ?

I'm still caught up on what "delivering" means but if I assume that it means "delivering a challenge request from the VA to the remote server" then this is what I would expect. At the time the challenge is POSTed by the client the VA will spin up a Go Routine (like a thread) to check the CAA record and it will spin up a Go Routine to make the challenge verification request. If either fails the authorization is marked invalid. There's no guarantee that if your CAA record blocks issuance that the VA will not make a request to the server at all.

Hope that helps explain,
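
The behaviour described in the reply above, as an added Go example that is not part of the thread and is not Let's Encrypt's code: the CAA check and the challenge request start together, either failure marks the authorization invalid, and the challenge request is still made when CAA blocks issuance. `Validate`, `Check`, `ErrCAA`, `NeedsCAARecheck` and the domain `example.test` are hypothetical names chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrCAA is a constructed error standing in for urn:acme:error:caa.
var ErrCAA = errors.New("CAA record prevents issuance")

// Check is a hypothetical validation step: a CAA lookup or a challenge request.
type Check func(domain string) error

// Validate starts both checks at once, as the reply describes, and waits for
// both. The authorization is valid only if neither check returned an error.
func Validate(domain string, caa, challenge Check) (status string, caaErr, chalErr error) {
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { defer wg.Done(); caaErr = caa(domain) }()
	go func() { defer wg.Done(); chalErr = challenge(domain) }()
	wg.Wait()
	if caaErr != nil || chalErr != nil {
		return "invalid", caaErr, chalErr
	}
	return "valid", nil, nil
}

// NeedsCAARecheck reports whether an authorization is older than the 8 hours
// mentioned in the reply, so CAA must be checked again before issuance.
func NeedsCAARecheck(authorizedAt, now time.Time) bool {
	return now.Sub(authorizedAt) > 8*time.Hour
}

func main() {
	requested := false
	blockingCAA := func(string) error { return ErrCAA }
	dns01 := func(string) error { requested = true; return nil } // challenge itself passes
	status, caaErr, _ := Validate("example.test", blockingCAA, dns01)
	// The challenge request still went out even though CAA blocked issuance.
	fmt.Println(status, caaErr, "challenge request made:", requested)
	now := time.Now()
	fmt.Println(NeedsCAARecheck(now.Add(-9*time.Hour), now))
}
```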
