Checking validation and CAA serially rather than in parallel

Let's Encrypt does two checks when validating your control of a hostname: it checks an ACME challenge (HTTP-01, TLS-ALPN-01, or DNS-01) and it also checks Certification Authority Authorization (CAA) DNS records. Historically, Let's Encrypt checked both of these things in parallel. Today we've turned on a small change in our software so we first check the ACME challenge, and then check CAA only if the ACME challenge succeeds. This allows us to skip some DNS queries in the case that the ACME challenge fails. That in turn reduces the load on our recursive resolvers, and reduces the number of parallel queries to authoritative servers we make. It also simplifies our code, which makes it easier to audit.

This slightly increases the latency of successful validations, by about 0.25 seconds in the most common case. Most ACME clients won't notice this additional latency, as validations are done asynchronously while the client polls the order or authorization object to see if the challenge was successful.

This doesn't affect our issuance-time CAA checking. When an order is finalized, if the CAA check during validation was completed more than 7 hours ago, we will still check CAA again before issuance.
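The ordering described above, as an added example (this is not Boulder's own code, and the names, zone data and challenge outcomes are constructed for illustration): a challenge is attempted first, CAA is queried only when it succeeds, and CAA is re-queried at finalization once the validation-time check is older than 7 hours. The CAA evaluation follows RFC 8659 (climb to the nearest ancestor with CAA records, issuewild takes precedence for wildcard names, an unrecognised critical tag blocks issuance), which goes a little beyond what the post itself spells out.

```python
"""Added example, not Let's Encrypt's (Boulder's) code. It models the
serial order from the post: run the ACME challenge first, query CAA only
when the challenge succeeds, and re-check CAA at finalization when the
validation-time result is more than 7 hours old. DNS data and challenge
outcomes are constructed in-memory; nothing here touches the network."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

CA_DOMAIN = "letsencrypt.org"
CAA_RECHECK_AGE = timedelta(hours=7)  # threshold named in the post
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # CAA flags bit, RFC 8659 s4.1

# Constructed zone data for the example: name -> [(flags, tag, value), ...]
CONSTRUCTED_ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org; validationmethods=http-01"),
                    (0, "issuewild", ";")],            # wildcards forbidden
    "locked.example.net": [(CRITICAL, "futuretag", "x")],  # unknown critical tag
}


def relevant_caa_records(name, zone):
    """RFC 8659 s3: drop a leading wildcard label, then walk toward the root
    and return the first non-empty CAA RRset (empty list if none exists)."""
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]), [])
        if records:
            return records
    return []


def issuer_domain(value):
    """'ca.example; param=1' -> 'ca.example'; an empty issuer means 'nobody'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, ca_domain, zone):
    """Decide whether ca_domain may issue for name under the relevant RRset."""
    records = relevant_caa_records(name, zone)
    if not records:
        return True  # no CAA anywhere in the tree: issuance is unrestricted
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False  # unrecognised critical property: must not issue
    tags = {tag for _, tag, _ in records}
    # issuewild, when present, is the only tag consulted for a wildcard name
    tag = "issuewild" if name.startswith("*.") and "issuewild" in tags else "issue"
    issuers = [issuer_domain(v) for _, t, v in records if t == tag]
    if not issuers:
        return True  # only iodef or similar: CAA does not restrict issuance
    return ca_domain.lower() in issuers


@dataclass
class Authorization:
    name: str
    challenge_ok: bool = False
    caa_ok: bool = False
    caa_checked_at: Optional[datetime] = None
    caa_queries: int = 0  # counts the CAA lookups the serial order saves


def validate(authz, challenge, zone, now):
    """Serial order: CAA is consulted only after the challenge succeeds,
    so a failed challenge costs no CAA queries at all."""
    authz.challenge_ok = challenge(authz.name)
    if not authz.challenge_ok:
        return False
    authz.caa_queries += 1
    authz.caa_ok = caa_permits(authz.name, CA_DOMAIN, zone)
    authz.caa_checked_at = now
    return authz.caa_ok


def finalize(authz, zone, now):
    """Issuance-time check: re-query CAA only if the validation-time result
    is older than CAA_RECHECK_AGE."""
    if not (authz.challenge_ok and authz.caa_ok):
        return False
    if now - authz.caa_checked_at > CAA_RECHECK_AGE:
        authz.caa_queries += 1
        authz.caa_ok = caa_permits(authz.name, CA_DOMAIN, zone)
        authz.caa_checked_at = now
    return authz.caa_ok


def demo():
    """Returns the CAA query counts for: a failed challenge, a good
    validation finalized 6h later, and one finalized 8h later."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    failed = Authorization("www.example.com")
    validate(failed, lambda n: False, CONSTRUCTED_ZONE, t0)
    soon = Authorization("www.example.com")
    validate(soon, lambda n: True, CONSTRUCTED_ZONE, t0)
    finalize(soon, CONSTRUCTED_ZONE, t0 + timedelta(hours=6))
    late = Authorization("www.example.com")
    validate(late, lambda n: True, CONSTRUCTED_ZONE, t0)
    finalize(late, CONSTRUCTED_ZONE, t0 + timedelta(hours=8))
    return failed.caa_queries, soon.caa_queries, late.caa_queries


if __name__ == "__main__":
    print(demo())  # (0, 1, 2)
```

The query counter is the point of the model: under the old parallel order the failed authorization would have cost a CAA lookup as well, and the 6h-versus-8h pair shows which finalizations trigger the second lookup. A real client cannot see any of this; it only observes the slightly later transition of the authorization to valid.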
