Detail: DNS problem: server failure at resolver looking up CAA for

Thanks for the excellent and actionable response, @mnordhoff!

I’m a little fuzzy on the details of the problem here, so I’d like to voice some assumptions based on the thread of conversation here and here as a sanity check. It sounds like:

  • boulder uses an internal instance of the unbound DNS server in production
  • boulder's DNS client is configured with a default message buffer capacity of 512 bytes
  • CAA record resolution for xyleme.com exceeds the DNS client’s message capacity (~626 bytes)
  • boulder reports a CAA record lookup server failure

To add a little context to our use case, we’re an organization requesting certs on behalf of our customers. While we do have authority to serve SSL certs on specific subdomains for each customer, in most cases, we don’t have authority to modify their DNS records, which are usually located on a parent domain.

Just looking for a little clarity so we can help educate our customers about potential DNS configuration improvements until the issue @jsha kindly linked is addressed. Thanks!

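To make the size mechanism in the bullet list concrete, here is a small added example (written for this thread; it is not boulder's or unbound's code). It hand-builds a CAA query in DNS wire format, with and without an EDNS0 OPT record advertising a larger UDP buffer, and a simplified server that, when the answer does not fit the client's advertised buffer, returns only the question section with the TC bit set. The domain `customer.example` and the twelve CAA records are constructed sample data; the server behaviour is a simplification of the real protocol, not a model of any particular resolver's code.

```python
"""Why a CAA answer larger than 512 bytes cannot be delivered over plain UDP.

Added example, not boulder's or unbound's code. All names and records below
are constructed sample data.
"""
import struct

TYPE_CAA = 257
TYPE_OPT = 41
CLASS_IN = 1
CLASSIC_UDP_LIMIT = 512   # RFC 1035 UDP payload limit when no EDNS0 OPT is present
FLAG_TC = 0x0200          # "truncated" bit in the DNS header flags word


def encode_name(name):
    """Encode 'customer.example' as length-prefixed DNS labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_caa_query(name, txid=0x1234, edns_udp_size=None):
    """Build a CAA query; if edns_udp_size is given, append an EDNS0 OPT record."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", TYPE_CAA, CLASS_IN)
    msg = header + question
    if edns_udp_size:
        # OPT pseudo-RR: root name, type 41, CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def caa_rdata(flags, tag, value):
    """CAA RDATA: flags byte, tag length, tag, then the value (RFC 6844 wire form)."""
    return struct.pack("!BB", flags, len(tag)) + tag.encode() + value.encode()


def _question_end(msg):
    """Offset just past the question section (QNAME, QTYPE, QCLASS)."""
    return msg.index(b"\x00", 12) + 1 + 4


def build_caa_response(query, records, ttl=300):
    """Answer that echoes the question and adds one CAA RR per record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:_question_end(query)]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR, RD, RA
    answers = b""
    for flags, tag, value in records:
        rdata = caa_rdata(flags, tag, value)
        # 0xC00C is a compression pointer back to the QNAME at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CAA, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


def client_udp_size(query):
    """UDP payload size the client advertised; 512 when there is no OPT record."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return CLASSIC_UDP_LIMIT
    opt = query[-11:]  # the OPT RR is the final 11 bytes of our queries
    rtype, udp_size = struct.unpack("!HH", opt[1:5])
    return udp_size if rtype == TYPE_OPT else CLASSIC_UDP_LIMIT


def serve_udp(query, full_response):
    """Simplified server: if the answer exceeds the client's buffer, reply with
    only the question section and TC=1 so the client knows to retry over TCP."""
    if len(full_response) <= client_udp_size(query):
        return full_response
    txid, flags = struct.unpack("!HH", full_response[:4])
    header = struct.pack("!HHHHHH", txid, flags | FLAG_TC, 1, 0, 0, 0)
    return header + full_response[12:_question_end(full_response)]


def is_truncated(response):
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_TC)


def parse_caa_answers(response):
    """Return (flags, tag, value) tuples from the answer section (pointer-name layout)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    pos = _question_end(response)
    out = []
    for _ in range(ancount):
        pos += 2  # skip the compression pointer used as the owner name
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        rdata = response[pos:pos + rdlen]
        pos += rdlen
        if rtype == TYPE_CAA:
            taglen = rdata[1]
            out.append((rdata[0], rdata[2:2 + taglen].decode(), rdata[2 + taglen:].decode()))
    return out


# Constructed sample: twelve CAA records push the answer past 512 bytes.
SAMPLE_CAA = [(0, "issue", f"ca{i:02d}.example.test; account={i:03d}") for i in range(12)]


def demo(name="customer.example"):
    """Compare what a 512-byte client and a 4096-byte EDNS0 client receive."""
    q_plain = build_caa_query(name)
    q_edns = build_caa_query(name, edns_udp_size=4096)
    full = build_caa_response(q_plain, SAMPLE_CAA)
    reply_plain = serve_udp(q_plain, full)
    reply_edns = serve_udp(q_edns, build_caa_response(q_edns, SAMPLE_CAA))
    return {
        "answer_bytes": len(full),
        "plain_truncated": is_truncated(reply_plain),
        "plain_records": len(parse_caa_answers(reply_plain)),
        "edns_truncated": is_truncated(reply_edns),
        "edns_records": len(parse_caa_answers(reply_edns)),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Running `demo()` shows the full answer is 622 bytes: the client that advertised no EDNS0 buffer gets back a truncated reply with zero CAA records and TC=1 (at which point a resolver is expected to retry over TCP), while the client advertising 4096 bytes receives all twelve records in one UDP message. The takeaway for a zone owner is the one the thread already hints at: the total size of the CAA RRset, not the number of records alone, determines whether it fits a 512-byte reply.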