Domain with active CAA record in DNS

For more than a year I have been publishing CAA records (RFC 6844). At least I hope the content is usable for anyone.
But it turns out no CA cares about my records. Until today: LE failed to issue a certificate. I got the message “…CAA check for $mydomain failed …”

I found that the LE servers look up my CAA record every time I fire up a signing request. That's fine, by the way, since it avoids DNS caching issues. Finally I removed my CAA record, and the very next signing request succeeded.

So my question: what is the correct format expected in the CAA record for a domain?

  • any static value like CAA 1 issue ""
  • multiple values?
  • a dynamic value containing a response to a challenge?

Maybe you could clarify that?

Additionally: do you know domains publishing CAA records?
I checked many domains without success. So I have no "live" example of a valid CAA record format.



For Production: ""
For Staging: "happy-hacker-ca.invalid"

Line 657

Line 654 ""
Line 161: "happy-hacker-ca.invalid"

Maybe also interesting for you: IODEF is not used from the CAA record.

Is there a bug in Boulder, or was my CAA record invalid?

I just verified:

A domain with these records fails to receive a certificate:

    ; RFC 6844
    CAA 1 issue ""
    CAA 1 issue ""
    CAA 1 iodef ""

But it succeeds if I remove them (commented out):

    ; RFC 6844
    ; CAA 1 issue ""
    ; CAA 1 issue ""
    ; CAA 1 iodef ""


@sca_le, it looks like there’s a bug in Boulder. Filed at

We are using a more restrictive interpretation of the Issuer Critical flag than was prescribed by

Thanks for pointing this out.
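An added example, not code from this thread or from Boulder: a small RFC 6844 evaluator in Python that parses presentation-format CAA records and applies the issuance rules, including the Issuer Critical flag semantics discussed above (the critical bit is the value 128 in the flags field, so a record written as `CAA 1 issue ...` is not issuer-critical). The CA names and the mailto address are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List

# RFC 6844 presentation format: the Issuer Critical flag is bit 0 of the
# flags octet, which is the value 128 in the decimal flags field. Bits 1-7
# are reserved and must be ignored, so "CAA 1 issue ..." is NOT critical.
ISSUER_CRITICAL = 128
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & ISSUER_CRITICAL)


def parse_caa(line: str) -> CAARecord:
    """Parse one record of the form: CAA <flags> <tag> "<value>"."""
    m = re.fullmatch(r'\s*CAA\s+(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*', line)
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags = int(m.group(1))
    if not 0 <= flags <= 255:
        raise ValueError(f"flags out of range: {flags}")
    return CAARecord(flags, m.group(2).lower(), m.group(3))


def issuer_domain(value: str) -> str:
    """An issue/issuewild value is 'issuer-domain-name [; key=value ...]'."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(records: List[CAARecord], ca_domain: str, wildcard: bool = False) -> bool:
    """Decide whether the CA identified by ca_domain may issue (RFC 6844 sec. 4)."""
    # A critical record whose tag the CA does not understand forbids issuance.
    if any(r.critical and r.tag not in KNOWN_TAGS for r in records):
        return False
    # For wildcard names, issuewild records take precedence when present.
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in records):
        tag = "issuewild"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True  # no applicable property: CAA imposes no restriction
    # An empty issuer domain (issue "" or issue ";") matches no CA at all.
    return any(issuer_domain(r.value) == ca_domain.lower() for r in relevant)
```

The iodef property is deliberately not part of the decision; it only names where a CA should report policy violations.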