Domain with active CAA record in DNS


#1

Since more then a year I publish CAA records (RFC 6844). At least I hope the content is usable for anyone.
But it turns out: no CA care about my records. Till today: LE fail to issue a certificate. I got that message “…CAA check for $mydomain failed …”

I found the LE servers lookup my CAA record every time I fire up a signing request. That’s fine by the way to avoid DNS caching issues. Finally I removed my CAA record and just the next signing request succeeded

So my question: what is the correct format expected in the CAA record for a domain?

  • any static value like
    example.com. CAA 1 issue “letsencrypt.org.”
  • multiple values?
  • a dynamic value contain a response to a challenge?

Maybe you could clarify that?

Additionally: do you know domains publishing CAA records?
I checked many domains without success. So I have no “life” example for a valid CAA record format.

Thanks,
Andreas


#2

For Production: "letsencrypt.org"
For Staging: “happy-hacker-ca.invalid”


Line 657

Line 654 "letsencrypt.org"
https://github.com/letsencrypt/boulder/blob/abb63beeeaa9805cfb14b7b6552260215a8e0737/test/boulder-config.json
Line 161: “happy-hacker-ca.invalid”


#3

Maybe also interesting four you IODEF is not used from the caa record.


#4

is there a bug in boulder or was my CAA record invalid?

I just verified:

domain with these records fail to receive a certificate:
; RFC 6844
example.org. CAA 1 issue "cacert.org"
example.org. CAA 1 issue “letsencrypt.org"
example.org. CAA 1 iodef "mailto:caa@example.org

But success if I removed cacert.org
; RFC 6844
;example.org. CAA 1 issue "cacert.org"
example.org. CAA 1 issue “letsencrypt.org"
example.org. CAA 1 iodef "mailto:caa@example.org

Andreas


#5

@sca_le, it looks like there’s a bug in Boulder. Filed at

We are using a more restrictive interpretation of the Issuer Critical flag than was prescribed by

https://tools.ietf.org/html/rfc6844#section-3

Thanks for pointing this out.