For more than a year I have been publishing CAA records (RFC 6844). At least I hope the content is usable for anyone.
But it turns out no CA cares about my records. Until today: LE failed to issue a certificate. I got this message: “…CAA check for $mydomain failed …”
I found that the LE servers look up my CAA record every time I fire up a signing request. That’s fine, by the way, to avoid DNS caching issues. Finally I removed my CAA record, and the very next signing request succeeded.
So my question: what is the correct format expected in the CAA record for a domain?
- any static value like
example.com. CAA 1 issue “letsencrypt.org.”
- multiple values?
- a dynamic value containing a response to a challenge?
Maybe you could clarify that?
Additionally: do you know of any domains publishing CAA records?
I checked many domains without success. So I have no “live” example of a valid CAA record format.
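As an added example (not from the original post or from Let's Encrypt), here is a small Python checker for the CAA processing that RFC 6844 describes: it parses records in zone-file presentation form (flags, tag, quoted value), finds the relevant RRset by climbing to parent names when the name itself has none, honours the critical flag and the ";" value, and decides whether a CA identified by an issuer domain name may issue. The zone contents, names and the tolerant case-insensitive, trailing-dot comparison are assumptions of this example, not the behaviour of any particular CA.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data, assumed for this example (no live DNS lookup):
# the CAA RRset, in presentation form, that a resolver would return per owner name.
ZONE: Dict[str, List[str]] = {
    "example.com.": ['0 issue "letsencrypt.org"', '0 iodef "mailto:hostmaster@example.com"'],
    "locked.example.com.": ['0 issue ";"'],            # ";" forbids issuance by any CA
    "odd.example.com.": ['128 futuretag "x"'],         # critical flag set on an unknown tag
}

CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')
CRITICAL = 0x80  # RFC 6844: the issuer-critical flag is the high bit of the flags octet

def parse_caa(rdata: str) -> Tuple[int, str, str]:
    """Parse one CAA record in presentation form: <flags> <tag> "<value>"."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    if not 0 <= flags <= 255:
        raise ValueError("flags must fit in one octet")
    return flags, tag, value

def relevant_rrset(name: str, zone: Dict[str, List[str]]) -> List[Tuple[int, str, str]]:
    """RFC 6844 section 4: use the CAA RRset of the closest ancestor-or-self that has one."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in zone:
            return [parse_caa(r) for r in zone[owner]]
    return []

def ca_may_issue(name: str, issuer: str, zone: Dict[str, List[str]], wildcard: bool = False) -> bool:
    """Apply RFC 6844 issue/issuewild processing for a CA whose identifier is `issuer`."""
    records = relevant_rrset(name, zone)
    known = {"issue", "issuewild", "iodef"}
    if any(f & CRITICAL and t not in known for f, t, _ in records):
        return False  # a critical property this CA does not understand: must not issue
    tag = "issuewild" if wildcard else "issue"
    values = [v for _, t, v in records if t == tag]
    if wildcard and not values:  # no issuewild: the issue properties govern wildcards too
        values = [v for _, t, v in records if t == "issue"]
    if not values:
        return True  # no issue restriction published anywhere up the tree
    # Value is "<issuer-domain-name>[; parameters]"; ";" alone yields an empty issuer.
    # Lower-casing and tolerating a trailing dot is this example's choice, not a CA's rule.
    allowed = {v.split(";", 1)[0].strip().lower().rstrip(".") for v in values}
    return issuer.lower().rstrip(".") in allowed
```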