The problem isn't with Dyn or (directly) with your domain, it's with TP-Link.
The error message is misleading: it happens when you have CAA records explicitly blocking Let's Encrypt, and it can happen when the DNS response is invalid.
When Let's Encrypt does a DNS query for germany.vertesi.com CAA, the DNS resolver follows the CNAME to verthome.tplinkdns.com and... I'm not sure what happens.
tplinkdns.com has a lot of issues. I'm not even sure what most of them are.
http://dnsviz.net/d/tplinkdns.com/W8w6vA/dnssec/
$ dig verthome.tplinkdns.com caa
;; Got bad packet: FORMERR
67 bytes
88 dc 81 80 00 01 00 01 00 00 00 01 08 76 65 72 .............ver
74 68 6f 6d 65 09 74 70 6c 69 6e 6b 64 6e 73 03 thome.tplinkdns.
63 6f 6d 00 01 01 00 01 c0 0c 01 01 00 01 00 00 com.............
02 6c 00 04 5b 41 76 ba 00 00 29 10 00 00 00 00 .l..[Av...).....
00 00 00 ...
One of them is responding with something invalid to CAA queries.
Another is that they don't support random capitalization, which is not invalid, but which may cause Let's Encrypt's resolvers to fail.
Not really. CNAMEs are okay. You were just using a CNAME to a DNS service that doesn't work well.
Edit:
To be explicit, it's fine not to have CAA records. A valid negative response is a-ok.
Also, I forgot to mention it, but there was one previous thread reporting issues with that domain.
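As an added example (not part of the original post), the following script decodes the 67-byte packet that dig printed above, reconstructed from the hex dump, and shows why it is unparseable: the single answer is typed CAA (257) but carries only 4 bytes of RDATA, which cannot hold a valid CAA record and happens to look like an IPv4 address. The minimal parser and the `check_caa_rdata` validator are written for this example, not taken from dig or Let's Encrypt.

```python
import struct

# The response dig printed for "verthome.tplinkdns.com CAA", copied from
# the hex dump in the post above (67 bytes; dig's trailing "..." dropped).
RESPONSE = bytes.fromhex(
    "88dc81800001000100000001"                            # header
    "0876657274686f6d650974706c696e6b646e7303636f6d00"    # question name
    "01010001c00c010100010000026c00045b4176ba"            # qtype/qclass + answer RR
    "0000291000000000000000"                              # OPT pseudo-RR
)

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer (c0 0c here)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if jumped else off)

def check_caa_rdata(rdata):
    """Return None if rdata is well-formed CAA (flags, tag length, tag, value), else the defect."""
    if len(rdata) < 2:
        return "shorter than flags + tag-length octets"
    tag_len = rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        return f"tag length {tag_len} exceeds the {len(rdata) - 2} bytes that follow it"
    return None

def diagnose(msg):
    """Parse the first answer RR of a response and report why a CAA parser rejects it."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                  # qtype + qclass
    name, off = read_name(msg, off)
    rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    rdata = msg[off + 10:off + 10 + rdlen]
    result = {"name": name, "type": rtype, "ttl": ttl, "rdlen": rdlen,
              "rcode": flags & 0xF, "defect": None}
    if rtype == 257:                              # CAA
        result["defect"] = check_caa_rdata(rdata)
        if rdlen == 4:                            # same shape as an A record's RDATA
            result["looks_like_a"] = ".".join(str(b) for b in rdata)
    return result

if __name__ == "__main__":
    print(diagnose(RESPONSE))
```

The header says NOERROR with one answer, so the server is not refusing the query; it is returning something that is not a CAA record under the CAA type, which is why dig reports a bad packet rather than an empty answer.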