Has LE changed CAA query recently/gotten more strict?

We are attempting to renew multiple certs but are seeing the same failures on all of them.
It appears that LE is not able to confirm CAA on our DNS: "query timed out looking up CAA".
We are not aware of any changes to our DNS, which was successful previously.
Was wondering if there were any changes on LE's side to the CAA validation process? (this will help us know what to correct)

My domain is: marines.mil

I ran this command: Let's Debug

It produced this output: This test has been running for a while. This usually indicates that one or more of the domain nameservers are either inaccessible or offline

while a dig provides:

$ dig marines.mil
;; AUTHORITY SECTION:
marines.mil. 179 IN SOA usmcdns1.usmc.mil. security.mcnosc.usmc.mil. 2021081400 3600 600 604800 3600

1 Like

It looks like your nameservers might not be accepting queries over TCP, only UDP. This usually means that some queries will work, but not all. This tool can be helpful: marines.mil | DNSViz

3 Likes

Another helpful tool is https://unboundtest.com, which is configured to approximate the LetsEncrypt systems.

You'll see it takes quite a long time to run, and then shows a timeout on all queries against your nameservers.

2 Likes
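The two replies above point at the same diagnosis: the authoritative servers answer some queries but not the CAA lookup, and the suspected cause is that they only answer over UDP while a validator that retries over TCP times out. The script below is an added example (written for this thread; it is not code from Let's Encrypt, DNSViz or unboundtest) that sends the same CAA query to one of your own nameservers over UDP and over TCP and reports which transport answers. It uses only the Python standard library; the nameserver IP and domain are command-line arguments, and the sample reply used for offline checking is constructed here, not captured from any real server.

```python
import random
import socket
import struct
import sys

CAA_TYPE = 257  # RR type number for CAA records (RFC 8659)

def build_caa_query(name, qid=None):
    """Return (id, packet) for a recursion-desired CAA/IN query for `name`."""
    if qid is None:
        qid = random.randrange(0, 65536)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return qid, header + qname + struct.pack("!HH", CAA_TYPE, 1)

def query_udp(server, packet, timeout=5.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # plain UDP, port 53
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        reply, _ = s.recvfrom(4096)
    return reply

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def query_tcp(server, packet, timeout=5.0):
    """Same query over TCP: two-byte length prefix per RFC 1035 section 4.2.2."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(packet)) + packet)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)

def read_name(data, offset):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_caa_response(data):
    """Return rcode, TC flag and the CAA records (name, flags, tag, value) in the answer."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == CAA_TYPE:  # rdata = flags(1) tag_len(1) tag value
            tag_len = rdata[1]
            tag = rdata[2:2 + tag_len].decode("ascii")
            value = rdata[2 + tag_len:].decode("ascii", "replace")
            records.append((name, rdata[0], tag, value))
    return {"id": qid, "rcode": flags & 0x000F, "truncated": bool(flags & 0x0200), "caa": records}

def check_caa_transports(server, name, timeout=5.0):
    """Send the CAA query over UDP and TCP and report the outcome per transport."""
    qid, packet = build_caa_query(name)
    results = {}
    for transport, send in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            reply = parse_caa_response(send(server, packet, timeout))
            results[transport] = "ok" if reply["id"] == qid else "id-mismatch"
        except (OSError, struct.error) as exc:  # timeouts and refusals are OSError subclasses
            results[transport] = f"fail: {type(exc).__name__}"
    return results

def build_sample_caa_response(qid=0x1234):
    """Constructed sample reply for example.com with one CAA record; not a real capture."""
    _, query = build_caa_query("example.com", qid)
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    rdata = bytes([0, len(b"issue")]) + b"issue" + b"letsencrypt.org"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", CAA_TYPE, 1, 3600, len(rdata)) + rdata
    return header + query[12:] + answer

if __name__ == "__main__":
    # Usage: python caa_check.py <nameserver-ip> <domain>
    print(check_caa_transports(sys.argv[1], sys.argv[2]))
```

Run it once per authoritative server listed in the zone's NS set; a result of `ok` for udp and `fail: timeout` (or `ConnectionRefusedError`) for tcp is the pattern the replies describe and points at a firewall or resolver setting that drops TCP/53, which you fix on your side before retrying the renewal.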
