I have a LetsEncrypt certificate for my domains; however, as a test, I've temporarily modified my CAA records for one domain to try to block LetsEncrypt from issuing certificates for the domain. I'm interested in verifying that certificate issuance will actually be blocked and that I get an e-mail notification at the address I specified in the iodef record.
Temporary CAA configuration for the domain (redacting actual domain name for privacy):
$ host -t caa [REDACTED].com
[REDACTED].com has CAA record 0 iodef "mailto:certfuckery@[REDACTED].com"
[REDACTED].com has CAA record 0 issue "nonexistentdomain.nul"
(Note: there are no CAA records for any subdomains)
With this configuration, LetsEncrypt (or anybody else) should refuse to issue a certificate for the domain and send a notice to the specified e-mail, right?
First thing I tried was a dry-run renewal of my existing certificate, and it went through successfully. (Not sure if the dry-run environment even checks CAA?)
Then I tried a force-renewal of my existing certificate, and it still went through.
Then I requested a new certificate for a subdomain of my domain, and it went through as well.
Why are these not being blocked? Do I need to wait some period of time for trust to expire?
I do use Cloudflare as my DNS provider, and I'm aware that if a certain feature is turned on, they automatically add several CAA records (including one for LetsEncrypt). However, I've turned that feature off, and as far as I can tell the old CAA records are no longer cached anywhere.
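As an added example (not part of the original post), the following Python models the CAA evaluation rules from RFC 8659 over a constructed, in-memory record set, so you can check what a conforming CA is supposed to conclude from the records shown above. It assumes `example.com` in place of the redacted domain and a constructed iodef address; it performs no DNS lookups, and the `CAARecord`, `relevant_caa_set`, `issuance_permitted` and `iodef_contacts` names are this example's own.

```python
"""Evaluate CAA issuance policy per RFC 8659 over an in-memory record set.

Added example: models the CA-side decision only; it does not query DNS.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class CAARecord(NamedTuple):
    flags: int  # bit 7 (0x80) is the "issuer critical" flag
    tag: str    # issue, issuewild, iodef, ...
    value: str  # e.g. "letsencrypt.org; validationmethods=dns-01"


CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data mirroring the post's temporary configuration, with
# example.com standing in for the redacted name. No subdomain carries CAA.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "iodef", "mailto:caa-reports@example.com"),
        CAARecord(0, "issue", "nonexistentdomain.nul"),
    ],
}

Zone = Dict[str, List[CAARecord]]


def _parent(name: str) -> Optional[str]:
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def _lookup_name(name: str) -> str:
    # RFC 8659 section 3: the relevant RRset for "*.X" is that of "X".
    return name[2:] if name.startswith("*.") else name


def relevant_caa_set(name: str, zone: Zone) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from the name toward the root; the first owner with a non-empty
    CAA RRset supplies the Relevant RRset (RFC 8659 section 3)."""
    current: Optional[str] = _lookup_name(name).rstrip(".").lower()
    while current:
        rrset = zone.get(current, [])
        if rrset:
            return current, rrset
        current = _parent(current)
    return None, []


def issuer_domain(value: str) -> str:
    """Strip parameters from an issue/issuewild value ('ca.test; x=y' -> 'ca.test').
    An empty domain (the value ';') authorises no CA at all."""
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name: str, ca_domain: str, zone: Zone) -> Tuple[bool, str]:
    """Return (permitted, reason) for issuing `name` to the CA identified by `ca_domain`."""
    wildcard = name.startswith("*.")
    owner, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True, "no relevant CAA RRset: issuance is unrestricted"
    # A critical flag on a tag the CA does not understand forbids issuance.
    for rr in rrset:
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"critical tag {rr.tag!r} at {owner} not understood: must not issue"
    issue = [rr for rr in rrset if rr.tag.lower() == "issue"]
    issuewild = [rr for rr in rrset if rr.tag.lower() == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue applies to both.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True, f"CAA at {owner} restricts nothing for this name"
    allowed = {issuer_domain(rr.value) for rr in governing}
    if ca_domain.lower() in allowed:
        return True, f"{ca_domain} is authorised by CAA at {owner}"
    return False, f"{ca_domain} is not among {sorted(allowed)!r} at {owner}: must not issue"


def iodef_contacts(name: str, zone: Zone) -> List[str]:
    """Report addresses a CA may notify (RFC 8659 makes reporting optional)."""
    _, rrset = relevant_caa_set(name, zone)
    return [rr.value for rr in rrset if rr.tag.lower() == "iodef"]


if __name__ == "__main__":
    for n in ("example.com", "sub.example.com", "*.example.com"):
        ok, why = issuance_permitted(n, "letsencrypt.org", ZONE)
        print(f"{n:18} permitted={ok}  ({why})")
    print("iodef:", iodef_contacts("sub.example.com", ZONE))
```

With the post's records, the function denies `letsencrypt.org` for the apex, for any subdomain (the lookup climbs to the apex record because the subdomain has none of its own) and for the wildcard, which is the outcome the test above was designed to observe. What the model cannot show is timing: a CA evaluates CAA against live DNS at validation time, so the policy result here says what the records mean, not when a given CA last looked at them.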