I am using letsencrypt to sign my certificates. Currently letsencrypt is not issuing certificate for SERVFAIL responses, so is there any deadline that letsencrypt will not issue certificate if the domain doesn’t have CAA record??
If CAA is mandatory should i require CAA record to renew my existing certificate.
P.S: Every blog is saying CAA is mandatory but i didn’t see a deadline from letsencrypt.
Thank you in advance.
For you, a subscriber (someone who wants certificates, rather than an Issuer like Let’s Encrypt) it is not mandatory to have CAA records, but it WILL be mandatory to be able to answer DNS queries about those records, in your case your DNS server would just need to say it has no such records.
Does that help?
What’s mandatory in September is CAA checking on the CA side, but as @tialaramex explains, “no CAA records” is a valid reply which will not prevent certificate issuance.
Thanks tialaramex. So you are saying letsencrypt did not give any deadline for CAA record, as they only query the record and our dns server should respond as no such records. But many blogs says the CAA record is mandatory after September but there is no use of making this announcement.
Those blogs are totally mistaken if they phrased it that way. On the other hand, it's really important for DNS server software to be updated so that it doesn't return an error when asked about CAA.
There’s a very nuanced difference between ‘CAA records are required’ and ‘support for CAA records is required.’
The change in September is the latter, not the former. It’s going to be virtually no change compared to how Let’s Encrypt currently operates, as CAA lookups must by responded to properly as of now. The main change, as I understand it, will be that the CAA whitelist will no longer be an option for those with nonconforming DNS providers.
You may find this page helpful: https://letsencrypt.org/docs/caa
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.