Thanks for all your help. I have resolved the problem.
After days of fruitless discussions with Netregistry support - they didn’t understand the problem at all. They have sent me an email asking what I thought of their support - I haven’t yet calmed down enough to contemplate a reply.
I did some searching and finally got some sensible answers and great help from iiNet hosting. Initially they even gave me the names of DNS hosting software which did support CAA to help in my search. They also did some tests on their system and found that it did respond to CAA checks even though it did not provide a positive response. On that basis I have changed to iiNet DNS Hosting AND have successfully renewed the certificate. On this basis I cannot recommend iiNet highly enough.
Thanks again to all who have helped with this problem.
Hi Peter,
I may be going down the same path as you with switching from NetRegistry to iinet for DNS hosting to resolve this CAA issue. My SSL certificates expire in 9 days. Do you mind my asking how long the transfer took and whether there was any downtime for your website? Was it a painful process getting all the DNS records exactly right or did iinet handle it?
I’ve had quite a few stressful support issues with NR over the years incidentally. I thought I’d escaped them quite a while back but then they took over Planet Domain and I inadvertently ended up back with them!
I have DNS slaves that don't understand CAA yet because of a too old BIND version and even they can respond after receiving the zone from a more recent BIND. The corresponding dig command doesn't understand CAA either on those servers but can be made to query with
dig $domain type257
So whatever Netregistry is doing, it shouldn't be a problem of their server software. Either their software is really dumb or - more likely - they employ some paranoid "security" appliance that sucks in other ways.
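An added example, not part of any post in this thread: a Python sketch that builds the same TYPE257 query as the dig command above and separates a nameserver that answers CAA with an empty result from one whose lookup fails (timeout or an error RCODE such as SERVFAIL). The verdict names, the `sample_response` helper and the `example.com` inputs are constructed for illustration; no network is used.

```python
import struct

CAA = 257  # RR type number; a dig too old to know "CAA" queries it as "type257"

def build_query(domain, qid=0x1234):
    """Wire-format query for the CAA RRset of `domain`."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in domain.rstrip(".").split("."))
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">2H", CAA, 1)

def skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify(msg):
    """Map a raw response (None = timeout) to (verdict, [(flags, tag, value)])."""
    if msg is None:
        return "lookup-failed", []            # no reply at all
    flags, qd, an = struct.unpack(">3H", msg[2:8])
    if flags & 0x000F not in (0, 3):          # anything but NOERROR / NXDOMAIN
        return "lookup-failed", []
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4         # skip QTYPE + QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == CAA:                      # RDATA: flags, tag length, tag, value
            tlen = rdata[1]
            records.append((rdata[0], rdata[2:2 + tlen].decode(), rdata[2 + tlen:].decode()))
    return ("has-caa" if records else "answered-empty"), records

def sample_response(query, rcode, caa=None):
    """Constructed reply for offline use: echo the question, optionally add one CAA RR."""
    head = query[:2] + struct.pack(">5H", 0x8180 | rcode, 1, 1 if caa else 0, 0, 0)
    if not caa:
        return head + query[12:]
    rdata = bytes([caa[0], len(caa[1])]) + caa[1].encode() + caa[2].encode()
    return head + query[12:] + b"\xc0\x0c" + struct.pack(">HHIH", CAA, 1, 300, len(rdata)) + rdata

if __name__ == "__main__":                    # constructed inputs, no network used
    q = build_query("example.com")
    print([classify(r)[0] for r in (None, sample_response(q, 2), sample_response(q, 0))])
```

To check a real nameserver, send `build_query(domain)` over UDP port 53 to each authoritative server and pass the reply, or `None` on timeout, to `classify`.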
We already had email hosting at iiNet so we already had a partial DNS system there. After making the entries in the DNS system and committing them, followed by resetting the name servers on Netregistry, I waited about an hour and all went through without a problem. I guess from your point of view you would need to open a DNS hosting account and I cannot tell you how long that might take but would assume very little time at all.
This whole process took a while, complicated by time differences: they are in Perth, I’m in Sydney and our server is in Adelaide.
Hi Peter
Thanks for the reply. Thankfully NetRegistry SEEM to have got their act together overnight as I was able to renew the certificates this morning. Some other people in another thread have also found it starting to work again, albeit erratically, and not everyone is convinced the solution will ‘stick’. In the future I think I’ll renew my certificates a few weeks before they expire so it won’t be so urgent to sort it out if I have problems. I will keep the iinet option up my sleeve.
Cheers
Jo