I suspect this is working as intended, but I’d like to verify.
We attempted to have a certificate issued for a domain that had no blocking CAA record, had DNSSEC enabled, and the authoritative NS did not provide a non-existence proof for the CAA type (making the lack of a CAA record invalid).
Is this a necessary security feature, or a potential oversight? It seems to me DV with DNSSEC would necessarily require crypto proofs for the A/AAAA/TXT records which are used to prove ownership, not the CAA which authorizes a CA. I’m not intimately familiar with the RFC though, so I’m not sure. It might be nice to help early adopters of DNSSEC to drop the non-existence proof requirement for CAA records, but I defer to the smarter people in the room.
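To make the behaviour in the post concrete, here is an added example (not the poster's code and not the CA's implementation) that models the CA side of a CAA check against a DNSSEC-signed zone. It assumes the RFC 8659 rules: the relevant CAA RRset is that of the domain or its closest ancestor, and a lookup that a validating resolver cannot authenticate (including a signed zone that returns "no CAA" without an NSEC/NSEC3 denial) is a lookup failure, on which the CA does not issue. The resolver, zone names and zone data are constructed stand-ins, not real DNS.

```python
# Model of a CA's CAA check under DNSSEC (added example; assumptions are
# noted inline, the resolver and zone data are constructed, not real DNS).
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Lookup(Enum):
    RECORDS = "records"   # authenticated CAA RRset returned
    NODATA = "nodata"     # no CAA RRset; for signed zones, an authenticated denial
    BOGUS = "bogus"       # DNSSEC validation failed: resolver answers SERVFAIL


@dataclass
class Zone:
    """Constructed per-name state; a real resolver derives this from the wire."""
    caa: list[tuple[str, str]] = field(default_factory=list)  # (tag, value) pairs
    signed: bool = True            # zone publishes RRSIGs (DNSSEC enabled)
    provides_denial: bool = True   # zone returns NSEC/NSEC3 for missing types


class FakeValidatingResolver:
    """Stand-in for a DNSSEC-validating resolver (constructed for the example)."""

    def __init__(self, zones: dict[str, Zone]):
        self.zones = zones

    def caa(self, name: str) -> tuple[Lookup, list[tuple[str, str]]]:
        zone = self.zones.get(name, Zone(signed=False))  # unknown name: unsigned, empty
        if zone.caa:
            return Lookup.RECORDS, list(zone.caa)
        if zone.signed and not zone.provides_denial:
            # A signed zone answering "no CAA" without an authenticated denial is
            # indistinguishable from an answer whose CAA RRset was stripped in
            # transit, so a validating resolver rejects it as bogus.
            return Lookup.BOGUS, []
        return Lookup.NODATA, []


def ancestors(domain: str):
    """Yield the name itself, then each parent up to the TLD (the tree climb)."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def may_issue(resolver, domain: str, ca_id: str, wildcard: bool = False) -> tuple[bool, str]:
    """Decide whether `ca_id` may issue for `domain` under the CAA rules.

    The relevant RRset is that of the domain or its closest ancestor that has
    one; a lookup that fails validation on the way stops the climb and blocks
    issuance, because the CA cannot tell whether restrictions were hidden.
    """
    for name in ancestors(domain):
        status, rrset = resolver.caa(name)
        if status is Lookup.BOGUS:
            return False, f"CAA lookup for {name} failed DNSSEC validation; fail closed"
        if status is Lookup.NODATA:
            continue
        issue = [v for t, v in rrset if t == "issue"]
        issuewild = [v for t, v in rrset if t == "issuewild"]
        # Wildcard requests use issuewild when present, otherwise issue.
        relevant = issuewild if (wildcard and issuewild) else issue
        if not relevant:
            return True, f"{name} has a CAA RRset but no applicable issue restriction"
        # The CA identifier is the part before any ';' parameters; ";" alone forbids all CAs.
        allowed = {v.split(";")[0].strip() for v in relevant}
        if ca_id in allowed:
            return True, f"{name} CAA authorizes {ca_id}"
        return False, f"{name} CAA does not authorize {ca_id}"
    return True, "no CAA RRset found on the domain or any ancestor"


# Constructed zone data covering the cases discussed in the thread.
ZONES = {
    "example.com": Zone(caa=[("issue", "ca.example"), ("issuewild", ";")]),
    "www.example.com": Zone(),                                # signed, empty, proper denial
    "example.net": Zone(signed=True, provides_denial=False),  # the poster's scenario
    "example.org": Zone(caa=[("issue", ";")]),                # explicitly forbids all CAs
}
RESOLVER = FakeValidatingResolver(ZONES)


if __name__ == "__main__":
    for dom, wild in [("www.example.com", False), ("example.com", True),
                      ("host.example.net", False), ("example.org", False)]:
        ok, why = may_issue(RESOLVER, dom, "ca.example", wildcard=wild)
        print(f"{'*.' if wild else ''}{dom:20} -> {'ISSUE' if ok else 'REFUSE'}: {why}")
```

The `example.net` entry is the situation described in the post: DNSSEC is enabled, no CAA record blocks issuance, but the zone cannot prove the CAA type is absent, so the resolver returns bogus and the check fails closed rather than treating "no answer" as "no restriction". The same model shows why this is not a DV-specific choice: the CA is not validating the ownership proof here, only whether the authorization data it received can be trusted.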