Hi @gtartari,
I don’t know how your authoritative name servers are configured, but they fail to answer CAA record requests over UDP from some countries (it works fine from every country I tried if I request the CAA record over TCP, or any other record like A over UDP or TCP).
From SPAIN (FAIL):
$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; <<>> DiG 9.9.7 <<>> -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
From US (OK):
$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"
From UK (FAIL):
$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; <<>> DiG 9.11.1 <<>> -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
From FRANCE Location 1 (FAIL):
$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; <<>> DiG 9.11.1 <<>> -4 @192.106.1.9 cda.zignago.com caa +notcp +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
From FRANCE Location 2 (OK):
$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"
From GERMANY (OK):
$ dig -4 @192.106.1.9 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"
Using Google DNS public resolver (FAIL):
$ dig -4 @8.8.8.8 cda.zignago.com caa +notcp
; <<>> DiG 9.11.1 <<>> -4 @8.8.8.8 cda.zignago.com caa +notcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34055
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cda.zignago.com. IN CAA
;; Query time: 2016 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 15 11:34:50 CEST 2018
;; MSG SIZE rcvd: 44
Using Cloudflare DNS public resolver (OK):
$ dig -4 @1.1.1.1 cda.zignago.com caa +notcp +short
0 issue "letsencrypt.org"
Using QUAD DNS public resolver (FAIL):
$ dig -4 @9.9.9.9 cda.zignago.com caa +notcp
; <<>> DiG 9.11.1 <<>> -4 @9.9.9.9 cda.zignago.com caa +notcp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2270
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cda.zignago.com. IN CAA
;; Query time: 3023 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Tue May 15 11:35:43 CEST 2018
;; MSG SIZE rcvd: 44
If you check it using dnsviz you get this problem:
cda.zignago.com/CAA: No response was received from the server over UDP (tried 8 times). (192.106.1.1, 192.106.1.9, UDP_0_NOEDNS)
I don’t know what is going on, but there is something strange with your authoritative DNS servers.
Good luck,
sahsanu
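
The UDP-versus-TCP comparison from the post above, as an added shell example (not part of the original post): it asks each name server for CAA over UDP and over TCP, plus an A record over UDP as a control, and labels the outcome. The function names, the verdict labels, the script name and the `+norecurse +time=3 +tries=2` options are choices made for this example, and it is meant to be pointed at authoritative servers.

```shell
#!/bin/sh
# Added example: compare CAA over UDP vs TCP, with an A query as a control.

# Reduce one full dig transcript (stdin) to: answer, nodata, timeout, unknown,
# or the lowercased RCODE (servfail, refused, ...).
classify_dig() {
    awk '
        /timed out|no servers could be reached/ { timeout = 1 }
        /status: [A-Z]+/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
        /ANSWER: [0-9]+/ { a = $0; sub(/.*ANSWER: /, "", a); sub(/,.*/, "", a); answers = a + 0 }
        END {
            if (status == "NOERROR") print (answers > 0 ? "answer" : "nodata")
            else if (status != "")   print tolower(status)
            else if (timeout)        print "timeout"
            else                     print "unknown"
        }'
}

# $1 = CAA over UDP, $2 = CAA over TCP, $3 = A over UDP (control)
verdict() {
    if [ "$1" = "$2" ]; then
        echo "consistent"
    elif [ "$1" = "timeout" ] && [ "$3" != "timeout" ]; then
        echo "caa-udp-only-failure"   # the pattern reported in the post
    else
        echo "transport-mismatch"
    fi
}

# $1 = server, $2 = name, $3 = type, $4 = +notcp or +tcp
probe() {
    dig -4 "@$1" "$2" "$3" "$4" +norecurse +time=3 +tries=2 2>&1 | classify_dig
}

check_server() {   # $1 = server, $2 = name
    caa_udp=$(probe "$1" "$2" CAA +notcp)
    caa_tcp=$(probe "$1" "$2" CAA +tcp)
    a_udp=$(probe "$1" "$2" A +notcp)
    printf '%s CAA/udp=%s CAA/tcp=%s A/udp=%s => %s\n' "$1" \
        "$caa_udp" "$caa_tcp" "$a_udp" "$(verdict "$caa_udp" "$caa_tcp" "$a_udp")"
}

# Usage: sh caa-check.sh NAME SERVER [SERVER...]
if [ "$#" -ge 2 ]; then
    name=$1; shift
    for ns in "$@"; do check_server "$ns" "$name"; done
fi
```

Run it as `sh caa-check.sh cda.zignago.com 192.106.1.1 192.106.1.9` from each vantage point; a `caa-udp-only-failure` line means CAA timed out over UDP while CAA over TCP and the A control did not.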