Continuing the discussion on CAA

Gervase Markham
Tue Oct 18 20:44:28 UTC 2016

On 18/10/16 11:26, Jacob Hoffman-Andrews wrote:
> DNS fail open or closed: Let's Encrypt currently treats a SERVFAIL when
> looking up CAA as "no CAA record present, okay to issue." However, we
> are working to change this, so a CAA SERVFAIL will prevent issuance. In
> our investigations we've found that 0.1% of domains with a current Let's
> Encrypt certificate return SERVFAIL for CAA.

Does that tend to be a permanent or a temporary condition?
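The fail-open versus fail-closed handling of a CAA SERVFAIL discussed in this message, shown as an added example; it is not part of the original e-mail and is not Let's Encrypt's code. The domain names, the CA identifier `ca.example`, the canned resolver answers and the simplified tree climb (only `issue` values, no alias handling, no critical flags) are assumptions made for illustration.

```python
from enum import Enum


class Rcode(Enum):
    NOERROR = "NOERROR"
    NXDOMAIN = "NXDOMAIN"
    SERVFAIL = "SERVFAIL"


# Constructed resolver answers for CAA queries: name -> (rcode, issue values).
# Every name and the CA identifier are made up for this example.
SAMPLE_DNS = {
    "www.open.example": (Rcode.NOERROR, []),
    "open.example": (Rcode.NOERROR, []),
    "www.pinned.example": (Rcode.NOERROR, []),
    "pinned.example": (Rcode.NOERROR, ["other-ca.example"]),
    "www.broken.example": (Rcode.SERVFAIL, []),
    "broken.example": (Rcode.SERVFAIL, []),
    "example": (Rcode.NOERROR, []),
}


def caa_decision(domain, ca_id, dns, fail_closed):
    """Return (allowed, reason) for CA `ca_id` issuing a certificate for `domain`."""
    labels = domain.rstrip(".").lower().split(".")
    skipped = []
    # Climb from the full name towards the top-level label.
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, issuers = dns.get(name, (Rcode.NXDOMAIN, []))
        if rcode is Rcode.SERVFAIL:
            if fail_closed:
                # The owner's policy is unknown, so refuse rather than guess.
                return False, f"SERVFAIL looking up CAA for {name}"
            skipped.append(name)  # fail open: treat as "no CAA record present"
            continue
        if issuers:  # first non-empty CAA set found while climbing decides
            ok = ca_id in issuers
            return ok, f"CAA at {name} {'permits' if ok else 'forbids'} {ca_id}"
    if skipped:
        return True, "no CAA seen; SERVFAIL ignored at " + ", ".join(skipped)
    return True, "no CAA record found"


if __name__ == "__main__":
    for host in ("www.open.example", "www.pinned.example", "www.broken.example"):
        for closed in (False, True):
            print(host, "fail_closed" if closed else "fail_open",
                  caa_decision(host, "ca.example", SAMPLE_DNS, closed))
```

Only `www.broken.example` changes outcome between the two modes: with fail-open the CA issues without ever having seen whatever CAA policy the domain owner may have published.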


