[cabfpub] Continuing the discussion on CAA

Jacob Hoffman-Andrews jsha at letsencrypt.org
Tue Oct 18 21:46:47 UTC 2016

On Tue, Oct 18, 2016 at 1:44 PM, Gervase Markham <gerv at mozilla.org> wrote:

> > our investigations we've found that 0.1% of domains with a current Let's
> > Encrypt certificate return SERVFAIL for CAA.
> Does that tend to be a permanent or a temporary condition?

In this particular investigation, I ran a script that first attempted to
resolve A records for a hostname three times over the space of a couple of
days. For any hostname that had at least one successful response for an A
record, I then attempted CAA lookups three times over the space of a couple
of days, including lookups for parent domains. Any hostname that failed all
CAA lookups went in the "failed" bucket. So, on a timescale of days, they
are mostly permanent failures.

We've found one specific case of a Kemp load balancer that returns SERVFAIL
to all query types other than A. We'll be working with the vendor to see if
they can fix that in future releases.
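The survey procedure described in this message (A-record liveness first, then repeated CAA lookups that climb to parent domains, with hosts that never answer CAA landing in a "failed" bucket) can be written out as a small classifier. The code below is an added example and is not code from the original post, from Let's Encrypt or from the CA/Browser Forum. It reproduces the classification logic with RFC 6844-style tree climbing against a constructed in-memory answer table so it runs offline; the `Resolver` callable, the `FAKE_ZONES` table, the `.test` hostnames and the "answers SERVFAIL to everything but A" host are all assumptions made for this example.

```python
"""CAA resolvability survey, modelled on the procedure described in the mail.

Added example, not code from the original post or from Let's Encrypt.
The resolver is a pluggable callable so the same logic can be run against
a real stub resolver; here a constructed in-memory table stands in for DNS.
"""
from __future__ import annotations

from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# A lookup yields (rcode, records) where rcode is one of
# "ok", "nodata", "nxdomain" or "servfail".  Hypothetical simplification.
LookupResult = Tuple[str, List[str]]
Resolver = Callable[[str, str], LookupResult]

# Constructed answer table: (qname, qtype) -> (rcode, records).  Sample data,
# not captured from any real zone.
FAKE_ZONES: Dict[Tuple[str, str], LookupResult] = {
    # Healthy host: no CAA at the host label, CAA published one level up.
    ("www.example.test", "A"): ("ok", ["192.0.2.10"]),
    ("www.example.test", "CAA"): ("nodata", []),
    ("example.test", "CAA"): ("ok", ['0 issue "letsencrypt.org"']),
    # Hypothetical front end that answers SERVFAIL to every qtype except A,
    # modelled on the behaviour the mail describes.
    ("lb.broken.test", "A"): ("ok", ["192.0.2.20"]),
    ("lb.broken.test", "CAA"): ("servfail", []),
    ("broken.test", "CAA"): ("servfail", []),
    # Host with no A record at all: excluded from the CAA phase entirely.
    ("gone.example.test", "A"): ("nxdomain", []),
}


def fake_resolver(qname: str, qtype: str) -> LookupResult:
    """Stand-in for a real resolver; unknown names answer NODATA."""
    return FAKE_ZONES.get((qname, qtype), ("nodata", []))


def parent_chain(hostname: str) -> List[str]:
    """www.example.test -> [www.example.test, example.test, test]."""
    labels = hostname.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def caa_lookup_with_climb(hostname: str, resolve: Resolver) -> LookupResult:
    """RFC 6844 tree climbing: the first CAA RRset found is authoritative.

    A SERVFAIL encountered before a definitive answer makes the whole
    lookup fail, because the CA cannot know whether a restrictive record
    sits at that label.  NODATA/NXDOMAIN means keep climbing.
    """
    for name in parent_chain(hostname):
        rcode, records = resolve(name, "CAA")
        if rcode == "ok":
            return "ok", records
        if rcode == "servfail":
            return "servfail", []
    return "nodata", []  # reached the top with no CAA anywhere


def classify(hostname: str, resolve: Resolver, attempts: int = 3) -> str:
    """Bucket one hostname the way the mail describes.

    skipped    - never returned an A record, so not counted
    resolvable - at least one CAA lookup gave a definitive answer
    failed     - every CAA lookup ended in SERVFAIL
    """
    # Phase 1: liveness.  Only hosts with at least one A answer proceed.
    if not any(resolve(hostname, "A")[0] == "ok" for _ in range(attempts)):
        return "skipped"
    # Phase 2: repeated CAA lookups, including parent domains.
    for _ in range(attempts):
        rcode, _records = caa_lookup_with_climb(hostname, resolve)
        if rcode in ("ok", "nodata"):
            return "resolvable"
    return "failed"


def survey(hostnames: Iterable[str], resolve: Resolver, attempts: int = 3) -> Counter:
    """Tally buckets across a population of hostnames."""
    return Counter(classify(h, resolve, attempts) for h in hostnames)


def failure_rate(buckets: Counter) -> float:
    """Share of live hosts whose CAA lookups all failed (0.0 if none live)."""
    live = buckets["failed"] + buckets["resolvable"]
    return buckets["failed"] / live if live else 0.0


if __name__ == "__main__":
    hosts = ["www.example.test", "lb.broken.test", "gone.example.test"]
    result = survey(hosts, fake_resolver)
    print(dict(result), f"failure rate among live hosts: {failure_rate(result):.1%}")
```

In the mail the three attempts were spread over days; the `attempts` loop collapses that into consecutive calls, so with a real resolver you would schedule the calls rather than run them back to back. Swapping `fake_resolver` for a thin wrapper around a real stub resolver is the only change needed to run the survey against live names, and the "SERVFAIL anywhere in the chain fails the lookup" rule is what makes a single misbehaving authoritative server surface as a permanent failure in the results.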