[cabfpub] Continuing the discussion on CAA
jsha at letsencrypt.org
Tue Oct 18 14:46:47 MST 2016
On Tue, Oct 18, 2016 at 1:44 PM, Gervase Markham <gerv at mozilla.org> wrote:
> > our investigations we've found that 0.1% of domains with a current Let's
> > Encrypt certificate return SERVFAIL for CAA.
> Does that tend to be a permanent or a temporary condition?
In this particular investigation, I ran a script that first attempted to
resolve A records for a hostname three times over the space of a couple of
days. For any hostname that had at least one successful response for an A
record, I then attempted CAA lookups three times over the space of a couple
of days, including lookups for parent domains. Any hostname that failed all
CAA lookups went in the "failed" bucket. So, on a timescale of days, they
are mostly permanent failures.
We've found one specific case of a Kemp load balancer that returns SERVFAIL
to all query types other than A. We'll be working with the vendor to see if
they can fix that in future releases.
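The two-stage survey described in this message (retry A, then retry a CAA tree climb and bucket any hostname whose CAA lookups all fail) can be modelled offline. The following is an added illustration, not Let's Encrypt's script or data: the `FakeResolver`, the zone contents, the `broken` name standing in for an authoritative server that answers SERVFAIL to every query type except A, and the `flaky_caa` name standing in for a transient failure are all constructed for the example. The CAA climb follows the RFC 6844 parent-walk with alias handling omitted.

```python
"""Added example: reconstruction of the CAA survey procedure described in the
message. The resolver, zone data and hostnames are constructed for illustration
and are not Let's Encrypt's script or measurements."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Answer:
    rcode: str                        # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    records: Tuple[str, ...] = ()


class FakeResolver:
    """Constructed stand-in for a recursive resolver; no network is used.

    zones:     {owner name: {rtype: (rdata, ...)}}. A name with no rrset of the
               requested type gets an empty NOERROR (NODATA), as real DNS does.
    broken:    names whose (hypothetical) authoritative server answers SERVFAIL
               for every qtype other than A, like the load balancer described.
    flaky_caa: {name: n} -> CAA answers SERVFAIL only for the first n queries,
               so retries over time can separate transient from persistent failure.
    """

    def __init__(self, zones, broken=frozenset(), flaky_caa=None):
        self.zones = {k.lower(): v for k, v in zones.items()}
        self.broken = frozenset(b.lower() for b in broken)
        self.flaky_caa: Dict[str, int] = dict(flaky_caa or {})

    def query(self, name: str, rtype: str) -> Answer:
        name = name.rstrip(".").lower()
        if rtype != "A" and any(name == z or name.endswith("." + z) for z in self.broken):
            return Answer("SERVFAIL")
        if rtype == "CAA" and self.flaky_caa.get(name, 0) > 0:
            self.flaky_caa[name] -= 1
            return Answer("SERVFAIL")
        rrsets = self.zones.get(name)
        if rrsets is None:
            return Answer("NXDOMAIN")
        return Answer("NOERROR", tuple(rrsets.get(rtype, ())))


def caa_lookup(resolver: FakeResolver, hostname: str):
    """Walk from hostname up through its parents (RFC 6844 tree climb, alias
    step omitted). Returns (status, records, name_answered) where status is
    "found", "none" (no CAA anywhere up the tree) or "servfail" (a lookup
    failed, so the relevant CAA set cannot be determined at all)."""
    labels = hostname.rstrip(".").lower().split(".")
    while labels:
        name = ".".join(labels)
        ans = resolver.query(name, "CAA")
        if ans.rcode == "SERVFAIL":
            return "servfail", (), name
        if ans.rcode == "NOERROR" and ans.records:
            return "found", ans.records, name
        labels = labels[1:]                     # climb to the parent domain
    return "none", (), None


def classify(resolver: FakeResolver, hostname: str, attempts: int = 3) -> str:
    """Bucketing as described in the message: 'unreachable' if no A lookup in
    `attempts` tries succeeds; otherwise 'caa_failed' if every CAA climb ends in
    SERVFAIL, else 'caa_ok'."""
    if not any(resolver.query(hostname, "A").records for _ in range(attempts)):
        return "unreachable"
    for _ in range(attempts):
        status, _records, _name = caa_lookup(resolver, hostname)
        if status != "servfail":
            return "caa_ok"
    return "caa_failed"


# Constructed zone data (RFC 5737 documentation addresses, reserved example names).
ZONES = {
    "example.com": {"A": ("192.0.2.10",), "CAA": ('0 issue "letsencrypt.org"',)},
    "www.example.com": {"A": ("192.0.2.11",)},            # inherits CAA from parent
    "lb.example.net": {"A": ("192.0.2.20",)},             # served by the broken box
    "example.net": {"A": ("192.0.2.21",)},
    "intermittent.example.org": {"A": ("192.0.2.30",)},
    "example.org": {"A": ("192.0.2.31",), "CAA": ('0 issue "ca.example"',)},
}


def survey() -> Dict[str, str]:
    """Run the classification over a handful of constructed hostnames."""
    r = FakeResolver(ZONES, broken={"lb.example.net"},
                     flaky_caa={"intermittent.example.org": 2})
    hosts = ["www.example.com", "lb.example.net",
             "intermittent.example.org", "gone.example.com"]
    return {h: classify(r, h) for h in hosts}


if __name__ == "__main__":
    for host, bucket in survey().items():
        print(f"{host:28s} {bucket}")
```

The edge case worth noticing is `lb.example.net`: because the SERVFAIL comes from the leaf, the climb stops before it can ever consult `example.net`, so a perfectly good CAA policy one level up is unreachable and the host lands in the failed bucket on every attempt. The `intermittent.example.org` case shows why the message repeats the lookups over days: a SERVFAIL that clears on a later try is classified as usable, and only hosts that fail every try are counted as failures.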