[Pdns-users] CAA Records

Steve Atkins steve at blighty.com
Sun Aug 13 18:16:48 UTC 2017


> On Aug 13, 2017, at 11:10 AM, Brian Candler <b.candler at pobox.com> wrote:
> 
> On 13/08/2017 18:40, Curtis Maurand wrote:
>> I have a ton of websites running letsencrypt.  That's great, I like it, but starting in April they started requiring CAA records.
> 
> Citation needed?
> 
> https://letsencrypt.org/docs/caa/
> 
> says that this is optional. ("If you don’t care about CAA, you generally don’t have to do anything"). And I don't have any problems getting letsencrypt certificates for a domain with no CAA records.

You don't need to have CAA records, but you need a nameserver that answers queries for CAA records. NXDOMAIN is fine.

Broken DNSSEC will cause those queries to fail (as they're made over DNSSEC if available).

Cheers,
  Steve
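
Added example, not part of the original message and not Let's Encrypt's or PowerDNS's code: a Python sketch of the distinction drawn above, building a CAA query and classifying the reply by RCODE. It assumes a validating resolver reports broken DNSSEC as SERVFAIL; the function names and the header-only sample replies are constructed for illustration.

```python
import struct

CAA_TYPE = 257  # RR type number assigned to CAA
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_caa_query(name, txid=0x1234):
    """Wire-format CAA query with RD set and the EDNS DO bit (DNSSEC requested)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", CAA_TYPE, 1)  # QTYPE=CAA, QCLASS=IN
    # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0,
    # version 0, flags with DO=0x8000, empty RDATA.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def classify_caa_response(packet):
    """Map a resolver reply (None = timeout) to what it means for a CAA check."""
    if packet is None or len(packet) < 12:
        return "fail: no usable answer"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    rcode = flags & 0x000F
    if rcode == 3:
        return "ok: NXDOMAIN, no CAA restriction"
    if rcode == 0:
        if ancount == 0:
            return "ok: empty answer, no CAA restriction"
        # Answer records still have to be parsed (they may be CNAMEs or CAA).
        return "check: answer records present"
    # SERVFAIL, REFUSED, etc.: the nameserver did not answer the question,
    # so the lookup counts as failed rather than as "no CAA records".
    return "fail: " + RCODES.get(rcode, "RCODE %d" % rcode)

def constructed_reply(rcode, ancount=0):
    """Constructed sample: header-only reply with QR=1, RD=1, RA=1."""
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 0, ancount, 0, 0)

if __name__ == "__main__":
    print(len(build_caa_query("example.com")), "byte query")
    for label, pkt in [("no such name", constructed_reply(3)),
                       ("no CAA records", constructed_reply(0)),
                       ("broken DNSSEC", constructed_reply(2)),
                       ("server ignores CAA", None)]:
        print(label, "->", classify_caa_response(pkt))
```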


