[Pdns-users] CAA Records
Steve Atkins
steve at blighty.com
Sun Aug 13 18:16:48 UTC 2017
> On Aug 13, 2017, at 11:10 AM, Brian Candler <b.candler at pobox.com> wrote:
>
> On 13/08/2017 18:40, Curtis Maurand wrote:
>> I have a ton of websites running letsencrypt. That's great, I like it, but starting in April they started requiring CAA records.
>
> Citation needed?
>
> https://letsencrypt.org/docs/caa/
>
> says that this is optional. ("If you don’t care about CAA, you generally don’t have to do anything"). And I don't have any problems getting letsencrypt certificates for a domain with no CAA records.

You don't need to have CAA records, but you need a nameserver that answers queries for CAA records. NXDOMAIN is fine.
Broken DNSSEC will cause those queries to fail (as they're made over DNSSEC if available).

Cheers,
Steve
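
The distinction made in the reply above, as an added example that is not part of the original message: a raw CAA query (RR type 257) and a classifier for the reply a nameserver gives to it. The function names and the sample-response builder are assumptions made for illustration; treating every RCODE other than NOERROR and NXDOMAIN as a failed lookup is this example's reading of "answers queries".

```python
import socket
import struct

CAA = 257  # RR type number assigned to CAA
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_caa_query(name, qid=0x1234):
    """Wire-format DNS query for <name> IN CAA, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", CAA, 1)

def classify_caa_response(query, response):
    """Return (ok, reason). response=None stands for a timeout."""
    if response is None:
        return False, "no answer (timeout)"
    if len(response) < 12:
        return False, "short packet"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return False, "not a response to this query"
    rcode = flags & 0x000F
    if rcode == 0:   # answered; zero records means no CAA restriction here
        return True, "NOERROR, %d answer record(s)" % ancount
    if rcode == 3:   # the name does not exist, still a valid answer
        return True, "NXDOMAIN"
    # SERVFAIL is also what a validating resolver returns on broken DNSSEC
    return False, RCODES.get(rcode, "RCODE%d" % rcode)

def query_udp(server, name, timeout=3.0):
    """Send the query to server:53 over UDP; returns (query, reply or None)."""
    query = build_caa_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return query, s.recvfrom(4096)[0]
        except socket.timeout:
            return query, None

def make_response(query, rcode):
    """Constructed sample reply: question echoed, QR+RD+RA set, no answers."""
    flags = struct.pack("!H", 0x8180 | rcode)
    return query[:2] + flags + struct.pack("!HHHH", 1, 0, 0, 0) + query[12:]
```

To check a live server, pass the tuple from query_udp("<nameserver address>", "<your domain>") to classify_caa_response.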