[Pdns-users] CAA Records
steve at blighty.com
Sun Aug 13 18:16:48 UTC 2017
> On Aug 13, 2017, at 11:10 AM, Brian Candler <b.candler at pobox.com> wrote:
> On 13/08/2017 18:40, Curtis Maurand wrote:
>> I have a ton of websites running letsencrypt. That's great, I like it, but starting in April they started requiring CAA records.
> Citation needed?
> says that this is optional. ("If you don’t care about CAA, you generally don’t have to do anything"). And I don't have any problems getting letsencrypt certificates for a domain with no CAA records.
You don't need to have CAA records, but you need a nameserver that answers queries for CAA records. NXDOMAIN is fine.
Broken dnssec will cause those queries to fail (as they're made over dnssec if available).
More information about the Pdns-users