[Pdns-users] CAA Records

Steve Atkins steve at blighty.com
Sun Aug 13 18:16:48 UTC 2017

> On Aug 13, 2017, at 11:10 AM, Brian Candler <b.candler at pobox.com> wrote:
> On 13/08/2017 18:40, Curtis Maurand wrote:
>> I have a ton of websites running letsencrypt.  That's great, I like it, but starting in April they started requiring CAA records.
> Citation needed?
> https://letsencrypt.org/docs/caa/
> says that this is optional. ("If you don’t care about CAA, you generally don’t have to do anything"). And I don't have any problems getting letsencrypt certificates for a domain with no CAA records.

You don't need to have CAA records, but you need a nameserver that answers queries for CAA records. NXDOMAIN is fine.

Broken DNSSEC will cause those queries to fail (as they're made over DNSSEC if available).
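
The distinction made in the reply above, as an added example that is not part of the original post: a sketch of how a CAA lookup result can be classified from the response header. The function names are hypothetical and the sample replies are constructed header-plus-question packets; it assumes that a validating resolver reports a DNSSEC validation failure as SERVFAIL.

```python
import struct

CAA = 257  # RR type number for CAA
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_caa_query(name, txid=0x1234):
    """Wire-format query for <name> IN CAA with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", CAA, 1)

def classify_caa_response(query, response):
    """Return (usable, reason): can a CA treat this lookup as answered?"""
    if response is None:
        return False, "timeout"
    if len(response) < 12:
        return False, "truncated header"
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return False, "not a response to this query"
    rcode = flags & 0x000F
    if rcode == 0:
        # Having no CAA records at all is a valid, usable answer.
        return True, f"NOERROR, {an} answer record(s)"
    if rcode == 3:
        return True, "NXDOMAIN"
    # SERVFAIL is what a validating resolver returns for broken DNSSEC.
    return False, RCODES.get(rcode, f"RCODE{rcode}")

def fake_response(query, rcode):
    """Constructed sample reply: echoes the question with QR, RD, RA set."""
    return query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_caa_query("example.com")
    samples = {"no CAA records": fake_response(q, 0),
               "name does not exist": fake_response(q, 3),
               "broken DNSSEC": fake_response(q, 2),
               "server refuses CAA": fake_response(q, 5),
               "no reply": None}
    for label, resp in samples.items():
        print(f"{label:22} -> {classify_caa_response(q, resp)}")
```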

