> On Aug 13, 2017, at 11:10 AM, Brian Candler <[email protected]> wrote: > > On 13/08/2017 18:40, Curtis Maurand wrote: >> I have a ton of websites running letsencrypt. That's great, I like it, but >> starting in April they started requiring CAA records. > > Citation needed? > > https://letsencrypt.org/docs/caa/ > > says that this is optional. ("If you don’t care about CAA, you generally > don’t have to do anything"). And I don't have any problems getting > letsencrypt certificates for a domain with no CAA records.
You don't need to have CAA records, but you need a nameserver that answers queries for CAA records. NXDOMAIN is fine. Broken dnssec will cause those queries to fail (as they're made over dnssec if available). Cheers, Steve _______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
