On 18/10/16 11:26, Jacob Hoffman-Andrews wrote:
> DNS fail open or closed: Let's Encrypt currently treats a SERVFAIL when
> looking up CAA as "no CAA record present, okay to issue." However, we
> are working to change this, so a CAA SERVFAIL will prevent issuance. In
> our investigations we've found that 0.1% of domains with a current Let's
> Encrypt certificate return SERVFAIL for CAA.
Does that tend to be a permanent or a temporary condition?
Public mailing list