On Tue, Oct 18, 2016 at 1:44 PM, Gervase Markham <g...@mozilla.org> wrote:

> > our investigations we've found that 0.1% of domains with a current Let's
> > Encrypt certificate return SERVFAIL for CAA.
> Does that tend to be a permanent or a temporary condition?

In this particular investigation, I ran a script that first attempted to
resolve A records for a hostname three times over the space of a couple of
days. For any hostname that had at least one successful response for an A
record, I then attempted CAA lookups three times over the space of a couple
of days, including lookups for parent domains. Any hostname that failed all
CAA lookups went in the "failed" bucket. So, on a timescale of days, they
are mostly permanent failures.

We've found one specific case of a Kemp load balancer that returns SERVFAIL
to all query types other than A. We'll be working with the vendor to see if
they can fix that in future releases.
Public mailing list

Reply via email to