On Tue, Oct 18, 2016 at 1:44 PM, Gervase Markham <g...@mozilla.org> wrote:

> > our investigations we've found that 0.1% of domains with a current Let's
> > Encrypt certificate return SERVFAIL for CAA.
>
> Does that tend to be a permanent or a temporary condition?
>

In this particular investigation, I ran a script that first attempted to
resolve A records for a hostname three times over the space of a couple of
days. For any hostname that had at least one successful response for an A
record, I then attempted CAA lookups three times over the space of a couple
of days, including lookups for parent domains. Any hostname that failed all
CAA lookups went in the "failed" bucket. So, on a timescale of days, they
are mostly permanent failures.

We've found one specific case of a Kemp load balancer that returns SERVFAIL
to all query types other than A. We'll be working with the vendor to see if
they can fix that in future releases.
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

Reply via email to