On Tue, Jul 03, 2018 at 07:50:00PM +0000, Tim Hollebeek wrote:
> One of the things we found out with CAA is that this extremely optimistic view
> of the support for unknown RR types by large hosting providers is not
> accurate.

As context, problems with CAA were not limited to various DNS hosters not supporting it or DNS recursives choking on it, but also things like:

1) Broken replies from _authoritative_ nameservers for CAA queries.
2) Timeouts from _authoritative_ nameservers for CAA queries.
3) Broken DNSSEC proofs for empty record sets.

The most worrisome here is 2). Even with a good DNS recursive, you would still take timeouts.

There are quite a few CAA-related problem reports on Let's Encrypt forums. Those are almost never of incorrect CAA records and rarely questions on how to add CAA, but generally problems caused by some authoritative nameserver being broken and causing CAA lookups to fail or return bogus answers.

-Ilari

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
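An added illustration of the point above, not code from the thread or from any CA: a simulated CAA lookup in the RFC 8659 style (climb from the queried name towards the root and use the first non-empty CAA RRset) over constructed zone data, showing why an empty answer (NODATA) lets the lookup continue to the parent while a timeout or broken reply at any label has to fail the whole lookup rather than be read as "no CAA". The zone names, the `SIMULATED_ZONES` table and the `simulated_query` stand-in are assumptions made for the example; only the `issue` tag is evaluated (non-wildcard names).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class CaaRecord:
    flags: int   # RFC 8659 flags byte (128 = issuer critical)
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str

class CaaLookupError(Exception):
    """A CAA query failed outright: timeout, SERVFAIL or malformed reply."""

# Constructed zone data (hypothetical): name -> list of CAA records (an empty
# list is NODATA) or a string naming a failure mode of the authoritative server.
SIMULATED_ZONES = {
    "www.example.com": [],                                  # NODATA, climb up
    "example.com": [CaaRecord(0, "issue", "ca.example.net")],
    "www.example.org": "TIMEOUT",                           # broken auth server
    "example.org": [CaaRecord(0, "issue", "other-ca.example")],
    "www.example.net": [],
    "example.net": [],                                      # no CAA anywhere
}

def simulated_query(name: str):
    """Offline stand-in for a real CAA query; unknown names behave as NODATA."""
    answer = SIMULATED_ZONES.get(name, [])
    if isinstance(answer, str):
        raise CaaLookupError(f"{name}: {answer}")
    return answer

def relevant_caa_set(fqdn: str, query=simulated_query):
    """Return the first non-empty CAA RRset from fqdn up to the TLD.
    An empty set at every label means no CAA restriction applies; a failed
    query at any label propagates, because 'no answer' is not 'no CAA'."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = query(".".join(labels[i:]))  # may raise CaaLookupError
        if rrset:
            return rrset
    return []

def ca_may_issue(fqdn: str, ca_identity: str) -> Optional[bool]:
    """True/False per the relevant CAA set; None when the lookup itself failed,
    which a CA must treat as 'cannot issue yet', not as permission."""
    try:
        rrset = relevant_caa_set(fqdn)
    except CaaLookupError:
        return None
    issue = [r for r in rrset if r.tag == "issue"]
    # "issue" value ";" (no issuer domain) matches nobody, so it forbids issuance
    return not issue or any(r.value.split(";")[0].strip() == ca_identity for r in issue)
```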
