At Let's Encrypt, we recently started refusing to issue if there is a failure during CAA lookup, in particular a SERVFAIL. We've received a handful of reports from users who are hitting these SERVFAILs. The authoritative resolver software and the root causes seem to be somewhat different (PowerDNS is one; DNSimple's in-house resolver is another), but it seems like these only happen for people with DNSSEC enabled. For everyone reporting we can successfully resolve and validate their A records, but when querying their CAA records we get a failure to validate. One of the key differences for the CAA records is that the response is almost always empty, so it seems like the issue may be related to signing of empty responses. Additionally, we have "use-caps-for-id: yes" in our unbound config. For one of the affected domains, we can validate records when we set "use-caps-for-id: no", but other domains aren't affected.
Do you know of any issues that would cause validation failures for the particular combination of DNSSEC, empty responses, and use-caps-for-id: yes?

Here are the threads from our forums:

https://community.letsencrypt.org/t/powerdns-cant-find-why-caa-servfails/38127/46
https://community.letsencrypt.org/t/help-diagnosing-caa-failures-ns1-cyso-nl/38461
https://community.letsencrypt.org/t/dnsimple-caa-servfail/38459

And here is an Unbound config that is pretty close to what we have in prod (performance tuning removed, and file paths and users tweaked to run as an unprivileged user):

https://github.com/jsha/unboundtest/blob/master/unbound.conf

Thanks,
Jacob
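Editor's note: the post above asks how DNSSEC, an empty (NODATA) CAA answer and use-caps-for-id (0x20 query-name case randomization) could interact. The following added example is not from the post, from Let's Encrypt or from Unbound; it shows, with constructed records and the standard library only, the two pieces of a validator that a NODATA proof depends on: RFC 4034 canonical-form name handling (which lowercases owner names, so echoed query case must not matter) and the NSEC type-bitmap check from RFC 4035. A deliberately case-sensitive variant is included for contrast only; it illustrates the class of mistake the question is about, not an observed behaviour of any server named in the post. RRSIG signature verification is assumed to have been done separately over the same canonical form.

```python
"""Added example (not from the original post): canonical-form name handling
and an NSEC NODATA check, as used to validate a signed empty CAA answer.
Standard library only; all records are constructed; RRSIG checking assumed."""
import random

# RR type codes from the IANA DNS parameters registry.
TYPE_A, TYPE_CNAME, TYPE_RRSIG, TYPE_NSEC, TYPE_CAA = 1, 5, 46, 47, 257


def randomize_case(qname: str, rng: random.Random) -> str:
    """0x20-style random case on the letters of a query name, as a resolver
    with use-caps-for-id does before sending the query."""
    return "".join((c.upper() if rng.random() < 0.5 else c.lower()) if c.isalpha() else c
                   for c in qname)


def canonical_wire_name(name: str) -> bytes:
    """RFC 4034 section 6.2 canonical form: fully qualified, ASCII letters
    lowercased, uncompressed wire format ending in the empty root label.
    Signatures are computed over this form, so echoed case is irrelevant."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue  # bare root name
        encoded = label.lower().encode("ascii")
        if len(encoded) > 63:
            raise ValueError("label too long: %r" % label)
        out.append(len(encoded))
        out += encoded
    out.append(0)  # root label
    return bytes(out)


def encode_type_bitmap(types) -> bytes:
    """NSEC Type Bit Maps field (RFC 4034 section 4.1.2): one
    (window, length, bitmap) block per 256-type window, trailing zeros dropped."""
    windows = {}
    for t in types:
        window, low = divmod(t, 256)
        windows.setdefault(window, bytearray(32))[low // 8] |= 0x80 >> (low % 8)
    out = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmap(data: bytes) -> set:
    """Inverse of encode_type_bitmap; rejects malformed or truncated blocks."""
    types, i = set(), 0
    while i + 2 <= len(data):
        window, length = data[i], data[i + 1]
        bitmap = data[i + 2:i + 2 + length]
        if len(bitmap) != length or not 1 <= length <= 32:
            raise ValueError("malformed type bitmap block")
        for byte_index, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.add(window * 256 + byte_index * 8 + bit)
        i += 2 + length
    if i != len(data):
        raise ValueError("trailing bytes in type bitmap")
    return types


def proves_nodata(qname: str, qtype: int, nsec_owner: str, nsec_bitmap: bytes) -> bool:
    """RFC 4035 section 5.4: a (verified) NSEC RR whose owner matches QNAME and
    whose bitmap lacks both QTYPE and CNAME proves the name has no QTYPE RRset.
    Names are compared in canonical form, so 0x20 case cannot break the proof."""
    if canonical_wire_name(qname) != canonical_wire_name(nsec_owner):
        return False
    present = decode_type_bitmap(nsec_bitmap)
    return qtype not in present and TYPE_CNAME not in present


def proves_nodata_case_sensitive(qname, qtype, nsec_owner, nsec_bitmap) -> bool:
    """Deliberately wrong contrast: compares owner names without
    canonicalizing, so a valid proof with an echoed mixed-case owner is rejected."""
    if qname.rstrip(".") != nsec_owner.rstrip("."):
        return False
    present = decode_type_bitmap(nsec_bitmap)
    return qtype not in present and TYPE_CNAME not in present


def demo(seed: int = 7) -> dict:
    """Constructed scenario: a zone with A, RRSIG and NSEC but no CAA; the
    server echoes the randomized query case into the NSEC owner name."""
    sent_qname = randomize_case("example.com.", random.Random(seed))
    bitmap = encode_type_bitmap({TYPE_A, TYPE_RRSIG, TYPE_NSEC})
    return {"sent_qname": sent_qname,
            "canonical": proves_nodata("example.com", TYPE_CAA, sent_qname, bitmap),
            "case_sensitive": proves_nodata_case_sensitive("example.com", TYPE_CAA,
                                                           sent_qname, bitmap)}


if __name__ == "__main__":
    print(demo())
```

Running the block prints the randomized query name actually sent and the verdict of each checker; the canonical-form check accepts the NODATA proof for every case pattern, while the case-sensitive variant only accepts it when the randomization happens to produce all-lowercase.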
