Maintained by: NLnet Labs

Issues with DNSSEC, use-caps-for-id, and empty responses

Jacob Hoffman-Andrews
Thu Jul 20 07:39:10 CEST 2017


At Let's Encrypt, we recently started refusing to issue if there is a
failure during CAA lookup, in particular a SERVFAIL. We've received a
handful of reports from users who are hitting these SERVFAILs. The
authoritative resolver software and the root causes seem to be somewhat
different (PowerDNS is one; DNSimple's in-house resolver is another),
but it seems like these only happen for people with DNSSEC enabled. For
everyone reporting we can successfully resolve and validate their A
records, but when querying their CAA records we get a failure to
validate. One of the key differences for the CAA records is that the
response is almost always empty, so it seems like the issue may be
related to signing of empty responses. Additionally, we have
"use-caps-for-id: yes" in our unbound config. For one of the affected
domains, we can validate records when we set "use-caps-for-id: no", but
other domains aren't affected.

Do you know of any issues that would cause validation failures for the
particular combination of DNSSEC, empty responses, and use-caps-for-id: yes?

Here are the threads from our forums:

https://community.letsencrypt.org/t/powerdns-cant-find-why-caa-servfails/38127/46
https://community.letsencrypt.org/t/help-diagnosing-caa-failures-ns1-cyso-nl/38461
https://community.letsencrypt.org/t/dnsimple-caa-servfail/38459

And here is an Unbound config that is pretty close to what we have in
prod (performance tuning removed, and file paths and users tweaked to
run as unprivileged user):

https://github.com/jsha/unboundtest/blob/master/unbound.conf

Thanks,
Jacob
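The validation step the message is circling around is the denial-of-existence proof: an empty CAA answer from a signed zone is only valid if the NSEC (or NSEC3) record in the response proves, in DNSSEC canonical form, that the name exists but carries no CAA type, and canonical form lowercases owner names (RFC 4034 section 6), which is why a 0x20 case-randomized query name must still match. The following is an added example, not code from the original post or from Unbound; it implements the NSEC NODATA and NXDOMAIN checks over constructed NSEC records for a hypothetical `example.com` zone and assumes the RRSIG over the NSEC has already been verified separately.

```python
"""Added example (not from the original post or from Unbound): decide whether
an NSEC record proves an empty (NODATA) or non-existent (NXDOMAIN) answer,
comparing names in DNSSEC canonical form (RFC 4034 section 6) so that a
0x20-style case-randomized query name matches regardless of case.
The NSEC record and zone names below are constructed for illustration;
RRSIG verification of the NSEC is assumed to happen elsewhere."""
from dataclasses import dataclass, field
from typing import List, Optional


def canonical_labels(name: str) -> List[bytes]:
    """Split a presentation-format name into canonical-form labels: trailing
    dot removed and US-ASCII letters lowercased (RFC 4034 6.2), so that
    "eXaMpLe.CoM." and "example.com" yield the same label list."""
    stripped = name.rstrip(".")
    if not stripped:
        return []
    return [label.lower().encode("ascii") for label in stripped.split(".")]


def canonical_compare(a: str, b: str) -> int:
    """Canonical DNS name ordering (RFC 4034 6.1): compare label by label
    starting from the rightmost label; a name with fewer labels that is a
    prefix of the other sorts first. Returns -1, 0 or 1."""
    la = canonical_labels(a)[::-1]
    lb = canonical_labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


@dataclass
class NSEC:
    """Minimal NSEC RR: owner name, next owner name, and the type bitmap."""
    owner: str
    next_name: str
    types: frozenset = field(default_factory=frozenset)


def nsec_proves(nsec: NSEC, qname: str, qtype: str) -> Optional[str]:
    """Return "NODATA" if the NSEC proves qname exists without qtype,
    "NXDOMAIN" if it proves qname does not exist, otherwise None.
    (A complete NXDOMAIN proof also needs a wildcard denial; omitted here.)"""
    types = {t.upper() for t in nsec.types}
    qtype = qtype.upper()
    if canonical_compare(nsec.owner, qname) == 0:
        # A CNAME at the owner redirects the query instead of proving NODATA.
        if "CNAME" in types:
            return None
        return "NODATA" if qtype not in types else None
    after_owner = canonical_compare(nsec.owner, qname) < 0
    before_next = canonical_compare(qname, nsec.next_name) < 0
    # The last NSEC in a zone points back to the apex, so "next" sorts
    # before "owner"; anything after the owner is then covered.
    wraps = canonical_compare(nsec.next_name, nsec.owner) <= 0
    if after_owner and (before_next or wraps):
        return "NXDOMAIN"
    return None


if __name__ == "__main__":
    # Constructed apex NSEC for a zone that has no CAA record at all.
    apex = NSEC("example.com.", "www.example.com.",
                frozenset({"A", "NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}))
    # The query name arrives with 0x20 case randomization; canonical
    # comparison still matches the NSEC owner, so the empty answer validates.
    print(nsec_proves(apex, "eXaMpLe.CoM", "CAA"))       # NODATA
    print(nsec_proves(apex, "MaIl.example.com.", "CAA"))  # NXDOMAIN
```

Running the block shows the two outcomes a validator must reach for an empty CAA answer: NODATA when the mixed-case query name canonicalizes to the NSEC owner and CAA is absent from its type bitmap, and NXDOMAIN when the name falls between owner and next. A resolver that compared the echoed mixed-case name against the NSEC owner byte-for-byte, rather than in canonical form, would reject exactly these empty answers while still accepting populated A answers, which matches the symptom the message describes.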