(Renaming this branch of the thread to reflect the topic)

On 07/21/2017 09:12 AM, Markus Gutschke wrote:
> It's great to hear that PowerDNS found and fixed the bug.
> By default, [Xenial] ships with a version of PowerDNS that lags behind
> the official 4.0.x
> branch: https://packages.ubuntu.com/xenial/pdns-server. This is of
> course not uncommon for Linux distributions. And as far as I can tell,
> this particular version doesn't even have support for CAA, but I am
> not sure whether that would be a good or a bad thing in this
> particular situation.

Lack of support for CAA doesn't make a difference. A server that doesn't understand CAA queries will respond with an empty NOERROR, the same as a server that understands CAA queries but has no resource records of that type. The problem comes in with the signing of the response.

> Personally, I could probably upgrade to a newer version of PowerDNS
> without too much hassle. But if every Ubuntu user needs to do that,
> that's going to require a lot of coordination. Has anybody tried
> getting Ubuntu to officially backport the bug fix into Xenial?

That's a very good idea. I don't think anyone has; would you like to lead that effort? I could introduce you to the person who helps Certbot maintain Ubuntu packages. He might have some ideas about the correct process to follow.
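
The empty-NOERROR behaviour described in the reply above, as an added Python example that is not part of the original message or of PowerDNS: it parses a DNS response to a CAA query and reports whether it is an empty NOERROR, and whether the authority section carries the NSEC/NSEC3 and RRSIG records a DNSSEC-signed zone uses to prove that emptiness. The function names and sample messages are constructed for illustration, and the signed-denial check reflects general DNSSEC behaviour rather than any detail of the bug discussed in the thread.

```python
import struct

CAA, SOA, RRSIG, NSEC, NSEC3 = 257, 6, 46, 47, 50   # RR type codes

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def classify_caa_response(msg):
    """Return (outcome, signed_denial) for a response to a CAA query."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):                  # skip the question section
        off = skip_name(msg, off) + 4
    types = []
    for _ in range(an + ns):             # walk answer + authority records
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    answers, authority = types[:an], types[an:]
    if flags & 0x000F:                   # RCODE != NOERROR
        outcome = "error"
    elif CAA in answers:
        outcome = "records"
    else:
        outcome = "nodata"               # the "empty NOERROR" case
    signed = RRSIG in authority and (NSEC in authority or NSEC3 in authority)
    return outcome, signed

# --- constructed sample messages (placeholder rdata, not real captures) ---
def rr(rtype, rdata=b"\x00"):
    # owner name is a compression pointer back to the question name at offset 12
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def response(rcode, answer=(), authority=()):
    header = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, len(answer), len(authority), 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", CAA, 1)
    return header + question + b"".join(answer) + b"".join(authority)

UNSIGNED_NODATA = response(0, authority=[rr(SOA)])
SIGNED_NODATA = response(0, authority=[rr(SOA), rr(RRSIG), rr(NSEC), rr(RRSIG)])
SERVFAIL = response(2)
WITH_CAA = response(0, answer=[rr(CAA, b"\x00\x05issueca.example")])
```

Both NODATA samples classify as the same empty NOERROR outcome; only the second element of the result shows whether signed denial records accompany it.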