Internal: CAA Record DNSSEC Issues

August 30, 2018

We, as a CA, need to conform to CA/Browser Forum requirements.
As of early Sept 2017, CAs are REQUIRED to check for the existence of CAA record(s) for a given public registrable dnsName (e.g.
and we need to follow CNAME and DNAME records, if published in DNS. Additionally,
we need to validate DNSSEC signatures at all levels of the requested dnsName. (RFC6844, for reference;

  • We have to check for the existence of CAA records at all levels AND validate DNSSEC signatures, on top of following all CNAMEs and DNAMEs.
  • A zone can be unsigned; that won't matter.
  • Additionally, if we do not receive a response from their systems within 2 seconds, we time out.
  • Please fix the DNSSEC issues on those domains and we will be able to issue your certificate.

Please see (include links to Verisign DNSSEC checker)

Another link can help troubleshoot the issue with DNSSEC

Thank you
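
For support staff, the check described above can be sketched as follows. This is an added example, not our production code: it runs against constructed resolver answers, the issuer names and `.test` domains are hypothetical, DNAME handling is omitted, and treating a timeout as a blocked check is an assumption of the example.

```python
TIMEOUT_S = 2.0   # response deadline stated in the note above
MAX_ALIASES = 8   # assumption: cap on CNAME chain length to stop loops

# Constructed resolver answers (not real DNS data):
# name -> (DNSSEC state, latency in seconds, CNAME target or None, CAA issuers)
ANSWERS = {
    "shop.signed-ok.test": ("secure", 0.05, None, []),
    "signed-ok.test":      ("secure", 0.05, None, ["ca.example"]),
    "www.broken.test":     ("bogus", 0.05, None, []),
    "www.unsigned.test":   ("insecure", 0.05, "cdn.host.test", []),
    "cdn.host.test":       ("insecure", 0.05, None, ["other-ca.example"]),
    "slow.test":           ("insecure", 3.0, None, []),
}
DEFAULT = ("insecure", 0.05, None, [])  # unsigned zone, no CAA, fast answer


def lookup(name):
    """Resolve CAA at one name, following CNAMEs; returns (status, issuers)."""
    for _ in range(MAX_ALIASES):
        state, latency, cname, issuers = ANSWERS.get(name, DEFAULT)
        if latency > TIMEOUT_S:
            return "timeout", []
        if state == "bogus":  # signed zone whose signatures fail validation
            return "dnssec-failure", []
        if cname is None:
            return "ok", issuers
        name = cname  # continue at the alias target
    return "alias-loop", []


def check_caa(dns_name, our_issuer):
    """Climb from dns_name toward the root; the first CAA set found decides."""
    labels = dns_name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        status, issuers = lookup(".".join(labels[i:]))
        if status != "ok":
            return f"blocked: {status}"
        if issuers:
            return "issue" if our_issuer in issuers else "deny: CAA names another CA"
    return "issue"  # no CAA at any level; an unsigned zone is not a problem


if __name__ == "__main__":
    for n in ("shop.signed-ok.test", "www.broken.test", "www.unsigned.test",
              "a.slow.test", "plain.unsigned-zone.test"):
        print(n, "->", check_caa(n, "ca.example"))
```

The `www.broken.test` case is the one this note is about: the zone is signed but its signatures do not validate, so the check stops there regardless of what CAA records exist.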