There are two main things, with regard to CAA, that can delay the issuance of a trusted "SSL" certificate. Generally, issuance is either ALLOWED or NOT ALLOWED, and often nothing in between.
Not Authorized!
SOLUTION: The customer is using a version of dig that does not support the CAA record type. (Notice the difference in the QUESTION SECTION output: the customer's dig treats "CAA" as a name to look up, so it asks for "CAA. IN A" and "drive.edp.com. IN A", while Support's dig asks for "drive.edp.com. IN CAA".) They will have to use ‘type257’ with this version; dig/BIND 9.9.6 supports “CAA”. -- https://kb.isc.org/article/AA-01210/0/BIND-9.9.6-Release-Notes.html
The customer can also use Google’s G Suite Toolbox and see the SERVFAIL too -- https://toolbox.googleapps.com/apps/dig/#CAA/
DNSViz.net can be used as well.
PROBLEM: Support tried to duplicate the customer's dig results for drive.edp.com and were unsuccessful. How are we seeing "SERVFAIL" and he's seeing "NOERROR"? We asked him to enter +dnssec before @8.8.8.8 and it didn't make a difference. The outputs and screenshots are provided below.
Customer's Output:
administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @8.8.8.8
; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10898
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;CAA. IN A
;; Query time: 76 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:56:16 WET 2018
;; MSG SIZE rcvd: 21
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56504
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drive.edp.com. IN A
;; ANSWER SECTION:
drive.edp.com. 3599 IN A 213.58.166.235
;; Query time: 308 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 11 18:56:16 WET 2018
;; MSG SIZE rcvd: 58
administrator@mint-173-32 ~/.mozilla/firefox $
administrator@mint-173-32 ~/.mozilla/firefox $
administrator@mint-173-32 ~/.mozilla/firefox $
administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @dns1.host-redirect.com
; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @dns1.host-redirect.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3359
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;CAA. IN A
;; Query time: 3 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:56:40 WET 2018
;; MSG SIZE rcvd: 21
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28993
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;drive.edp.com. IN A
;; ANSWER SECTION:
drive.edp.com. 3600 IN A 213.58.166.235
;; Query time: 48 msec
;; SERVER: 91.198.47.1#53(91.198.47.1)
;; WHEN: Thu Jan 11 18:56:40 WET 2018
;; MSG SIZE rcvd: 58
administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @dns2.host-redirect.com
; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @dns2.host-redirect.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8557
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;CAA. IN A
;; Query time: 80 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:56:47 WET 2018
;; MSG SIZE rcvd: 21
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26499
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;drive.edp.com. IN A
;; ANSWER SECTION:
drive.edp.com. 3600 IN A 213.58.166.235
;; Query time: 328 msec
;; SERVER: 194.8.30.2#53(194.8.30.2)
;; WHEN: Thu Jan 11 18:56:47 WET 2018
;; MSG SIZE rcvd: 58
administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @9.9.9.9
; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27914
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;CAA. IN A
;; Query time: 7 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:57:31 WET 2018
;; MSG SIZE rcvd: 21
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30443
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;drive.edp.com. IN A
;; ANSWER SECTION:
drive.edp.com. 3600 IN A 213.58.166.235
;; Query time: 428 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Thu Jan 11 18:57:31 WET 2018
;; MSG SIZE rcvd: 58
administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @8.8.8.8
; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12971
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;CAA. IN A
;; Query time: 122 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:59:04 WET 2018
;; MSG SIZE rcvd: 21
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48670
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drive.edp.com. IN A
;; ANSWER SECTION:
drive.edp.com. 3599 IN A 213.58.166.235
;; Query time: 328 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 11 18:59:05 WET 2018
;; MSG SIZE rcvd: 58
Support's Output:
<<>> DiG 9.10.5-P3 <<>> CAA drive.edp.com +dnssec @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59542
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;drive.edp.com. IN CAA
;; Query time: 138 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 11 15:08:34 Eastern Standard Time 2018
;; MSG SIZE rcvd: 42
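The check that separates the two outputs above, written as a small shell helper. This is an added example, not part of the original article: the function names are hypothetical, the 9.9.6 cutoff is taken from the release notes cited in the SOLUTION, and the sample input is excerpted from the outputs shown above.

```shell
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.

# Pick the query type for a dig version string. Assumption from the article:
# the "CAA" mnemonic is understood from 9.9.6 on; older builds need type257.
caa_qtype() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        v = $1 * 10000 + $2 * 100 + $3
        print ((v >= 90906) ? "CAA" : "type257")
    }'
}

# Read dig output on stdin and print the status of the response whose
# question really was "NAME IN CAA" (or TYPE257). Prints NOT-ASKED when no
# such question appears, i.e. dig parsed "CAA" as a hostname instead.
caa_verdict() {
    awk -v want="$1" '
        /->>HEADER<<-/ { st = $0; sub(/.*status: /, "", st); sub(/,.*/, "", st) }
        /^;; QUESTION SECTION:/ { inq = 1; next }
        inq {
            inq = 0
            name = tolower(substr($1, 2)); sub(/\.$/, "", name)
            type = toupper($NF)
            if (name == tolower(want) && (type == "CAA" || type == "TYPE257")) found = st
        }
        END { print ((found != "") ? found : "NOT-ASKED") }
    '
}

# Excerpts of the customer's and Support's outputs shown in the article.
customer_sample() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10898
;; QUESTION SECTION:
;CAA. IN A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56504
;; QUESTION SECTION:
;drive.edp.com. IN A
EOF
}
support_sample() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59542
;; QUESTION SECTION:
;drive.edp.com. IN CAA
EOF
}

customer_sample | caa_verdict drive.edp.com   # prints NOT-ASKED
support_sample  | caa_verdict drive.edp.com   # prints SERVFAIL
```

A NOT-ASKED result means the NOERROR the customer saw says nothing about CAA; only a status attached to a CAA question is relevant to issuance.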