Green: people who like one kind of DNS dance more likely to like other kinds too. (Also: even among CAA users, only 1/8 signed.) Yellow: if you’re going to deploy a new DNS-based signaling system, you need to use TXT. pic.twitter.com/ZSceABuBxH
I was referring to "failed closed." Using a TXT record may have been better, but it wouldn't have been sufficient to permit fail closed behavior.
OK, I’m totally confused. Fail closed as in no CAA = no cert? That seems a priori impossible.
The question is what to do if the DNS query fails (e.g. timeout, SERVFAIL). "Fail closed" means forbid issuance when that happens, but too many DNS servers are busted for that to be viable. A successful response indicating no CAA record would still permit issuance.
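The distinction drawn in the last reply, as an added example that is not part of the thread: a CA-side CAA check that climbs from the requested name toward the root and treats a failed lookup differently from a successful empty answer. The zone data, CA identifiers and function names are constructed for illustration, and only the `issue` tag is evaluated.

```python
from enum import Enum

class Lookup(Enum):
    RECORDS = "records"        # successful response carrying CAA records
    NO_RECORDS = "no-records"  # successful response, no CAA record at this name
    FAILED = "failed"          # timeout or SERVFAIL

# Constructed resolver results: name -> (outcome, [(tag, value), ...])
SAMPLE_ZONE = {
    "pinned.example": (Lookup.RECORDS, [("issue", "ca-one.example")]),
    "nobody.example": (Lookup.RECORDS, [("issue", ";")]),
    "broken.example": (Lookup.FAILED, []),
}

def lookup_caa(name, zone):
    """Stand-in for a DNS query; names not listed answer 'no CAA record'."""
    return zone.get(name, (Lookup.NO_RECORDS, []))

def may_issue(domain, ca_id, zone, fail_closed):
    """Return (allowed, reason) for ca_id issuing a certificate for domain."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        outcome, records = lookup_caa(name, zone)
        if outcome is Lookup.FAILED:
            # The only branch where the fail-closed / fail-open policy matters.
            return (not fail_closed, f"lookup failed at {name}")
        if outcome is Lookup.RECORDS:
            # Drop any parameters after ';' so 'issue ";"' yields an empty issuer.
            issuers = [v.split(";")[0].strip() for t, v in records if t == "issue"]
            if not issuers:
                return (True, f"no issue property at {name}")
            return (ca_id in issuers, f"CAA record set at {name}")
    # Every query succeeded and none returned a CAA record: issuance permitted.
    return (True, "no CAA record found")

if __name__ == "__main__":
    for domain in ("www.pinned.example", "open.example", "www.broken.example"):
        for fail_closed in (True, False):
            verdict = may_issue(domain, "ca-two.example", SAMPLE_ZONE, fail_closed)
            print(domain, "fail_closed" if fail_closed else "fail_open", verdict)
```

Only the name with the failing lookup changes verdict between the two policies; a name with no CAA record is issuable under both.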