It's not the only reason. There are also delegations to inaccessible DNS servers for internal-only zones.
I was referring to "failed closed." Using a TXT record may have been better, but it wouldn't have been sufficient to permit fail closed behavior.
-
OK, I’m totally confused. Fail closed as in no CAA = no cert? That seems a priori impossible.
-
The question is what to do if the DNS query fails (e.g. timeout, SERVFAIL). "Fail closed" means forbid issuance when that happens, but too many DNS servers are busted for that to be viable. A successful response indicating no CAA record would still permit issuance.
-
Ah, gotcha. This makes perfect sense, thanks!
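The distinction drawn above, shown as an added example that is not part of the thread: a simplified CAA check in the style of RFC 8659 that treats a clean "no CAA record" answer as permission to issue, but lets a lookup failure (timeout, SERVFAIL) be decided by a fail-open or fail-closed policy. The zone data, the `broken.example.` name and the CA identifiers are constructed for the stub resolver, so it runs offline.

```python
# Added example: CAA evaluation with an in-memory stub resolver (not real DNS).
# "No CAA anywhere" permits issuance; a DnsFailure is decided by fail_closed.

class DnsFailure(Exception):
    """Raised by the stub for timeouts / SERVFAIL (never for NXDOMAIN/NODATA)."""

# Constructed zone data: name -> list of (flags, tag, value) CAA records.
# Names absent from the dict answer cleanly with no records; names under
# BROKEN_SUFFIX simulate a timeout/SERVFAIL, the case the thread discusses.
STUB_ZONE = {
    "example.com.": [(0, "issue", "ca-one.example"),
                     (0, "issuewild", ";")],
    "strict.example.": [(128, "unknowntag", "x")],
}
BROKEN_SUFFIX = "broken.example."

def lookup_caa(name):
    if name.endswith(BROKEN_SUFFIX):
        raise DnsFailure(f"SERVFAIL for {name}")
    return STUB_ZONE.get(name, [])

def relevant_caa_set(fqdn):
    """Walk from fqdn toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = lookup_caa(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return []

def caa_permits(fqdn, ca_id, wildcard=False, fail_closed=True):
    """True if ca_id may issue for fqdn; a DNS failure is decided by policy."""
    try:
        rrset = relevant_caa_set(fqdn)
    except DnsFailure:
        return not fail_closed          # fail-closed: forbid; fail-open: allow
    if not rrset:
        return True                     # successful answer, no CAA: permitted
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag not in known for flags, tag, _ in rrset):
        return False                    # critical flag on an unknown tag
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"               # issuewild overrides issue for wildcards
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True                     # no record for the relevant tag: permitted
    return any(v.split(";")[0].strip() == ca_id for v in values)
```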