Closed mejofi closed 5 months ago
Thank you for calling this out.
I've resolved this by filtering the records that are checked to only the CAA records. Testing on www.ul.nl (and www.brntn.me) is working for me:
> python3 -m ready.ready www.ur.nl --check-filter=caa --request-filter=caa
Domain: www.ur.nl, Domain (no path): www.ur.nl, First Level Domain: ur.nl
[ OK ] DNS CAA should be enabled (['0 issue "digicert.com"', '0 issue "letsencrypt.org"', '0 issue "sectigo.com"'])
Version: 1.2.1
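
The RFC 8659 section 3 lookup discussed in this thread, combined with filtering answers down to CAA records, as an added example that is not the project's code. The zone dictionary, the example.test names and the function names are constructed for illustration, and CNAME alias chasing is not modelled.

```python
# Constructed stand-in for a resolver: name -> list of (rtype, rdata) answers.
# Not real DNS data. The CNAME at www models an answer holding non-CAA records.
SAMPLE_ZONE = {
    "example.test": [
        ("CAA", '0 issue "ca.example"'),
        ("CAA", '0 iodef "mailto:sec@example.test"'),
    ],
    "www.example.test": [("CNAME", "host.example.test.")],
    "shop.example.test": [("CAA", '0 issue ";"')],
}


def caa_rrset(zone, name):
    """Return only the CAA rdata found at exactly `name`; other types are ignored."""
    return [rdata for rtype, rdata in zone.get(name, []) if rtype == "CAA"]


def relevant_caa(zone, fqdn):
    """RFC 8659 section 3: climb from fqdn towards the root and return the
    first non-empty CAA RRset as (owner_name, records), else (None, [])."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # fqdn, then its parent, and so on
        records = caa_rrset(zone, candidate)
        if records:
            return candidate, records  # closest RRset wins; stop climbing
    return None, []


def check_caa_enabled(zone, fqdn):
    """Report OK when any name on the path to the root publishes CAA records."""
    owner, records = relevant_caa(zone, fqdn)
    return ("OK" if records else "FAIL"), owner, records


if __name__ == "__main__":
    for host in ("www.example.test", "a.shop.example.test", "other.invalid"):
        print(host, check_caa_enabled(SAMPLE_ZONE, host))
```

The subdomain case passes because the records are inherited from the parent, and the closest RRset (here at shop.example.test) takes precedence over anything higher in the tree.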
It looks like the 'DNS CAA should be enabled' test does not climb the DNS tree, as is specified in the spec; https://datatracker.ietf.org/doc/html/rfc8659#section-3-3
This means that, if the test is run for a subdomain while CAA records are present for the domain itself, it registers as a FAIL, even though, if I am reading the spec correctly, it should pass?
Example: when testing 'www.ur.nl', it fails like this;