ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0

CAA check fails #678

Open dstikkers opened 5 years ago

dstikkers commented 5 years ago

Can you indicate why the CAA check in the test fails? For the domain the CAA appears to be correctly set up:

```
; <<>> DiG 9.10.6 <<>> CAA nexar.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48470
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nexar.be.                      IN      CAA

;; ANSWER SECTION:
nexar.be.               3600    IN      CAA     0 iodef "mailto:info@nexar.be"
nexar.be.               3600    IN      CAA     0 issue "digicert.com"

;; Query time: 31 msec
;; SERVER: 195.130.130.4#53(195.130.130.4)
;; WHEN: Sat Jan 05 14:41:23 CET 2019
;; MSG SIZE  rcvd: 107
```

Kind regards, Dimitri

shimile commented 5 years ago

I can also replicate this, but interestingly, on one of my domains I can and on the other I can't. It worked on a domain with 9 characters, and doesn't on a domain with 12 characters in the name - both on the same TLD and both have the exact same list of CAA records.

I went to see what else might be different, and found out that the TTL value of the records was 1 day where it didn't work and 5 minutes where it did. So I changed the TTL to 5 minutes on the non-working domain, and lo and behold, now the CAA check passes.

At first I thought that this might be due to DNSSEC that I have enabled for my domain, which the opener of this issue also seems to have enabled, which results in larger responses that may exceed the response size for DNS over UDP and maybe the tool fails to use TCP - but the opener of this issue only has two CAA records and a domain that is shorter than my own that did work; could the extra digit in the TTL make the difference?! Doesn't make sense to me. Especially given that my domain has 7 CAA records...

But if this data helps anyone... :)
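To make the semantics of "the CAA check" concrete, here is an added example (not code from ssllabs-scan or from anyone in this thread) that parses CAA RDATA in wire format and applies the RFC 8659 issuance rules to the two records from the dig output above; the wire bytes are constructed here from that output, and `encode_caa`, `decode_caa`, `caa_permits` and `check_nexar_sample` are names chosen for this example.

```python
from typing import List, Tuple

# Tags a CA is required to understand (RFC 8659 section 4). Any record carrying the
# critical flag with an unknown tag must cause the CA to refuse issuance.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80

def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """Build CAA RDATA: flags byte, tag length, tag, value (RFC 8659 section 4.1)."""
    tag_b = tag.encode("ascii")
    return bytes([flags & 0xFF, len(tag_b)]) + tag_b + value.encode("utf-8")

def decode_caa(rdata: bytes) -> Tuple[int, str, str]:
    """Parse one CAA RDATA blob into (flags, tag, value); tags are case-insensitive."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("invalid CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    return flags, tag, rdata[2 + tag_len:].decode("utf-8")

def issuer_domain(value: str) -> str:
    """Issuer domain is the part before any ';' parameters, e.g. 'digicert.com; policy=ev'."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(records: List[Tuple[int, str, str]], ca_domain: str,
                wildcard: bool = False) -> bool:
    """Decide whether ca_domain may issue for a name with this CAA record set.
    No relevant issue/issuewild records means any CA may issue; otherwise the CA
    must be named in one of them. An empty issuer (value ';') forbids everyone."""
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return any(issuer_domain(v) == ca_domain.lower() for v in relevant)

def check_nexar_sample() -> Tuple[bool, bool]:
    """Constructed wire data for the two records in the dig output above."""
    wire = [encode_caa(0, "iodef", "mailto:info@nexar.be"),
            encode_caa(0, "issue", "digicert.com")]
    records = [decode_caa(r) for r in wire]
    # DigiCert is authorised; any other CA (constructed example: letsencrypt.org) is not.
    return caa_permits(records, "digicert.com"), caa_permits(records, "letsencrypt.org")
```

If a resolver can only retrieve part of the record set (for instance a truncated UDP answer with no TCP retry), the view it feeds into this logic is wrong, which is the failure mode the comments above speculate about.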