Symptoms

A CAA record was added to a domain, either through UX1 by the owner of the domain or through PCP by the Provider.


Example:

Domain name     Flag    Tag      Value
example.com.    0       issue    ca.example.net


A check on the DNS servers, which run PowerDNS, shows that the record was also added there:

Example:

[root@dns1 ~]# pdnsutil list-zone example.com | grep CAA
example.com      3600          IN            CAA 0 issue "ca.example.net"


However, a query with (for example) dig returns no CAA record, which shows that the record is never propagated (or, more accurately, cached) globally.


Example:

[/home/myuser ~]# dig caa nsnk-orgel.server-queen.jp +short



Example of a request with the expected answer:

[/home/myuser ~]# dig caa google.com +short
0 issue "pki.goog"


Cause

The DNS servers are running a PowerDNS version earlier than 4.0.0.

PowerDNS supports the CAA record (type 257) only since version 4.0.0.

The official upgrade notice from PowerDNS can be obtained from here.


To check which PowerDNS version is installed on a DNS server, use this command:

pdns_server --version
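
The three checks from this article combined into one diagnosis, as an added example that is not part of the original article or of PowerDNS. The function names, verdict strings and sample version banners are constructed for illustration, and the script assumes the version appears as a dotted number in the `pdns_server --version` output.

```shell
#!/bin/sh
# Added example: decide why a CAA record that exists in the zone is not served.
# Each input is the captured output of one command used in this article.

# Print the first dotted version number (for example 4.1.4) found in the text.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# Succeed when the version is 4.0.0 or later, i.e. CAA (type 257) is supported.
supports_caa() {
    major=${1%%.*}
    case $major in ''|*[!0-9]*) return 2 ;; esac   # not a number: cannot decide
    [ "$major" -ge 4 ]
}

# diagnose ZONE_LISTING DIG_ANSWER VERSION_TEXT -> prints one verdict word.
diagnose() {
    zone_has_caa=no
    served=no
    printf '%s\n' "$1" | grep -Eq '[[:space:]]CAA[[:space:]]' && zone_has_caa=yes
    printf '%s\n' "$2" | grep -Eq '(issue|issuewild|iodef)[[:space:]]' && served=yes
    version=$(extract_version "$3")
    if [ "$zone_has_caa" = no ]; then
        echo "no-caa-in-zone"              # nothing to serve: add the record first
    elif [ "$served" = yes ]; then
        echo "ok"                          # record is in the zone and answered
    elif [ -z "$version" ]; then
        echo "unknown-version"             # could not parse the version output
    elif supports_caa "$version"; then
        echo "not-served-check-elsewhere"  # version is new enough; cause differs
    else
        echo "upgrade-required"            # the case described in this article
    fi
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_ZONE='example.com 3600 IN CAA 0 issue "ca.example.net"'
SAMPLE_OLD='PowerDNS Authoritative Server 3.4.11'
SAMPLE_NEW='PowerDNS Authoritative Server 4.1.4'

# Live use on a DNS server, with the commands from this article:
#   diagnose "$(pdnsutil list-zone example.com)" \
#            "$(dig caa example.com +short)" \
#            "$(pdns_server --version 2>&1)"
```

A verdict of `upgrade-required` matches the symptom described above: the record is in the zone, the query returns nothing, and the installed version predates CAA support.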


Resolution

CloudBlue Commerce 20.5 supports PowerDNS 4.1.4. It is officially stated in the CloudBlue Commerce 20.5 documentation here.

To upgrade to this version, follow the instructions in the KCS article here.