Are SOA results returned for CAA queries where no CAA record exists?

[webprofusion-chrisc]

Recently Let's Encrypt updated their CAA validation by way of an upgrade to Unbound (the system they use for DNS validation). As a result of stricter checks (or possibly a Unbound bug) checks for CAA records against some DNS servers are resulting in a SERVFAIL result where a NODATA response returns no SOA results in the response (regarding RFC2308)

https://community.letsencrypt.org/t/caa-requests-resulting-in-servfail-since-dec-12th/210334/11

https://community.letsencrypt.org/t/renew-produced-an-unexpected-error/210436/2

This specifically seems to affect hover.com DNS services who may be using a version of PowerDNS.

Can anyone confirm if PowerDNS would be affected by this or if this issue has previously been fixed?

[Habbie]

PowerDNS should not be affected, and in fact I cannot think of an older version that would be. Do you have a reproducible example, perhaps using https://unboundtest.com/?

[webprofusion-chrisc]

I'm not the actual PowerDNS user so I can only say that anecdotally hover.com are said to be using PowerDNS ( via someone else's support conversation with hover.com).

An example CAA query with no SOA result:
dig www.whatsmyip.org -t CAA

vs an example with SOA:
dig whatsmyip.org -t CAA

Let's Encrypt have now performed an expedited upgrade to Unbound 1.19 in response to this general issue.

Unboundtest is still running 1.18 at this exact time, so it returns the SERVFAIL. I expect this will get switched to 1.19 as well pretty soon:
https://unboundtest.com/m/CAA/www.whatsmyip.org/BNWDGMH3

As a result of Let's Encrypt update this issue may now go away.

It's possible PowerDNS is indeed not affected, just flagging this up as a potential issue.

[webprofusion-chrisc]

Unrelated comment (regarding CAA support) from hover.com suggests that they use an older version of PowerDNS: https://www.thesslstore.com/knowledgebase/caa-records/how-to-add-a-caa-record-on-hover/

[mnordhoff]

I did a little archaeology, and I think it is most likely true that Hover is using an older version of PowerDNS.

However, I have no clue why their negative responses don't include an SOA record. If it's a bug, it has almost certainly been fixed. It could be due to something peculiar about Hover's setup. It might be a bug triggered by something peculiar about Hover's setup. :D

[taam]

As far as I know, PowerDNS still does have that bug in case ALIAS records are involved. This topic has first been posted in the issue explaining that: #4556

There might be other reasons, but can we rule this one out?

[Habbie]

Given how old the version that Hover runs is, we can rule out ALIAS, as it did not exist back then.