On Tuesday, January 2, 2018 at 10:35:02 AM UTC-5, r1ch wrote:
I recently deployed CAA on obsproject.com using Cloudflare. It's been over a week and the CAA record shows up fine using any number of public tools, but Google DNS cannot resolve it both with and without DNSSEC.
This does appear to be visible now at https://dns.google.com/query?name=obsproject.com&type=CAA and using UDP queries via `dig CAA obsproject.com @220.127.116.11`.
I've tried using the cache purge tool, but it doesn't support purging CAA records, and reports "Unexpected error! Please submit us an issue (https://code.google.com/a/google.com/p/public-dns/issues/list)." when trying to purge any other record type.
The unexpected error problems (https://issuetracker.google.com/issues/70826798) have been fixed, but flushing the cache of CAA records is explicitly not supported, as it could be used in combination with a cache poisoning attack. Given the security-sensitive nature of CAA records (and the fact that most of them are in domains that are not DNSSEC-signed), the limited benefit (most CAs, like letsencrypt.org and others, do not use Google Public DNS in any case) didn't seem to justify adding this.
I created https://issuetracker.google.com/issues/73183199 as a feature request for adding CAA flush support for DNSSEC-signed domains, but even in that case it might not be a good idea, given the number of recent DNSSEC vulnerabilities involving the ability to forge NODATA replies that pass DNSSEC validation:
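The thread turns on what a CA does with a CAA RRset once a resolver hands it over. As an added example (not code from the thread, from Cloudflare or from Google Public DNS), the following Python decodes CAA RDATA from its wire format (flags byte, tag length, tag, value) and applies the RFC 8659 issuance check: climb from the queried name toward the root until a non-empty CAA RRset is found, refuse on an unknown critical-flagged tag, and compare the requesting CA against the `issue` (or, for wildcards, `issuewild`) entries. The zone contents and the CA names are constructed for the example, and the restriction rules are this author's reading of RFC 8659, not a library's implementation.

```python
"""Added example: CAA wire-format parsing and issuance evaluation (RFC 8659).
Zone data below is constructed for illustration; nothing is looked up online."""


def encode_caa_rdata(flags: int, tag: str, value: str) -> bytes:
    """Build CAA RDATA: flags (1 byte), tag length (1 byte), tag, value."""
    tag_b = tag.encode("ascii")
    return bytes([flags & 0xFF, len(tag_b)]) + tag_b + value.encode("utf-8")


def parse_caa_rdata(rdata: bytes) -> dict:
    """Decode one CAA RDATA; bit 7 of flags is 'issuer critical'."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()  # tags are case-insensitive
    value = rdata[2 + tag_len:].decode("utf-8")
    return {"critical": bool(flags & 0x80), "tag": tag, "value": value}


# Constructed zone: owner name -> list of CAA RDATA. An empty list models NODATA.
ZONE = {
    "example.com.": [
        encode_caa_rdata(0, "issue", "letsencrypt.org"),
        encode_caa_rdata(0, "issuewild", ";"),  # ';' = nobody may issue wildcards
        encode_caa_rdata(0, "iodef", "mailto:security@example.com"),
    ],
    "nocaa.example.com.": [],
    # Hypothetical future tag marked critical: a CA that does not understand it must refuse.
    "strict.example.com.": [encode_caa_rdata(0x80, "futuretag", "x")],
}


def relevant_caa_set(name: str, zone: dict) -> list:
    """RFC 8659 s3: the relevant RRset is the first non-empty CAA RRset found
    walking from the FQDN toward the root."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate, [])
        if rrset:
            return [parse_caa_rdata(r) for r in rrset]
    return []


def ca_domain(value: str) -> str:
    """issue/issuewild value is 'ca-domain [; param=value ...]'; keep the domain."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name: str, ca: str, zone: dict, wildcard: bool = False) -> bool:
    """Return True if CA `ca` may issue for `name` (or *.name when wildcard)."""
    records = relevant_caa_set(name, zone)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r["critical"] and r["tag"] not in known for r in records):
        return False  # unknown critical property: MUST NOT issue
    issue = [r for r in records if r["tag"] == "issue"]
    issuewild = [r for r in records if r["tag"] == "issuewild"]
    # issuewild governs wildcards only when present; otherwise issue applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # RRset exists (e.g. only iodef) but does not restrict issuance
    return any(ca_domain(r["value"]) == ca.lower() for r in relevant)


if __name__ == "__main__":
    for n, ca, wc in [("www.example.com.", "letsencrypt.org", False),
                      ("www.example.com.", "other-ca.example", False),
                      ("example.com.", "letsencrypt.org", True),
                      ("strict.example.com.", "letsencrypt.org", False),
                      ("unrelated.test.", "any-ca.example", False)]:
        print(f"{'*.' if wc else ''}{n} by {ca}: {issuance_allowed(n, ca, ZONE, wc)}")
```

The climb in `relevant_caa_set` is why an empty CAA RRset at a subdomain (modelled by `nocaa.example.com.`) does not remove the parent's restriction, and why a resolver that can serve a forged NODATA for a name on that path, as the reply worries about, matters to a CA: an attacker who can make every step return "no data" turns a restricted zone into an unrestricted one.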