DNS CAA Checking FAQ

Nov 7, 2022


Introduction

GlobalSign offers two types of Code Signing Certificates. The methods and requirements to sign code vary from platform to platform, often creating confusion for the end user. This article will clarify the differences between code signing certificate types and answer common questions on code signing requirements for different platforms.

CAA Checking for SSL Certificates

Why am I receiving a "CAA Check Failed" error message when ordering/reissuing/renewing/adding SANs?

Due to recent updates, all CAs are now required to check the DNS CAA records of all domains being requested for a certificate. Our system has detected that your DNS CAA records contain entries, and "globalsign.com" is not one of them. Please add "globalsign.com" in your CAA entries, and try again. Please allow up to 8 hours before trying again to make sure the CAA record cache has been cleared.

How can I amend the CAA Record to ensure GlobalSign can issue certificates for my domain?

Please note that we do not fully support how DNS CAA records are added; however, you may refer to this Support Article for a general guide: How to Add CAA Record to DNS Zone File

What certificate products are affected?

All SSL certificates (Alpha, DV, OV, EV, MSSL OV and EV, OneClick, and CloudSSL and SANs) are affected, except for IntranetSSL. The DNS CAA records of the common name and all the SANs requested will be checked.

Does the CAA check only happen with new orders?

The CAA check will happen for new orders, including the common name and all SANs requested in that order, as well as for reissues, add SANs, and renewals.

Why am I getting a "servfail response" error message when approving/verifying my order?

There are several things that may cause this error, including a DoS attack on DNS, use of IPSEC, or just improper DNS configurations. It could also be due to blocked traffic from our JP data center. The CA is unable to determine the cause, so the CAA check fails.
In case of blocked traffic, we suggest whitelisting these IP addresses:
211.123.204.251
114.179.250.1
114.179.250.2


I am getting a timeout error when approving/verifying my order. Is there a problem on your end?

A timeout error related to the CAA check looks like this: read udp 127.0.0.1:36998->127.0.0.1:53: i/o timeout.
This error indicates a DNS resolution timeout. Such timeouts result in a failure because an adversary may try to cause a timeout at any level in the domain name to block the CA from receiving a CAA record. If the initial request and the retry both time out, the CAA check will fail, because the CA is unable to determine the real cause of the timeout.
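
The check described in the answers above ("CAA Check Failed", SERVFAIL and timeout), as an added example that is not GlobalSign's code: it follows the RFC 8659 lookup (climb from the requested name towards the root, use the first CAA set found) and fails closed when a lookup fails. It runs over a constructed in-memory zone instead of live DNS; `ca_may_issue`, `relevant_rrset`, `SAMPLE_ZONE` and the sample domains are assumptions made for illustration.

```python
LOOKUP_FAILED = object()  # stands in for SERVFAIL, or a timeout on both attempts

# Constructed sample data (not real zones): name -> list of (flags, tag, value).
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "other-ca.example")],
    "shop.example.com": [(0, "issue", "globalsign.com"), (0, "issuewild", ";")],
    "broken.example.net": LOOKUP_FAILED,
}

def relevant_rrset(name, zone):
    """Climb from name towards the root; return the first non-empty CAA set."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = zone.get(candidate, [])
        if rrset is LOOKUP_FAILED:
            raise LookupError(f"CAA lookup failed for {candidate}")
        if rrset:
            return rrset
    return []

def ca_may_issue(domain, zone, ca="globalsign.com"):
    """Return (allowed, reason) for one requested name (common name or SAN)."""
    wildcard = domain.startswith("*.")
    try:
        rrset = relevant_rrset(domain[2:] if wildcard else domain, zone)
    except LookupError as exc:
        return False, f"fail closed: {exc}"
    if not rrset:
        return True, "no CAA records published"
    props = [(flags, tag.lower(), value) for flags, tag, value in rrset]
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in props):
        return False, "unknown property marked critical"
    issue = [v for _, t, v in props if t == "issue"]
    issuewild = [v for _, t, v in props if t == "issuewild"]
    values = issuewild if wildcard and issuewild else issue
    if not values:
        return True, "CAA set carries no issue restriction"
    # The issuer domain is the part before any ';' parameters; ';' alone means nobody.
    allowed = {v.split(";")[0].strip().lower() for v in values}
    if ca in allowed:
        return True, f"{ca} is authorized"
    return False, f"CAA records exist and {ca} is not listed"
```

Run it against every name in an order, the common name and each SAN, since a single name that returns `False` is enough for the check to fail.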
