DigiCert: RapidSSL CAA Mis-Issuance: Lookup failure on DNSSEC-signed zone

This case involves a mis-issuance of a certificate by DigiCert for a domain that was DNSSEC-signed but had a misconfigured server that did not respond to CAA queries. The certificate was issued despite the failure to retrieve the necessary CAA record, which should have prevented issuance according to CAB guidelines. Following the report, DigiCert confirmed the issue, revoked the certificate, and implemented a patch to prevent similar occurrences in the future.

1. 2017-10-13 Complaint received regarding certificate issuance
2. 2017-10-18 Issue confirmed and revocation ordered
3. 2017-10-19 Certificate revoked
4. 2017-11-09 Patch applied to fix CAA record checking