Currently, if an error occurs during a CAA lookup, e.g.
- The response is garbage
- Someone pulls the network cable (I/O error)
we treat such situations as "permission to issue" if there is no valid DNSSEC on the domain we are querying CAA records for.
According to the baseline requirements, we are allowed to treat the lookup as permission to issue if the error occurs outside the CAs infrastructure.
However, if the CA runs its own DNS resolver they may want to disable this option to avoid mis-issuance of certificates if their internal DNS responder becomes unstable. Preferably, this can be an option in the admin GUI.