[regecks]

In this context, I think "requires DNSSEC" is an opinion at best. "Requires" is probably the wrong word.

You are welcome to use CAA accounturi without DNSSEC and it will be effective.

Your zone may be vulnerable to an active man-in-the-middle DNS attack (which is hard to pull off), but it will still be protected against somebody figuring out how to upload an /.well-known/acme-challenge/ file on your domain and issue an unauthorized certificate from a foreign ACME account. This attack is much easier - I did it against a popular mail provider a few years ago.

[zinekeller]

> This attack is much easier - I did it against a popular mail provider a few years ago.

I guess this is Fastmail :)

[holigot]

Can't even understand, why they do not give us some features like IPv6, DANE, DNSSEC and so on... https://fastmail.blog/historical/fastmail-dns-hosting/

In 2014 Rob Mueller wrote: "Our future DNS plans include DNSSEC support (which then means we can also do DANE properly, which allows server-to-server email sending to be more secure), DMARC record support, and ideally one day Anycast support to make DNS lookups faster."