A RECORD SERVFAIL only with 8.8.8.8


#1

Hello.

When I try to run letsencrypt I get these errors:

response: {"name":"CertbotError","code":1,"message":"('xn--80aaaszlmpkyl0e9a.xn--p1ai', \"b'Failed authorization procedure. xn--80aaaszlmpkyl0e9a.xn--p1ai (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for xn--80aaaszlmpkyl0e9a.xn--p1ai\\\\n'\")","extra":null}

When I run dig аэросъемкауфа.рф @8.8.8.8, I get result:

; <<>> DiG 9.9.5-3ubuntu0.17-Ubuntu <<>> аэросъемкауфа.рф @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24732
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;аэросъемкауфа.рф. IN A

;; Query time: 13 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jan 07 07:08:03 MSK 2019
;; MSG SIZE rcvd: 59

I don’t understant, why Google don’t see A-record for domain.


#2

Hi,

In short:
You have an incomplete DNSSEC setup.
Contact your registrar and ask them to remove the DNSSEC for you. (That should resolve the issue)

Long response:
Google Public DNS, like all other DNS resolvers, does see your A record.
However, because you enabled DNSSEC (at registrar level, but not inside your DNS zone), DNS servers that check DNSSEC would return a serverfail for not setup DNSSEC correctly.

You have DNSSEC (key 50281) enabled at your domain registrar, but your DNS zone does not serve that key.
Checking with Unboundtest returned with serverfail because “Missing DNSKEY RRset in response to DNSKEY query.”
https://unboundtest.com/m/A/xn--80aaaszlmpkyl0e9a.xn--p1ai/TIXPFR2T

Checking with DNSVIZ returned the same error.
http://dnsviz.net/d/xn--80aaaszlmpkyl0e9a.xn--p1ai/dnssec/

Also with letsdebug.net.
https://letsdebug.net/xn--80aaaszlmpkyl0e9a.xn--p1ai/14858

Thank you


#3

Thank you very much!