A strange problem when using unboundtest.com

I'm working to issue a cert by dns-01 and failed at the TXT validation step. Then I tried to find some hints by using unboundtest.com. Here is the problem:

If I put a short TXT value ('CS1C7EORFek'), unboundtest.com will work fine with 'NOERROR' and the right 'ANSWER SECTION'.
https://unboundtest.com/m/TXT/_acme-challenge.lutest.luagent.com/S3UEARN7

If I put a long TXT value ('CS1C7EORFekCS1C7EORFek'), unboundtest.com will fail with 'SERVFAIL' and no 'ANSWER SECTION'.
https://unboundtest.com/m/TXT/_acme-challenge.lutest.luagent.com/NLXWOLOM

Has anyone else met the same problem?
I also attached these two logs in case the unboundtest links disappear.
long_txt_log.txt.txt (7.6 KB)
short_txt_log.txt.txt (7.3 KB)

1 Like

Some or all of the DNS servers for the zone luagent.com are not reachable via TCP. That is a "must" for authoritative name servers.

$ dig +tcp lutest.luagent.com @101.89.64.126
;; Connection to 101.89.64.126#53(101.89.64.126) for lutest.luagent.com failed: connection refused.
4 Likes

Thanks. I've also noticed this and I'm tracing this connection issue in the meantime.
But I'm still confused why the short TXT case is OK (I've tested several times).

2 Likes

If the UDP DNS packet size exceeds a certain limit (truncate flag on), the resolver is supposed to retry in TCP to get the full data.

7 Likes
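Added example, not part of the thread and not unboundtest or Let's Encrypt code: a per-nameserver check for the failure described above, where a server answers over UDP but refuses TCP, so small answers resolve and truncated ones do not. The function names and result strings are hypothetical; it assumes IPv4 addresses and port 53, and the `udp`/`tcp` parameters exist only so the transports can be swapped out.

```python
import socket
import struct

def build_query(name, qtype=16, qid=0x1234):
    """Minimal DNS query without EDNS; qtype 16 is TXT."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def is_truncated(resp):
    """True when the TC (truncated) bit, 0x0200, is set in the header flags."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    return bool(struct.unpack("!H", resp[2:4])[0] & 0x0200)

def query_udp(ip, msg, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (ip, 53))
        return s.recvfrom(4096)[0]

def query_tcp(ip, msg, timeout=3.0):
    """DNS over TCP prefixes each message with a 2-byte length."""
    with socket.create_connection((ip, 53), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        return f.read(struct.unpack("!H", f.read(2))[0])

def check_nameserver(ip, name, udp=query_udp, tcp=query_tcp):
    """Classify one authoritative server by how it handles UDP and TCP."""
    msg = build_query(name)
    try:
        truncated = is_truncated(udp(ip, msg))
    except (OSError, ValueError):
        truncated = None  # no usable UDP answer at all
    try:
        tcp_ok = len(tcp(ip, msg)) >= 12  # at least a full DNS header came back
    except (OSError, struct.error):
        tcp_ok = False  # refused, timed out, or closed before a full message
    if tcp_ok:
        return "ok" if truncated is not None else "tcp-only"
    if truncated is None:
        return "unreachable"
    # UDP works but TCP does not: small answers resolve, truncated ones cannot
    return "fails-now" if truncated else "fails-when-truncated"
```

Run `check_nameserver` against every address in the zone's NS set; anything other than "ok" marks a server that can cause SERVFAIL once an answer no longer fits in UDP.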

Thanks.

4 Likes

image

4 Likes

That's it! 120.52.138.16 and 123.58.238.36 are both offline servers and were wrongly configured in the luagent.com NS results. Now they are removed and TXT works fine. Thanks for your help.

2 Likes
