A strange problem when using unboundtest.com

I'm working to issue a cert by dns-01 and failed at the TXT validation step. Then I tried to find some hints by using unboundtest.com. Here is the problem:

If I put a short TXT value ('CS1C7EORFek'), unboundtest.com works fine, with 'NOERROR' and the right 'ANSWER SECTION'.
https://unboundtest.com/m/TXT/_acme-challenge.lutest.luagent.com/S3UEARN7

If I put a long TXT value ('CS1C7EORFekCS1C7EORFek'), unboundtest.com fails with 'SERVFAIL' and no 'ANSWER SECTION'.
https://unboundtest.com/m/TXT/_acme-challenge.lutest.luagent.com/NLXWOLOM

Has anyone else met the same problem?
I also attached these two logs in case the unboundtest links disappear.
long_txt_log.txt.txt (7.6 KB)
short_txt_log.txt.txt (7.3 KB)

Some or all of the DNS servers for the zone luagent.com are not reachable via TCP. That is a "must" for authoritative name servers.

$ dig +tcp lutest.luagent.com @101.89.64.126
;; Connection to 101.89.64.126#53(101.89.64.126) for lutest.luagent.com failed: connection refused.

Thanks. I've also noticed this and I'm tracing this connection issue in the meantime.
But I'm still confused why the short TXT case is OK (I've tested several times).

If the UDP DNS packet size exceeds a certain limit (truncate flag on), the resolver is supposed to retry over TCP to get the full data.
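
The UDP-then-TCP behaviour described in the reply above, as an added example that is not part of the original thread: it queries one authoritative server over UDP, checks the TC bit, and retries over TCP, reporting when that retry fails (the case a resolver surfaces as SERVFAIL). The function names, the query ID and the single-server scope are assumptions of this example.

```python
import socket
import struct

TC_FLAG = 0x0200  # TC (truncated) bit in the 16-bit DNS header flags field

def build_query(name, qtype=16, qid=0x1234):
    """Encode a minimal DNS query; qtype 16 is TXT, class 1 is IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def is_truncated(message):
    """True when the server set TC, meaning the answer did not fit in UDP."""
    if len(message) < 12:
        raise ValueError("shorter than a DNS header")
    return bool(struct.unpack("!H", message[2:4])[0] & TC_FLAG)

def udp_send(server, query, timeout=3.0):
    """Send the query as a single datagram and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]

def tcp_send(server, query, timeout=3.0):
    """DNS over TCP prefixes every message with a 2-byte length."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        stream = s.makefile("rb")
        head = stream.read(2)
        if len(head) < 2:
            raise ConnectionError("closed before a reply arrived")
        return stream.read(struct.unpack("!H", head)[0])

def lookup(server, query, udp=udp_send, tcp=tcp_send):
    """Return (outcome, transport, reply) for one authoritative server."""
    reply = udp(server, query)
    if not is_truncated(reply):
        return ("answered", "udp", reply)
    try:
        return ("answered", "tcp", tcp(server, query))
    except OSError:  # refused, unreachable or timed out
        return ("tcp_retry_failed", "tcp", None)
```

The `udp` and `tcp` parameters accept stand-in transports, so the decision logic can be exercised with constructed replies before pointing it at a real name server.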

Thanks.

That's it! 120.52.138.16 and 123.58.238.36 are both offline servers and were wrongly configured in the luagent.com NS results. Now they are removed and TXT works fine. Thanks for your help.