I am installing Mail-in-a-Box which uses an implementation of LE.
The error message (log?) is:
Log:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for somedomain.somewhere.com
http-01 challenge for box.miabdnstest.ml
http-01 challenge for www.box.miabdnstest.ml
Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. box.miabdnstest.ml (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for miabdnstest.ml, www.box.miabdnstest.ml (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for miabdnstest.ml

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: box.miabdnstest.ml
   Type:   None
   Detail: DNS problem: SERVFAIL looking up CAA for miabdnstest.ml

   Domain: www.box.miabdnstest.ml
   Type:   None
   Detail: DNS problem: SERVFAIL looking up CAA for miabdnstest.ml
Name resolution is working fine … thoughts please?
Your DNS-servers reply with the wrong answer when asked for a CAA record.
It isn't required. The problem is, your DNS server replies with an error (REFUSED). It's perfectly fine for your DNS servers to reply with "your request is accepted, but I don't have a CAA record, sorry dude" (i.e., a NOERROR response without an answer).
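To make the distinction above concrete, here is an added example (not code from the thread or from Mail-in-a-Box) that parses the RCODE from a DNS response header and walks the CAA tree from the host name toward the root the way a CA does: an empty NOERROR or NXDOMAIN answer means "no CAA here, keep climbing", while REFUSED or SERVFAIL stops the check and blocks issuance. The response packets are constructed in the script, and names without a constructed response are assumed to answer NOERROR with no data.

```python
import struct

# RCODE values from RFC 1035; the CA's interpretation follows RFC 8659 (CAA).
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 2, 3, 5

def make_response(rcode, ancount):
    """Constructed 12-byte DNS header (QR=1, RD=1, RA=1) carrying the given RCODE."""
    return struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)

def classify_caa_response(packet):
    """Map one CAA response to what a CA concludes from it."""
    _, flags, _, ancount, _, _ = struct.unpack("!6H", packet[:12])
    rcode = flags & 0x000F
    if rcode == RCODE_NOERROR and ancount > 0:
        return "caa-present"          # the RRset decides who may issue
    if rcode in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "no-caa"               # empty answer: keep climbing toward the root
    return "lookup-failed"            # SERVFAIL, REFUSED, ...: CA must not issue

def caa_lookup_outcome(name, responses):
    """Climb from the FQDN to the TLD as a CA does; return (verdict, zone)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        # Assumption: a name with no constructed response answers NOERROR/NODATA.
        packet = responses.get(zone, make_response(RCODE_NOERROR, 0))
        verdict = classify_caa_response(packet)
        if verdict != "no-caa":
            return verdict, zone
    return "no-caa", None

# Constructed responses mirroring the thread: the host answers cleanly, but the
# parent zone answers REFUSED, which the resolver surfaces to certbot as SERVFAIL.
BROKEN = {"box.miabdnstest.ml": make_response(RCODE_NOERROR, 0),
          "miabdnstest.ml": make_response(RCODE_REFUSED, 0)}
FIXED = {"box.miabdnstest.ml": make_response(RCODE_NOERROR, 0),
         "miabdnstest.ml": make_response(RCODE_NOERROR, 0)}

if __name__ == "__main__":
    print(caa_lookup_outcome("box.miabdnstest.ml", BROKEN))  # ('lookup-failed', 'miabdnstest.ml')
    print(caa_lookup_outcome("box.miabdnstest.ml", FIXED))   # ('no-caa', None)
```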
Admittedly, I am not familiar with the unbound logs that you linked … can you show me the specific error please? Thanks!
Because I am seeing this …
Feb 17 12:55:31 unbound[5588:0] info: response for ns1.box.miabdnstest.ml. AAAA IN
Feb 17 12:55:31 unbound[5588:0] info: reply from <box.miabdnstest.ml.> 205.185.124.235#53
Feb 17 12:55:31 unbound[5588:0] info: query response was nodata ANSWER
Feb 17 12:55:31 unbound[5588:0] info: response for ns2.box.miabdnstest.ml. AAAA IN
Feb 17 12:55:31 unbound[5588:0] info: reply from <miabdnstest.ml.> 205.185.124.235#53
Feb 17 12:55:31 unbound[5588:0] info: query response was nodata ANSWER
miabdnstest.ml zone: The server(s) responded over TCP with a malformed response or with an invalid RCODE. (205.185.124.235)
miabdnstest.ml zone: The server(s) responded over UDP with a malformed response or with an invalid RCODE. (205.185.124.235)
miabdnstest.ml/A: The response had an invalid RCODE (REFUSED). (205.185.124.235, UDP_-_EDNS0_4096_D_K)
miabdnstest.ml/AAAA: The response had an invalid RCODE (REFUSED). (205.185.124.235, UDP_-_EDNS0_4096_D_K)
miabdnstest.ml/DNSKEY: The response had an invalid RCODE (REFUSED). (205.185.124.235, UDP_-_EDNS0_4096_D_K, UDP_-_EDNS0_512_D_K)
miabdnstest.ml/MX: The response had an invalid RCODE (REFUSED). (205.185.124.235, UDP_-_EDNS0_4096_D_K, UDP_-_EDNS0_512_D_K)
miabdnstest.ml/NS: The response had an invalid RCODE (REFUSED). (205.185.124.235, UDP_-_EDNS0_4096_D_K)
miabdnstest.ml/SOA: The response had an invalid RCODE (REFUSED). (205.185.124.235, TCP_-_EDNS0_4096_D_)
miabdnstest.ml/SOA: The response had an invalid RCODE (REFUSED). (205.185.124.235, UDP_-_EDNS0_4096_D_K, UDP_-_EDNS0_4096_D_K_0x20)
miabdnstest.ml/TXT: The response had an invalid RCODE (REFUSED). (205.185.124.235, UDP_-_EDNS0_4096_D_K)
Hmmm … interesting. I am upgrading Mail-in-a-Box to a newer version on a current release of Ubuntu (18.04 LTS) … everything worked fine on the previous version. I will have to check over there to see what may be causing this. I have not seen anything similar on their forums … yet…
Oh!!!
[they should probably stick to doing mail then]
nslookup -q=ns miabdnstest.ml # first try timed out
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
nslookup -q=ns miabdnstest.ml # second try worked but returns only one IP
miabdnstest.ml nameserver = ns1.box.miabdnstest.ml
miabdnstest.ml nameserver = ns2.box.miabdnstest.ml
ns1.box.miabdnstest.ml internet address = 205.185.124.235
ns2.box.miabdnstest.ml internet address = 205.185.124.235
Normally there are NEVER any issues … there must be some bug in my reinstall.
And yes … poor implementation, but at the moment there is only one IP for the name server, which is against RFC but works (except for a few specific TLDs).