Another CAA record failure issue


I just 10 seconds ago restarted NSD.


I see no improvement :frowning:


You can test for yourself:

osiris@erazer ~ $ dig +dnssec CAA

; <<>> DiG 9.11.1-P3 <<>> +dnssec CAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 32967
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags: do; udp: 4096
;			IN	CAA

;; Query time: 203 msec
;; WHEN: Sun Feb 17 14:48:34 CET 2019
;; MSG SIZE  rcvd: 43

osiris@client ~ $ 

You might be able to increase the verbosity of the logging of your DNS server. Then, do something like tail -f on the relevant log file and try the above dig command: it should produce something in the log, hopefully a pointer to what’s wrong. If not, increase verbosity further and try again or try the correct log file.



The .yaml file …

This file describes the network interfaces available on your system

For more information, see netplan(5).

version: 2
renderer: networkd
dhcp4: yes
search: [mydomain, otherdomain]
addresses: [,,]
01-netcfg.yaml (END)

Is this the culprit???

search: [mydomain, otherdomain]

(I copied and pasted so do not know if that line really belongs there or not)


There is no DNS at (that I know of).
I don't know of
[actually -]

does that really say
“search: [mydomain, otherdomain]”
that can’t be good!

I would rem that out and restart and recheck.


In (re)review, this file seems unrelated to an actual nameserver config.
It seems more like a file that would go onto any similar system (even those NOT being used as a nameserver).
Like just settings found in ifconfig / ipconfig
[found on every NIC on every system]

Is this your first nameserver?


Just to be specific that is the .yaml file for netplan … where the resolvers needed to be set.

I have tried increasing the verbosity of nsd and I am not getting any more log entries than I was getting … which was only nsd starting up.


OK so that only provides your system a way to obtain DNS (i.e. DNS client).
The problem is with the DNS server.


Right, exactly! However when I started this mess I was unable to resolve anything. Hence the need to edit that file.


So can you get DNS now?
Did that fix the DNS server issue?


As far as the server resolving anything yea that is fixed … as far as the server serving any DNS records, no … something is horribly wrong. I have installed this system dozens of times, and in the past it has always just worked. I think that I am going to destroy the VPS and start over.

Sadly, I am admittedly a n00b when it comes to the deep down details of nsd server and configuring one, etc. :frowning:

Thanks for all the attempts at helping @rg305 @Osiris and @JuergenAuer … may the next attempt go better. If nothing else you guys showed me some neat tools. :slight_smile:


Sadly I am also a noob to that particular DNS software.
[so much so that when I first read “NSD” in your post I immediately thought “TYPO” and just read it as “DNS”]

I do however speak geek on other DNS software; but not on that one :frowning:


Your DNS servers appear to have the basic ability to respond to queries for the box. zone:

$ dig +noall +answer soa     1800    IN      SOA 2019021700 7200 1800 1209600 1800

So I would take a look in /etc/nsd/zones/ and see if the zone for ‘just’ is missing.

If it’s missing, check what the PRIMARY_HOSTNAME is set to (it should be set to

grep PRIMARY_HOSTNAME /etc/mailinabox.conf

All of this stuff should be automatically generated during setup when you are prompted to nominate your email address ( and your hostname (

If something goes wrong during the initial setup or you didn’t provide the above setup answers, I can see how the right zonefiles might not get generated.
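The REFUSED reply quoted earlier in the thread and the zone check suggested in the post above can be triaged from the dig header alone. The following is an added example, not code from any poster or from Mail-in-a-Box; the sample transcripts are constructed, `example.com` is a placeholder, and `triage_caa` is a hypothetical helper name.

```python
import re

# Constructed dig transcripts modelled on the output quoted in this thread;
# example.com is a placeholder, not the poster's domain.
REFUSED_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 32967
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
"""
EMPTY_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1201
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
RECORD_SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4410
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.com.\t\t1800\tIN\tCAA\t0 issue "letsencrypt.org"
"""

STATUS = re.compile(r"status:\s*(\w+)")
FLAGS = re.compile(r"flags:\s*([a-z ]*);.*?ANSWER:\s*(\d+)")

def triage_caa(dig_output):
    """Classify one `dig CAA` reply sent directly to an authoritative server."""
    status = STATUS.search(dig_output)
    flags = FLAGS.search(dig_output)
    if not status or not flags:
        return "unparsed", "no dig header found in input"
    rcode = status.group(1).upper()
    aa = "aa" in flags.group(1).split()   # authoritative-answer flag
    answers = int(flags.group(2))
    if rcode in ("REFUSED", "SERVFAIL"):
        # No definitive answer: a CA checking CAA cannot proceed.
        return "lookup-failure", f"{rcode}: check that the server loads a zone for this name"
    if rcode == "NXDOMAIN" or (rcode == "NOERROR" and answers == 0):
        where = "authoritative" if aa else "non-authoritative"
        return "no-caa", f"{where} empty answer: CAA lookup continues at the parent name"
    if rcode == "NOERROR":
        return "caa-present", f"{answers} record(s) in the answer section"
    return "lookup-failure", f"unexpected rcode {rcode}"

if __name__ == "__main__":
    for label, text in [("refused", REFUSED_SAMPLE), ("empty", EMPTY_SAMPLE),
                        ("record", RECORD_SAMPLE)]:
        print(label, triage_caa(text))
```

A `lookup-failure` result for the bare domain alongside a normal answer for the box's own zone is the pattern this thread ends on: the server runs, but one zone was never generated.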




There was no zone file for, as there had not been an email address created for the naked domain yet. Once I added an, the cert provisioned with no issues.

Thank you for pointing me in the right direction. :slight_smile:
