Another CAA record failure issue

alento · February 17, 2019, 1:47pm

I just 10 seconds ago restarted NSD.

rg305 · February 17, 2019, 1:48pm

I see no improvement

Osiris · February 17, 2019, 1:50pm

You can test for yourself:

osiris@erazer ~ $ dig @ns1.box.miabdnstest.ml +dnssec miabdnstest.ml CAA

; <<>> DiG 9.11.1-P3 <<>> @ns1.box.miabdnstest.ml +dnssec miabdnstest.ml CAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 32967
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;miabdnstest.ml.			IN	CAA

;; Query time: 203 msec
;; SERVER: 205.185.124.235#53(205.185.124.235)
;; WHEN: Sun Feb 17 14:48:34 CET 2019
;; MSG SIZE  rcvd: 43

osiris@client ~ $

You might be able to increase the verbosity of the logging of your DNS server. Then, do something like tail -f on the relevant log file and try the above dig command: it should produce something in the log, hopefully a pointer to what's wrong. If not, increase verbosity further and try again or try the correct log file.

alento · February 17, 2019, 1:51pm

@rg305

The .yaml file …

This file describes the network interfaces available on your system

For more information, see netplan(5).

network:
version: 2
renderer: networkd
ethernets:
eth0:
dhcp4: yes
nameservers:
search: [mydomain, otherdomain]
addresses: [1.1.1.1, 8.8.8.8, 4.4.4.4]
01-netcfg.yaml (END)

Is this the culprit???

search: [mydomain, otherdomain]

(I copied and pasted so do not know if that line really belongs there or not)

rg305 · February 17, 2019, 2:18pm

There is no DNS at 4.4.4.4 (that I know of).
I don know of 8.8.4.4
and 4.2.2.2
[actually 4.2.2.1 - 4.2.2.6]

does that really say
"search: [mydomain, otherdomain]"
that can't be good!

I would rem that out and restart and recheck.

rg305 · February 17, 2019, 2:21pm

In (re)review, this file seems unrelated to an actual nameserver config.
It seems more like a file that would go onto any similar system (even those NOT being used as a nameserver).
Like just settings found in ifconfig / ipconfig
[found on every NIC on every system]

Is this you first nameserver?

alento · February 17, 2019, 2:23pm

Just to be specific that is the .yaml file for netplan … where the resolvers needed to be set.

I have tried increasing the verbosity of nsd and I am not getting any more log entries than I was getting … which was only nsd starting up.

rg305 · February 17, 2019, 2:24pm

OK so that only provides your system a way to obtain DNS (i.e. DNS client).
The problem is with the DNS server.

alento · February 17, 2019, 2:25pm

Right, exactly! However when I started this mess I was unable to resolve anything. Hence the need to edit that file.

rg305 · February 17, 2019, 2:28pm

OK.
So can you get DNS now?
Did that fix the DNS server issue?

alento · February 17, 2019, 2:31pm

As far as the server resolving anything yea that is fixed … as far as the server serving any DNS records, no … something is horribly wrong. I have installed this system dozens of times, and in the past it has always just worked. I think that I am going to destroy the VPS and start over.

Sadly, I am admittedly a n00b when it comes to the deep down details of nsd server and configuring one, etc.

Thanks for all the attempts at helping @rg305 @Osiris and @JuergenAuer … may the next attempt go better. If nothing else you guys showed me some neat tools.

rg305 · February 17, 2019, 2:39pm

Sadly I an also a noob to that particular DNS software.
[so much so that when I first read “NSD” in your post I immediately thought “TYPO” and just read it as “DNS”]

I do however speak geek on other DNS software; But not on that one

_az · February 17, 2019, 8:48pm

Your DNS servers appear to have the basic ability to respond to queries for the box. zone:

$ dig +noall +answer @ns1.box.miabdnstest.ml box.miabdnstest.ml soa
box.miabdnstest.ml.     1800    IN      SOA     ns1.box.miabdnstest.ml. hostmaster.box.miabdnstest.ml. 2019021700 7200 1800 1209600 1800

So I would take a look in /etc/nsd/zones/ and see if the zone for ‘just’ miabdnstest.ml is missing.

If it’s missing, check what the PRIMARY_HOSTNAME is set to (it should be set to mlabdnstest.ml):

grep PRIMARY_HOSTNAME /etc/mailinabox.conf

All of this stuff should be automatically generated during setup when you are prompted to nominate your email address (contact@mlabdnstest.ml) and your hostname (box.mlabdnstest.ml).

If something goes wrong during the initial setup or you didn’t provide the above setup answers, I can see how the right zonefiles might not get generated.

alento · February 17, 2019, 9:50pm

@_az

BINGO!

There was no zone file for miabdnstest.ml, as there had not been an email address created for the naked domain yet. Once I added an email@miabdnstest.ml, the cert provisioned with no issues.

Thank you for pointing me in the right direction.

system · March 19, 2019, 9:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.