CAA failure on vn ccTLD


#1

Hello,

Last night I received a report of further problems in VN :frowning:

Error during certificate generation: acme error ‘caa’: Error creating new cert :: Rechecking CAA: While processing CAA for www.apphome.com.vn: DNS problem: SERVFAIL looking up CAA for vn, While processing CAA for apphome.com.vn: DNS problem: SERVFAIL looking up CAA for vn, While processing CAA for mail.apphome.com.vn: DNS problem: SERVFAIL looking up CAA for vn, aborting

Is there any further detail from the CA side on the problem? Is it still happening/was it intermittent/was there a clear start and conclusion?


#2

That’s more an issue for the vn ccTLD vendor - it’s nothing the CA can control. The .vn DNS servers are not properly responding to CAA queries, which is required. However, you can work around this by creating your own CAA entry in your DNS that allows issuance from Let’s Encrypt. This will take precedence over the TLD CAA record, so it won’t even be checked.
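The workaround described above, as an added example that is not code from the post or from Let's Encrypt's own (Boulder) implementation: a simplified model of the CAA tree climb (RFC 8659 §3) run over constructed zone data, showing that a CAA record published at apphome.com.vn stops the climb before the broken vn servers are ever queried. The zone contents and the `check_issuance` helper are assumptions for illustration.

```python
# Added example: a minimal model of the CAA tree climb (RFC 8659 section 3).
# This is not Boulder's code; the zone data below is constructed.

SERVFAIL = object()  # sentinel: the resolver could not get an answer

# Constructed "DNS": name -> list of (flags, tag, value) CAA records.
# "vn" maps to SERVFAIL to mirror the broken ccTLD servers in the thread.
ZONES_BROKEN_TLD = {
    "vn": SERVFAIL,
    "com.vn": [],
    "apphome.com.vn": [],
    "www.apphome.com.vn": [],
}

# Same tree, but the domain owner has published its own CAA record.
ZONES_WITH_OWN_CAA = dict(ZONES_BROKEN_TLD)
ZONES_WITH_OWN_CAA["apphome.com.vn"] = [(0, "issue", "letsencrypt.org")]


def lookup_caa(zones, fqdn):
    """Return the CAA RRset that governs fqdn.

    Walk from the FQDN towards the root and use the first non-empty CAA
    RRset found. A SERVFAIL hit before any record is found fails the
    whole check, so the CA must not issue.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = zones.get(name, [])
        if rrset is SERVFAIL:
            raise LookupError(f"SERVFAIL looking up CAA for {name}")
        if rrset:
            return rrset
    return []  # reached the root with no CAA: any CA may issue


def check_issuance(zones, fqdn, ca="letsencrypt.org"):
    """Return 'allowed', 'denied' or 'error: ...' (non-wildcard names only)."""
    try:
        rrset = lookup_caa(zones, fqdn)
    except LookupError as e:
        return f"error: {e}"
    issue = [v for _, tag, v in rrset if tag == "issue"]
    if not issue or any(v.split(";")[0].strip() == ca for v in issue):
        return "allowed"
    return "denied"


if __name__ == "__main__":
    print("without own CAA:", check_issuance(ZONES_BROKEN_TLD, "www.apphome.com.vn"))
    print("with own CAA:   ", check_issuance(ZONES_WITH_OWN_CAA, "www.apphome.com.vn"))
```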


#3

Yes, I understand that the ccTLD operator is to blame here. I’m just wondering whether I can get info about timeframe of how long the issue was around.


#4

@jared.m, @_az is a super-avid forum contributor and is no doubt aware of the background behind this particular situation. :slight_smile:


#5

Yup, I didn’t even read the username before responding. :laughing: Once I saw the response I realized my mistake.


#6

I’ll take a look at our logs, thanks for raising it.


#7

So far it looks like we started seeing these errors around 2018-03-15 0600 UTC and stopped around 2018-03-15 2000 UTC. Note that I haven’t had a chance to dig deeper and see if there were any successful vn requests before or after that window. If you need more detail I can grab it tomorrow.


#8

Looks like vn had various DNS issues today…

Unless I missed something, they didn’t have to be fatal – one DNS server was down, a couple had disabled DNSSEC – but perhaps Unbound gave up or cached something unfortunate.

And that doesn’t explain the issues from 14:30 - 20:00. (Maybe Let’s Encrypt hit different anycast servers with different issues?)

