Hi @karlkowald
does the renew work? Or is this only a test problem?
The error is curious. My tool doesn't see an error ( https://check-your-website.server-daten.de/?q=as-motor.com ):
Instead:
• Algorithm: 13, 2 Labels, original TTL: 300 sec, Signature-expiration: 25.04.2019, 00:00:00, Signature-Inception: 04.04.2019, 00:00:00, KeyTag 30324, Signer-Name: as-motor.com
• Status: Good - Algorithmus 13 and DNSKEY with KeyTag 30324 used to validate the DNSKEY RRSet
• Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 30324, DigestType 2 and Digest "p7PF9BXUsAki7YRwczw+LZq37kJ1+mR+pseE0hqQr/U=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
RRSIG Type 1, expiration 2019-04-25 00:00:00 validates the A - Result: 138.201.164.163
RRSIG Type 16, expiration 2019-04-25 00:00:00 validates the TXT - Result: google-site-verification=G4svZHxOXP9VKwndUXm8MhesyDi0rhgj55HQakyKC-w
RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the CNAME RR
RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the AAAA RR
RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the TLSA RR
RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the CAA RR
But it's a 47 - answer (NSEC), not a 50 (NSEC3).
Unboundtest
https://unboundtest.com/m/CAA/as-motor.com/G5SHUUUE
doesn't see an error:
Response:
;; opcode: QUERY, status: NOERROR, id: 63031
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
And your www version has working DNSSEC results:
RRSIG Type 1, expiration 2019-04-25 00:00:00 validates the A - Result: 138.201.164.163
RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the CNAME RR
RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the TXT RR
RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the AAAA RR
RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the TLSA RR
RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the CAA RR
Perhaps add a CAA entry, if this is possible.