CAA SERVFAIL (But not every time at Google DNS)

#1

https://crt.sh/?q=www.as-motor.com

My domain is: www.as-motor.com

I ran this command: https://letsdebug.net/www.as-motor.com/33478

It produced this output at cert renewing: DNS problem: SERVFAIL looking up CAA for www.as-motor.com

When I use dig locally, I always get status NOERROR… when I dig against Google, I often get status NOERROR, but sometimes it returns SERVFAIL - I have no idea why that happens sometimes…

dig +dnssec www.as-motor.com caa @publicdns.goog

We renewed the certificate many times before, but now it has problems, and nothing changed in the DNS settings at our client.

Any ideas what we can tell them they have to change?

#2

Hi @karlkowald

Does the renew work? Or is this only a test problem?

The error is curious. My tool doesn’t see an error ( https://check-your-website.server-daten.de/?q=as-motor.com ):

Instead:

• Algorithm: 13, 2 Labels, original TTL: 300 sec, Signature-expiration: 25.04.2019, 00:00:00, Signature-Inception: 04.04.2019, 00:00:00, KeyTag 30324, Signer-Name: as-motor.com

• Status: Good - Algorithmus 13 and DNSKEY with KeyTag 30324 used to validate the DNSKEY RRSet

• Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 30324, DigestType 2 and Digest “p7PF9BXUsAki7YRwczw+LZq37kJ1+mR+pseE0hqQr/U=” validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

RRSIG Type 1, expiration 2019-04-25 00:00:00 validates the A - Result: 138.201.164.163

RRSIG Type 16, expiration 2019-04-25 00:00:00 validates the TXT - Result: google-site-verification=G4svZHxOXP9VKwndUXm8MhesyDi0rhgj55HQakyKC-w

RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the CNAME RR

RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the AAAA RR

RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the TLSA RR

RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the CAA RR

But it’s a 47 - answer (NSEC), not a 50 (NSEC3).

Unboundtest

https://unboundtest.com/m/CAA/as-motor.com/G5SHUUUE

doesn’t see an error:

Response:
;; opcode: QUERY, status: NOERROR, id: 63031
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

And your www version has working DNSSEC results:

RRSIG Type 1, expiration 2019-04-25 00:00:00 validates the A - Result: 138.201.164.163

RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the CNAME RR

RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the TXT RR

RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the AAAA RR

RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the TLSA RR

RRSIG Type 47, expiration 2019-04-25 00:00:00 validates the NSEC RR that proves the not-existence of the CAA RR

Perhaps add a CAA entry, if this is possible.

#3

You have the issue from this thread:

#4

@JuergenAuer: no, renew breaks because of that error.

@mnordhoff: Does this mean there is DNSSEC information that says there should not be a www.as-motor.com, but there is one? And if so, why does the Google DNS service only sometimes return a SERVFAIL and not every time?

#5

Yes.

Probably just because, if you don’t look up any names that don’t exist, the resolver won’t know that the “does not exist” records are wrong.
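A way to check for the condition described in this reply, as an added example that is not part of the thread (the zone name is the thread's, the NSEC chain and its names are constructed): it applies the RFC 4034 canonical name order to find NSEC records that deny a name the chain also contains.

```python
"""Added example (not from the thread): detect an NSEC chain that both
contains a name and denies its existence. A validating resolver that has
cached the denying NSEC (after someone looked up a name that really does
not exist) treats the existing name as missing; which record is cached
decides the answer, so the failure looks intermittent."""

def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 s6.1 canonical DNS name order: labels compared
    from the root downward, case-insensitively, shorter prefix first."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))

def in_zone(name: str, zone: str) -> bool:
    n, z = canonical_key(name), canonical_key(zone)
    return n[:len(z)] == z

def nsec_covers(owner: str, next_name: str, name: str, zone: str) -> bool:
    """True if the NSEC owner->next asserts that `name` does not exist:
    name sorts strictly between them (the last NSEC wraps to the apex)."""
    o, nx, n = (canonical_key(x) for x in (owner, next_name, name))
    if not in_zone(name, zone) or n == o:
        return False          # out of zone, or name is the NSEC owner (exists)
    if o < nx:                # ordinary link in the chain
        return o < n < nx
    return o < n              # last link: next_name is the apex

def check_chain(zone: str, chain: list, name: str) -> dict:
    """Report whether `name` is an NSEC owner (exists), which NSECs cover it
    (deny it), and whether both hold at once (inconsistent chain)."""
    owners = {canonical_key(o) for o, _ in chain}
    exists = canonical_key(name) in owners
    denied_by = [(o, nx) for o, nx in chain if nsec_covers(o, nx, name, zone)]
    return {"exists": exists, "denied_by": denied_by,
            "inconsistent": exists and bool(denied_by)}

# Constructed sample chain: the link after mail.* skips www.* (stale), while a
# separate NSEC owned by www.as-motor.com proves that name exists.
SAMPLE_ZONE = "as-motor.com"
SAMPLE_CHAIN = [
    ("as-motor.com", "mail.as-motor.com"),
    ("mail.as-motor.com", "as-motor.com"),   # stale: should point at www
    ("www.as-motor.com", "as-motor.com"),    # www exists (CAA absent from bitmap)
]

if __name__ == "__main__":
    print(check_chain(SAMPLE_ZONE, SAMPLE_CHAIN, "www.as-motor.com"))
    print(check_chain(SAMPLE_ZONE, SAMPLE_CHAIN, "nope.as-motor.com"))
```

Run it against your own zone's NSEC records (owner and next name of each) to see whether any link denies a name that also has its own NSEC.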

#6

OK, I will take a look at that… thanks…

But I just make this call, i.e. 10 times…
dig +dnssec www.as-motor.com caa @publicdns.goog

Then it returns NOERROR 8 times and SERVFAIL 2 times - and that's a crazy behavior I only know from setups where nameservers answer with different answers, but not when all nameservers are sending the same answer. :slight_smile:
