CAA SERVFAIL with tls-sni-01 for specific subdomain

Hi,

I’m having some trouble passing a challenge for ownership of a specific (sub)domain name.

My domain is:
widenet.politicalmashup.nl

I ran this command:
sudo certbot --nginx

It produced this output:

       Type:   connection
       Detail: DNS problem: SERVFAIL looking up CAA for
       widenet.politicalmashup.nl

My web server is (include version):
nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04 server

What I find strange is that I cannot reproduce the CAA Servfail using any of the domain’s DNS servers. For instance:

$ dig widenet.politicalmashup.nl caa @ns5.firstfind.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> widenet.politicalmashup.nl caa @ns5.firstfind.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54186
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;widenet.politicalmashup.nl.    IN      CAA

;; AUTHORITY SECTION:
politicalmashup.nl.     3600    IN      SOA     ns3.firstfind.nl. hostmaster.firstfind.nl. 2017080101 16384 2048 1048576 14400

;; Query time: 4 msec
;; SERVER: 213.136.15.188#53(213.136.15.188)
;; WHEN: Wed Aug 02 19:25:22 CEST 2017
;; MSG SIZE  rcvd: 116

But using Google’s DNS (the default on this server), the CAA query does respond with Servfail:

$ dig widenet.politicalmashup.nl caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> widenet.politicalmashup.nl caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19670
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;widenet.politicalmashup.nl.    IN      CAA

;; Query time: 22 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Aug 02 19:25:32 CEST 2017
;; MSG SIZE  rcvd: 55

It could be my misunderstanding, but I was under the impression that the DNS servers associated with the domain name would be used for the ownership challenge.
What should I do to obtain a certificate for this subdomain?

Thanks,
Alex

Let’s ask @jsha to help because he’s just successfully diagnosed so many other CAA SERVFAIL issues!

Thanks @schoen, any help would be much appreciated!

I just saw a related thread: SERVFAIL looking up CAA, but I see NOERROR myself

Unfortunately, it seems to be unresolved and I’m not sure if I fully understand the mentioned diagnostics.

It does seem to be a similar – or the same – issue.

Aug  2 18:00:48 jane unbound: [3554:0] debug: Validating a nodata response
Aug  2 18:00:48 jane unbound: [3554:0] debug: nsec3: keysize 1024 bits, max iterations 150
Aug  2 18:00:48 jane unbound: [3554:0] debug: nsec3 proveClosestEncloser: could not find a candidate for the closest encloser.
Aug  2 18:00:48 jane unbound: [3554:0] debug: proveNodata: did not match qname, nor found a proven closest encloser.
Aug  2 18:00:48 jane unbound: [3554:0] debug: NODATA response failed to prove NODATA status with NSEC/NSEC3
Aug  2 18:00:48 jane unbound: [3554:0] info: Failed NODATA ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0#012;; flags: qr ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0 #012;; QUESTION SECTION:#012Widenet.Politicalmashup.Nl.#011IN#011CAA#012#012;; ANSWER SECTION:#012#012;; AUTHORITY SECTION:#012Politicalmashup.Nl.#0113599#011IN#011SOA#011ns3.firstfind.Nl. hostmaster.firstfind.Nl. 2017080101 16384 2048 1048576 14400#012Politicalmashup.Nl.#0113599#011IN#011RRSIG#011SOA 8 2 3600 20170810000000 20170720000000 30999 politicalmashup.nl. PnPuPIdkm8MkLJKfvMjx0LjjKWcULjHNC4AclRuCT9l5gTW1NGdR0HXrKammM72bReRN6ip/JNGqMDyepqCISfQD+TvcZ2tFn4tvN9KQsVBaHxCf+wiXCFPVuc2fzPXBES5AO74TPz+wo2oiJS93nBnkClwwnYMOD0YE3TF39mM= ;{id = 30999}#0125i5u06l6d8mg3tq3ujp0ju5bp3vjpbmo.Politicalmashup.Nl.#01114399#011IN#011NSEC3#0111 0 1 AB 6pdadfop7rm5vah477frmvduep4nmjsb CNAME RRSIG#0125i5u06l6d8mg3tq3ujp0ju5bp3vjpbmo.Politicalmashup.Nl.#01114399#011IN#011RRSIG#011NSEC3 8 3 14400 20170810000000 20170720000000 30999 politicalmashup.nl. IbhJ2cQPeRs/6//8mijik8BaJoY+cTwmidEo2NtxeMb5dEDpdaHDEUWGmIJNSmUGGtSE1mRx7S6+ggeefK+p6wx+sFepLy2Kik+FBio89waLPxJX9YO1mq7IhB84ydRG+YIR25fobjqJtoIn7nx44WdIvAJbnpYQMDBsuOnzK0E= ;{id = 30999}#012#012;; ADDITIONAL SECTION:#012;; MSG SIZE  rcvd: 541
Aug  2 18:00:48 jane unbound: [3554:0] info: validate(nodata): sec_status_bogus

I’m not enough of a DNSSEC expert to figure exactly what is wrong with its negative responses, though.

Check https://letsencrypt.org/docs/caa/. To me this looks like it’s the same problem with PowerDNS where DNSSEC signatures across empty responses with mixed capitalization are bogus. If your provider is using PowerDNS, you should ask them to upgrade. If not, please let us know what software it is so we can help get it fixed.

Note that I haven’t spelunked in the records myself, but based on the comments here it seems to have the exact same symptoms.
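To make the "mixed capitalization" failure concrete, here is an added example (my own code, not from this thread, certbot, unbound or PowerDNS) that computes the RFC 5155 NSEC3 owner hash for a name in its canonical lowercase form and, optionally, in the mixed-case form as received, and classifies the NSEC3 record quoted in the unbound log above against each spelling. The record's owner hash, next hash, salt and iteration count are copied from that log; everything else is assumed for illustration.

```python
import base64
import hashlib

# NSEC3 record copied from the unbound log quoted in the thread
# (algorithm 1 = SHA-1, flags 0, 1 extra iteration, salt AB).
LOGGED_NSEC3 = {"owner_hash": "5i5u06l6d8mg3tq3ujp0ju5bp3vjpbmo",
                "next_hash": "6pdadfop7rm5vah477frmvduep4nmjsb",
                "iterations": 1, "salt": "AB"}

_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"

def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex, unpadded, lowercased as dig prints it."""
    std = base64.b32encode(data).rstrip(b"=")
    return std.translate(bytes.maketrans(_STD, _HEX)).decode().lower()

def wire_name(name: str, canonical: bool = True) -> bytes:
    """Owner name in wire format. RFC 4034 s6.2 requires the canonical
    (lowercase) form; canonical=False keeps the case as received, which
    is the mixed-capitalization mistake the thread describes."""
    if canonical:
        name = name.lower()
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int, canonical: bool = True) -> str:
    """RFC 5155 s5: H(x) = SHA-1(x || salt), re-applied `iterations` times."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name, canonical) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def nsec3_matches(name: str, rec: dict, canonical: bool = True) -> bool:
    """Owner hash equals H(name): the record lists the types present at `name`."""
    return nsec3_hash(name, rec["salt"], rec["iterations"], canonical) == rec["owner_hash"]

def nsec3_covers(name: str, rec: dict, canonical: bool = True) -> bool:
    """H(name) lies strictly between owner and next hash: proof that `name`
    does not exist (with wrap-around at the end of the hash chain)."""
    h = nsec3_hash(name, rec["salt"], rec["iterations"], canonical)
    lo, hi = rec["owner_hash"], rec["next_hash"]
    return lo < h < hi if lo < hi else (h > lo or h < hi)

def classify(name: str, rec: dict, canonical: bool = True) -> str:
    """What a validator may conclude about `name` from this single NSEC3."""
    if nsec3_matches(name, rec, canonical):
        return "matches"
    return "covers" if nsec3_covers(name, rec, canonical) else "no proof"
```

Running `classify` on the logged record with `canonical=True` and `canonical=False` shows why an authoritative server that hashes the query name as received produces a proof a validator will reject: the two spellings hash to different owner names, while a correct validator hashes the canonical form only.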

This domain’s nameservers, and those from another recent thread, all return an honest-to-God SERVFAIL in response to version.bind txt ch queries. Is PowerDNS known to do that?

I’ve asked the domain provider what they are using. Not sure I can count on a quick reply though.

If PowerDNS directive version-string is configured as anonymous, yes, it returns SERVFAIL.

Cheers,
sahsanu

Interesting! Thanks. I'm surprised it's not REFUSED or something, but that is some evidence those servers are PowerDNS.