Cannot issue certificate: CAA lookups SRVFAIL

Domain in question: firc.de

At the moment it is impossible to issue any more certificates for my domain because CAA lookups SRVFAIL:
[Mon Oct 9 00:05:45 CEST 2017] firc.de:Verify error:DNS problem: SERVFAIL looking up CAA for firc.de

The domains primary NS is ns.inwx.de, which answers correctly:

$ dig +dnssec CAA firc.de. @ns.inwx.de
firc.de.                3600    IN      CAA     0 issue "letsencrypt.org"
firc.de.                3600    IN      CAA     0 iodef "mailto:hostmaster@firc.de"

The lookups fail on LetsEncrypt and 8.8.8.8, but work on 141.1.1.1.
The 8.8.8.8 aspect seems very strange, since +dnssec lookups for e.g. A or MX succeed.

DNSSEC on firc.de looks fine: http://dnsviz.net/d/firc.de/dnssec/
CAATest thinks it’s fine, too: https://caatest.co.uk/firc.de

I ran this unboundtest, but cannot make sense of the output:
https://unboundtest.com/m/CAA/firc.de/RTDM54UX

I already contacted my domain registrar who also runs the nameservers, they don’t have a clue.

It would be greatly appreciated if somebody here could shed light on this issue.
(My certificates will start expiring soon, I’m on yellow alert :wink:)

Hi @fireglow

I believe it could be something to do with IPV6.

Does your server listen to IPV6 addresses?

Andrei

This seems to be a DNSSEC issue. While DNSSEC seems to be configured correctly and a valid signature is provided for things like the A record, there seems to be an issue for the CAA record.

You can use DNSViz to check for CAA specifically, the results can be found here. It’s reporting the following error:

firc.de/CAA: No RRSIG covering the RRset was returned in the response. (46.165.212.97, 95.211.1.145, 108.59.8.65, 176.97.158.104, 192.174.68.104, 2001:67c:1bc::104, 2001:67c:10b8::104, 2001:1af8:4400:a048:1::1, 2604:9a00:2010:a013:1::1, 2a00:c98:2100:a006:3::1, UDP_0_EDNS0_32768_4096)

4 Likes

Hi @fireglow,

You have not set RRSIG records covering CAA records:

$ dig +dnssec @ns.inwx.de firc.de caa +short
0 iodef "mailto:hostmaster@firc.de"
0 issue "letsencrypt.org"

But you have RRSIG records for A, AAAA, TXT, NS, SOA,… records:

$ dig +dnssec @ns.inwx.de firc.de a +short
62.210.152.91
A 8 2 3600 20171021193325 20171007193325 26320 firc.de. UhbqFg7apJ4afTPqpuulrWrANZ4vlvz9fW84+OClxwtK93zmeGbCQ8JC Zk3aWUaO0yiHwgAO1l0n7SZL+HXIKva8Em7sxnNpyGPizRRfA0kLILKu XRkEWcXLrziQhoL1z8JfRXkXBv3zuYnxu28J282+OSlt8CmpRBtCgXsD 3Co=

$ dig +dnssec @ns.inwx.de firc.de aaaa +short
2001:bc8:3353:100::1
AAAA 8 2 3600 20171021193325 20171007193325 26320 firc.de. J1CQf5mp6gUWqTSZ8GgtCisOcSmzONRxMZGoPhHmlFSPfkM9ugLuhMPx Q0P84u8BevHIQ+0RxktWxkkmaNn1eZaXIp5Z0vQe8HXBJYfjDet04dGs t73VcBE65rjSRBua2gHJMR0Hj4Faj4SPst74SgYp7R9oqbOsNpB2WTAg +XQ=

$ dig +dnssec @ns.inwx.de firc.de txt +short
TXT 8 2 3600 20171021193325 20171007193325 26320 firc.de. RcaW6WKi7K3RY8FNndJTQnecnvUAc5j6+tl8WhwAEgQlGLrm3Q1fQ8O9 hv78B/rphMjVIIche5JIfrQW/hJPLJ3LpF6i081pDoHyF2vy863Vdr4F /YHDpJlDqkr5KWkOLG/nmI/S4yRnnOqCVynsu1QhOsdqacFRN2p6nUkU c0w=
"v=spf1 +mx +ip4:212.129.1.203 +ip6:2001:bc8:3353:100::10/64 include:mailgun.org -all"
 
$ dig +dnssec @ns.inwx.de firc.de ns +short
ns3.inwx.eu.
ns2.inwx.de.
ns.inwx.de.
ns4.inwx.com.
NS 8 2 3600 20171021193325 20171007193325 26320 firc.de. gnMylL1Tn4NqGBmpWixu4E2HzVysv6Jz7Qf/OjwRqy4eo1KH6z1y0pFx 3lPy8YAvwYzo+ywh+djW69fFbMZBFlkZ6LIIlpLMTiQZKOAKFk8p1u3H 8pIw5ke9E6DQPXEPyjbtS9z8tYSa4ikBIKiTb4ru5kjnzM2OAXiQuAvl nK8=
ns5.inwx.net.

$ dig +dnssec @ns.inwx.de firc.de soa +short
SOA 8 2 3600 20171022221904 20171008221904 26320 firc.de. BuLRD8D/sTUQU5P2PiiGPvzGTd+wij3X++dh/7g4JKV2DW674k3Ebruy 86NzBNOg40+8ipk7ABiyFsT17O6GIMD2K1zBgnzYeVQ8rYYJl9P/nGqq 2RAvS9ZFzB9YP3C/StNDHH/o6DLhWBD6k24E4hwgphEYHIPX3HRnuBeJ uYc=
ns.inwx.de. hostmaster.firc.de. 2017011271 10800 300 604800 3600

So yes, you should talk to the company who is managing your name servers.

Edit: Sorry, I didn’t see @pfg already posted the same conclusion.

Cheers,
sahsanu

3 Likes

@pfg and @sahsanu: Thank you both so much!
I’m letting Knot handle DNSSEC automatically.
Will have to investigate why RRSIG records are not created for CAA.
Very many thanks to you again, I wouldn’t have found this in 1000 years.

Just a quick edit to vindicate Knot:
Knot creates RRSIGs correctly, it’s the upstream nameservers that do not seem to propagate it.

2 Likes

Same here, my bind manages dnssec, and i use inwx-servers as slaves. If I compare my zone with the zone-data visible in inwx-webinterface, the rrsig for caa is lost. I was in contact with inwx, but problem still is not resolved.

They do support caa and dnssec, bot not both at the same time.

1 Like

They just told me the same thing.
What are alternatives? I’d like to keep my master-slave setup.
ClouDNS for 2 USD/month seems reasonable, but maybe there’s something better?

I decided to go without CAA records until inwx resolves this problem.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.