Cannot issue certificate: CAA lookups SERVFAIL

Domain in question: firc.de

At the moment it is impossible to issue any more certificates for my domain because CAA lookups SERVFAIL:
[Mon Oct 9 00:05:45 CEST 2017] firc.de:Verify error:DNS problem: SERVFAIL looking up CAA for firc.de

The domain's primary NS is ns.inwx.de, which answers correctly:

$ dig +dnssec CAA firc.de. @ns.inwx.de
firc.de.                3600    IN      CAA     0 issue "letsencrypt.org"
firc.de.                3600    IN      CAA     0 iodef "mailto:hostmaster@firc.de"

The lookups fail on LetsEncrypt and 8.8.8.8, but work on 141.1.1.1.
The 8.8.8.8 aspect seems very strange, since +dnssec lookups for e.g. A or MX succeed.

DNSSEC on firc.de looks fine: http://dnsviz.net/d/firc.de/dnssec/
CAATest thinks it’s fine, too: https://caatest.co.uk/firc.de

I ran this unboundtest, but cannot make sense of the output:
https://unboundtest.com/m/CAA/firc.de/RTDM54UX

I already contacted my domain registrar who also runs the nameservers, they don’t have a clue.

It would be greatly appreciated if somebody here could shed light on this issue.
(My certificates will start expiring soon, I’m on yellow alert :wink:)

Hi @fireglow

I believe it could be something to do with IPV6.

Does your server listen to IPV6 addresses?

Andrei

This seems to be a DNSSEC issue. While DNSSEC seems to be configured correctly and a valid signature is provided for things like the A record, there seems to be an issue for the CAA record.

You can use DNSViz to check for CAA specifically, the results can be found here. It's reporting the following error:

firc.de/CAA: No RRSIG covering the RRset was returned in the response. (46.165.212.97, 95.211.1.145, 108.59.8.65, 176.97.158.104, 192.174.68.104, 2001:67c:1bc::104, 2001:67c:10b8::104, 2001:1af8:4400:a048:1::1, 2604:9a00:2010:a013:1::1, 2a00:c98:2100:a006:3::1, UDP_0_EDNS0_32768_4096)


Hi @fireglow,

You have not set RRSIG records covering CAA records:

$ dig +dnssec @ns.inwx.de firc.de caa +short
0 iodef "mailto:hostmaster@firc.de"
0 issue "letsencrypt.org"

But you have RRSIG records for A, AAAA, TXT, NS, SOA,… records:

$ dig +dnssec @ns.inwx.de firc.de a +short
62.210.152.91
A 8 2 3600 20171021193325 20171007193325 26320 firc.de. UhbqFg7apJ4afTPqpuulrWrANZ4vlvz9fW84+OClxwtK93zmeGbCQ8JC Zk3aWUaO0yiHwgAO1l0n7SZL+HXIKva8Em7sxnNpyGPizRRfA0kLILKu XRkEWcXLrziQhoL1z8JfRXkXBv3zuYnxu28J282+OSlt8CmpRBtCgXsD 3Co=

$ dig +dnssec @ns.inwx.de firc.de aaaa +short
2001:bc8:3353:100::1
AAAA 8 2 3600 20171021193325 20171007193325 26320 firc.de. J1CQf5mp6gUWqTSZ8GgtCisOcSmzONRxMZGoPhHmlFSPfkM9ugLuhMPx Q0P84u8BevHIQ+0RxktWxkkmaNn1eZaXIp5Z0vQe8HXBJYfjDet04dGs t73VcBE65rjSRBua2gHJMR0Hj4Faj4SPst74SgYp7R9oqbOsNpB2WTAg +XQ=

$ dig +dnssec @ns.inwx.de firc.de txt +short
TXT 8 2 3600 20171021193325 20171007193325 26320 firc.de. RcaW6WKi7K3RY8FNndJTQnecnvUAc5j6+tl8WhwAEgQlGLrm3Q1fQ8O9 hv78B/rphMjVIIche5JIfrQW/hJPLJ3LpF6i081pDoHyF2vy863Vdr4F /YHDpJlDqkr5KWkOLG/nmI/S4yRnnOqCVynsu1QhOsdqacFRN2p6nUkU c0w=
"v=spf1 +mx +ip4:212.129.1.203 +ip6:2001:bc8:3353:100::10/64 include:mailgun.org -all"
$ dig +dnssec @ns.inwx.de firc.de ns +short
ns3.inwx.eu.
ns2.inwx.de.
ns.inwx.de.
ns4.inwx.com.
NS 8 2 3600 20171021193325 20171007193325 26320 firc.de. gnMylL1Tn4NqGBmpWixu4E2HzVysv6Jz7Qf/OjwRqy4eo1KH6z1y0pFx 3lPy8YAvwYzo+ywh+djW69fFbMZBFlkZ6LIIlpLMTiQZKOAKFk8p1u3H 8pIw5ke9E6DQPXEPyjbtS9z8tYSa4ikBIKiTb4ru5kjnzM2OAXiQuAvl nK8=
ns5.inwx.net.

$ dig +dnssec @ns.inwx.de firc.de soa +short
SOA 8 2 3600 20171022221904 20171008221904 26320 firc.de. BuLRD8D/sTUQU5P2PiiGPvzGTd+wij3X++dh/7g4JKV2DW674k3Ebruy 86NzBNOg40+8ipk7ABiyFsT17O6GIMD2K1zBgnzYeVQ8rYYJl9P/nGqq 2RAvS9ZFzB9YP3C/StNDHH/o6DLhWBD6k24E4hwgphEYHIPX3HRnuBeJ uYc=
ns.inwx.de. hostmaster.firc.de. 2017011271 10800 300 604800 3600

So yes, you should talk to the company who is managing your name servers.

Edit: Sorry, I didn’t see @pfg already posted the same conclusion.

Cheers,
sahsanu

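The check sahsanu does by hand above (is there an RRSIG covering each RRset, and is it still inside its validity window?) as an added example; this is not code from the thread or from any of the tools mentioned. It parses the `dig +dnssec <type> +short` output format shown above; the sample answers are copied from the thread with the base64 signatures shortened, and nothing is verified cryptographically.

```python
import re
from datetime import datetime, timezone

# RRSIG lines as printed by `dig +dnssec <type> +short`, e.g.
# "A 8 2 3600 20171021193325 20171007193325 26320 firc.de. UhbqFg7a..."
# Fields: covered type, algorithm, labels, original TTL, expiration,
# inception, key tag, signer name, then the base64 signature.
RRSIG_RE = re.compile(
    r"^(?P<covered>[A-Z0-9]+) \d+ \d+ \d+ "
    r"(?P<expire>\d{14}) (?P<incept>\d{14}) \d+ \S+ "
)

def parse_time(yyyymmddhhmmss):
    """RRSIG timestamps are UTC in YYYYMMDDHHmmSS form."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_status(dig_short_output, now):
    """Return (covered type or None, reason) for one dig +short answer."""
    for line in dig_short_output.splitlines():
        m = RRSIG_RE.match(line.strip())
        if not m:
            continue  # plain RDATA line (address, CAA tag, SOA fields ...)
        if now < parse_time(m["incept"]):
            return m["covered"], "rrsig not yet valid"
        if now > parse_time(m["expire"]):
            return m["covered"], "rrsig expired"
        return m["covered"], "ok"
    return None, "no RRSIG in answer"

def audit_zone(outputs, now):
    """outputs maps RR type -> dig +short text. Returns the types a validating
    resolver would reject (SERVFAIL): unsigned, wrong covered type, or a
    signature outside its validity window."""
    broken = {}
    for rtype, text in outputs.items():
        covered, reason = rrsig_status(text, now)
        if reason != "ok":
            broken[rtype] = reason
        elif covered != rtype:
            broken[rtype] = f"RRSIG covers {covered}, not {rtype}"
    return broken

# Constructed sample: the thread's A and CAA answers, signatures shortened.
SAMPLE = {
    "A": "62.210.152.91\n"
         "A 8 2 3600 20171021193325 20171007193325 26320 firc.de. UhbqFg7apJ4afTPq...\n",
    "CAA": '0 iodef "mailto:hostmaster@firc.de"\n0 issue "letsencrypt.org"\n',
}
```

`audit_zone(SAMPLE, parse_time("20171009000545"))` reports only CAA as broken, with the reason "no RRSIG in answer".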

@pfg and @sahsanu: Thank you both so much!
I’m letting Knot handle DNSSEC automatically.
Will have to investigate why RRSIG records are not created for CAA.
Very many thanks to you again, I wouldn’t have found this in 1000 years.

Just a quick edit to vindicate Knot:
Knot creates RRSIGs correctly, it’s the upstream nameservers that do not seem to propagate it.


Same here, my BIND manages DNSSEC, and I use inwx servers as slaves. If I compare my zone with the zone data visible in the inwx web interface, the RRSIG for CAA is lost. I was in contact with inwx, but the problem is still not resolved.

They do support CAA and DNSSEC, but not both at the same time.


They just told me the same thing.
What are alternatives? I’d like to keep my master-slave setup.
ClouDNS for 2 USD/month seems reasonable, but maybe there’s something better?

I decided to go without CAA records until inwx resolves this problem.

