Certificate renewal not working: DNS problem: SERVFAIL looking up CAA

I have reassigned one subdomain of my main domain to my private server at home.

In the past I had an IPv4 address for this machine, whose A record was updated with a DynDNS service from the hoster.

Now I have moved to a new ISP at home and only have an IPv6 address that is reachable from outside (dual-stack). This IP address changes from time to time. I am using a DynDNS service provider (dynv6.net) to get a “DynDNS domain” because my hoster does not provide this service for IPv6.

To access my home server I am not using the “DynDNS domain” from dynv6.net; I am using a subdomain of my “real domain”.

To reassign the subdomain to my home server I am using the “DynDNS domain”:
I linked my subdomain to my dynv6.net domain with a CNAME entry in the DNS.

Past: A record pointing to a reachable IPv4 address
Now: CNAME record to a domain of dynv6.net (which points to my reachable IPv6 address)

certbot is giving me the error “SERVFAIL looking up CAA” when I want to renew or create a certificate for my regular subdomain.
If I create/renew certificates directly for my dynv6.net domain I have no problems.

Who should I contact to fix the DNS problem? The hoster of my domain? Or is it a problem I caused with the DNS config (CNAME)?

Thanks for your advice!

Without knowing the real hostname, we can only guess unfortunately, but it sounds like your “real” subdomain isn’t working properly.

It isn’t necessary to provide a CAA record. The only thing Let’s Encrypt requires when it queries for a CAA record is a proper response, even if this is an NXDOMAIN response. Unfortunately, a SERVFAIL isn’t acceptable. This could be due to DNSSEC, but as I said before: without knowing and testing the real hostname, it’s just guessing. You could test your subdomain yourself with http://dnsviz.net and see if it gives any errors. Make sure you query for a CAA record too in the “Advanced” options!

Thanks for the answer.
I will check the domain later today.
I did this yesterday, but without enabling CAA :)

If there is an issue, I need to contact my hoster, correct?

If DNSViz shows errors which are problematic for the resolving of the CAA-record, you should contact your DNS provider.


OK, I checked all record types in the advanced options, but I see no CAA.
I am not a DNS expert :) The report shows one error:
http://dnsviz.net/d/abc.fmanet.de/dnssec/
Certainly this tells you something.
Thanks!

Well, the issue is the nameservers for fmanet.de, ns1.org-ns.com and ns2.org-ns.com. I don’t know who operates them, but that’s who you need to contact.

I don’t know how to test it with DNSViz, but you can use any other DNS client.

$ dig +norecurse abc.fmanet.de caa @ns1.org-ns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse abc.fmanet.de caa @ns1.org-ns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56914
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.fmanet.de.                 IN      CAA

;; Query time: 130 msec
;; SERVER: 212.144.99.185#53(212.144.99.185)
;; WHEN: Thu Mar 09 18:52:08 UTC 2017
;; MSG SIZE  rcvd: 31

$ dig +norecurse abc.fmanet.de caa @ns2.org-ns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse abc.fmanet.de caa @ns2.org-ns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48279
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;abc.fmanet.de.                 IN      CAA

;; Query time: 126 msec
;; SERVER: 92.79.61.10#53(92.79.61.10)
;; WHEN: Thu Mar 09 18:53:22 UTC 2017
;; MSG SIZE  rcvd: 31

$ dig +norecurse fmanet.de caa @ns1.org-ns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse fmanet.de caa @ns1.org-ns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2636
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fmanet.de.                     IN      CAA

;; Query time: 124 msec
;; SERVER: 212.144.99.185#53(212.144.99.185)
;; WHEN: Thu Mar 09 18:52:02 UTC 2017
;; MSG SIZE  rcvd: 27

$ dig +norecurse fmanet.de caa @ns2.org-ns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse fmanet.de caa @ns2.org-ns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 65135
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fmanet.de.                     IN      CAA

;; Query time: 128 msec
;; SERVER: 92.79.61.10#53(92.79.61.10)
;; WHEN: Thu Mar 09 18:55:34 UTC 2017
;; MSG SIZE  rcvd: 27

As Osiris said, you’re not required to have CAA records, but the nameserver has to give a valid response.

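To make the two points of this exchange concrete (a SERVFAIL is not an answer, while an empty NOERROR or an NXDOMAIN is; and the CA checks CAA at the name and every parent), here is a small Python model of a CA-side CAA check. It is an added illustration, not code from this thread, from Let’s Encrypt’s Boulder or from certbot. It rebuilds the 31-byte SERVFAIL reply shown in the dig output above from the wire format, and then runs the tree-climbing algorithm of RFC 6844 (now RFC 8659) against a stub resolver fed with constructed answers, so it runs offline; the zone data, the record values and the resolver interface are assumptions made for the example.

```python
"""Model of a CA-side CAA check, with the SERVFAIL case from this thread.

Added illustration; not code from the thread, from Let's Encrypt or from certbot.
The resolver is a stub fed with constructed answers so the script runs offline.
"""
import struct
from dataclasses import dataclass

TYPE_CAA = 257
CLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# A CAA lookup "succeeds" when the server answers at all: an empty NOERROR
# reply or NXDOMAIN both mean "no CAA here, look at the parent". SERVFAIL
# (like REFUSED, FORMERR or a timeout) is not an answer, and the CA must not guess.
ACCEPTABLE_RCODES = {0, 3}


def encode_name(name: str) -> bytes:
    """DNS wire-format owner name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_reply(qname: str, qtype: int, rcode: int, txn_id: int) -> bytes:
    """Reply carrying only the question section, as an authoritative server sends it.
    Flags: QR (response) and AA (authoritative); RD is clear because the
    query was sent with +norecurse, matching 'flags: qr aa' in the dig output."""
    flags = 0x8000 | 0x0400 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)  # qd=1, an=ns=ar=0
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


@dataclass
class Header:
    txn_id: int
    qr: bool
    aa: bool
    rcode: int
    ancount: int


def parse_header(msg: bytes) -> Header:
    """Decode the 12-byte DNS header; RCODE is the low nibble of the flags word."""
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return Header(txn_id, bool(flags & 0x8000), bool(flags & 0x0400), flags & 0xF, an)


@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str


@dataclass
class Decision:
    may_issue: bool
    reason: str


def caa_permits(hostname: str, ca_identity: str, resolve) -> Decision:
    """Tree-climbing CAA check: ask for CAA at the name, then at each parent
    up to the TLD, stopping at the first non-empty RRset. `resolve(name)`
    returns (rcode, [CaaRecord]) after the resolver has already followed any
    CNAME, the way a recursive resolver does (assumed interface)."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, records = resolve(name)
        if rcode not in ACCEPTABLE_RCODES:
            # Same wording as the certbot error quoted in the thread.
            return Decision(False, f"{RCODES.get(rcode, rcode)} looking up CAA for {name}")
        if records:
            issue_values = [r.value for r in records if r.tag == "issue"]
            if not issue_values:
                return Decision(True, f"CAA at {name} has no issue tag; issuance not restricted")
            # The issuer domain may carry parameters: 'letsencrypt.org; validationmethods=dns-01'.
            allowed = {v.split(";", 1)[0].strip() for v in issue_values}
            if ca_identity in allowed:
                return Decision(True, f"CAA at {name} permits {ca_identity}")
            return Decision(False, f"CAA at {name} does not permit {ca_identity}")
    return Decision(True, "no CAA records at any level; issuance not restricted")


def make_resolver(zone: dict):
    """Stub resolver over constructed data; unlisted names answer NXDOMAIN, no data."""
    return lambda name: zone.get(name, (3, []))


# Constructed scenarios (not real DNS data).
# 1. The thread's failure: both zone levels answer SERVFAIL.
BROKEN = make_resolver({"abc.fmanet.de": (2, []), "fmanet.de": (2, [])})
# 2. After the fix: the CNAME is followed to the DynDNS name, which answers
#    NOERROR with no CAA records, so the climb continues and ends cleanly.
FIXED = make_resolver({"abc.fmanet.de": (0, []), "fmanet.de": (0, []), "de": (0, [])})
# 3. A CAA record at the apex naming one issuer (assumed value).
RESTRICTED = make_resolver({
    "abc.fmanet.de": (0, []),
    "fmanet.de": (0, [CaaRecord(0, "issue", "letsencrypt.org")]),
})

if __name__ == "__main__":
    # The 31-byte SERVFAIL reply from the thread ("MSG SIZE rcvd: 31"), rebuilt.
    reply = build_reply("abc.fmanet.de", TYPE_CAA, 2, 56914)
    print(len(reply), parse_header(reply))
    for label, resolver in (("broken", BROKEN), ("fixed", FIXED), ("restricted", RESTRICTED)):
        print(label, caa_permits("abc.fmanet.de", "letsencrypt.org", resolver))
```

The message sizes come out exactly as dig reported them (31 bytes for abc.fmanet.de, 27 for fmanet.de, 28 for org-ns.com), which is the point of an empty SERVFAIL reply: the header says RCODE 2 and nothing follows but the echoed question. The real check runs through a validating recursive resolver, so a DNSSEC failure surfaces to the CA as the same SERVFAIL; that is why the advice above is to look at DNSViz before blaming certbot.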

Thanks guys!!
I will contact my hoster and open a ticket.

My hoster is operating the DNS.
I think they will not accept this as an issue of their DNS.
For the websites they are hosting they offer Let’s Encrypt certificates. And these certificates are renewed without problems.
Therefore they see it as an issue on my server.

As I have access to the DNS configuration of my domain, can I just replace the NS records with a DNS server providing a correct answer to the query, or is my idea nonsense? :)

The issue is precisely the two DNS servers. Nothing more and nothing less.

It's not specific to the fmanet.de zone.

Using their own domain, and some other domain I found via a search, as examples:

[Warning: I did not check if those domains host websites, or if any such websites are appropriate.]

$ dig +norecurse org-ns.com caa @ns1.org-ns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse org-ns.com caa @ns1.org-ns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55773
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;org-ns.com.                    IN      CAA

;; Query time: 129 msec
;; SERVER: 212.144.99.185#53(212.144.99.185)
;; WHEN: Fri Mar 10 08:52:17 UTC 2017
;; MSG SIZE  rcvd: 28

$ dig +norecurse akaiku.com caa @ns2.org-ns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse akaiku.com caa @ns2.org-ns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 39332
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;akaiku.com.                    IN      CAA

;; Query time: 128 msec
;; SERVER: 92.79.61.10#53(92.79.61.10)
;; WHEN: Fri Mar 10 08:54:01 UTC 2017
;; MSG SIZE  rcvd: 28

If they think they can issue Let's Encrypt certificates for any domain using those nameservers they've got another think coming. :neutral_face:

(Let's Encrypt did not always require valid responses to CAA queries. It may be possible that they have some cached authorizations that predate the requirement, or that Let's Encrypt maintains a whitelist of broken domains. I'm unsure of the exact details.)

You would have to completely switch to a different DNS provider. I don't know if your hosting company allows that. Some of them demand full DNS control (which, to be fair, makes their service easier to configure and use).


I have not yet got an answer from my hoster, but today I could run certbot without getting the error.
I also updated certbot to 0.12.
So I am not sure what fixed the issue: the DNS admin or certbot :)
Thanks for your help!


Probably the DNS, because the authoritative DNS servers for abc.fmanet.de now reply to the CAA query with a CNAME, and your DynDNS DNS server answers without an answer but also without an error, which is fine.
