I have reassigned one subdomain of my main domain to my private server at home.
In the past I had an IPv4 address for this machine, whose A record was updated with a DynDNS service from the hoster.
Now I have moved to a new ISP at home and only have an IPv6 address that is reachable from outside (dual-stack). This IP address changes from time to time. I am using a DynDNS service provider (dynv6.net) to get a “DynDNS domain” because my hoster does not provide this service for IPv6.
To access my home server I am not using the “DynDNS domain” from dynv6.net; I am using a subdomain of my “real domain”.
To reassign the subdomain to my home server I am using the “DynDNS domain”:
I linked my dynv6.net domain to my subdomain with a CNAME entry in the DNS.
Past: A record pointing to a reachable IPv4 address
Now: CNAME record pointing to a domain of dynv6.net (which is linked to my reachable IPv6 address)
certbot is giving me the error “SERVFAIL looking up CAA” when I want to renew or create a certificate for my regular subdomain.
If I create/renew certificates directly for my dynv6.net domain I have no problems.
Who should I contact to fix the DNS problem? The hoster of my domain? Or is it a problem I caused with the DNS config (CNAME)?
Without knowing the real hostname, we can only guess unfortunately, but it sounds like your “real” subdomain isn’t working properly.
It isn’t necessary to provide a CAA record. The only thing Let’s Encrypt requires when it queries for a CAA record is a proper response, even if this is a NXDOMAIN response. Unfortunately, a SERVFAIL isn’t acceptable. This could be due to DNSSEC, but as I said before: without knowing and testing the real hostname, it’s just guessing. You could test your subdomain yourself with: http://dnsviz.net and see if it gives any errors. Make sure you query for a CAA record too in the “Advanced” options!
OK, I checked all record types in the advanced options, but I see no CAA.
I am not a DNS expert. The report shows one error: http://dnsviz.net/d/abc.fmanet.de/dnssec/
Certainly this tells you something.
Thanks!
Well, the issue is the nameservers for fmanet.de, ns1.org-ns.com and ns2.org-ns.com. I don’t know who operates them, but that’s who you need to contact.
I don’t know how to test it with DNSViz, but you can use any other DNS client.
My hoster is operating the DNS.
I think they will not accept this as an issue of their DNS.
For the websites they are hosting they offer Let's Encrypt certificates, and these certificates are renewed without problems.
Therefore they see it as an issue on my server.
As I have access to the DNS configuration of my domain, can I just replace the NS records with a DNS server providing a correct answer to the query, or is my idea nonsense?
If they think they can issue Let's Encrypt certificates for any domain using those nameservers they've got another think coming.
(Let's Encrypt did not always require valid responses to CAA queries. It may be possible that they have some cached authorizations that predate the requirement, or that Let's Encrypt maintains a whitelist of broken domains. I'm unsure of the exact details.)
You would have to completely switch to a different DNS provider. I don't know if your hosting company allows that. Some of them demand full DNS control (which, to be fair, makes their service easier to configure and use).
I have not yet got an answer from my hoster, but today I could run certbot without getting the error.
I also updated certbot to 0.12.
So I am not sure what fixed the issue: the DNS admin or certbot.
Thanks for your help!
Probably the DNS, because the authoritative DNS servers for abc.fmanet.de now reply with a CNAME to the CAA query and your DynDNS DNS server answers without an answer, but also without an error, which is fine.
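The CAA lookup rule described in the replies above (an NXDOMAIN or an empty NOERROR answer is acceptable, a SERVFAIL anywhere in the chain aborts issuance) modelled as an added example; this is not code from this thread, from Let's Encrypt, certbot or dynv6. It runs the RFC 8659 lookup walk (chase the CNAME, then climb the parents of the queried name until a CAA set is found) against constructed in-memory zone data instead of live DNS. The names home.example.com and host.dynv6.example and the replies they return are placeholders standing in for the thread's "before" and "after" states:

```python
"""CAA pre-issuance check (RFC 8659 section 3) over a stub resolver.

Added example for this thread; not Let's Encrypt, certbot or dynv6 code.
All zone data below is constructed; names are placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


@dataclass
class Reply:
    rcode: str
    cname: Optional[str] = None              # alias target when the name is a CNAME
    caa: list = field(default_factory=list)  # CAA RRs as "flags tag value" strings


def resolve_caa(zone: dict, name: str, max_hops: int = 8) -> Reply:
    """Stub resolver: answer the CAA query for `name`, chasing CNAMEs the way a
    recursive resolver would. Names absent from the zone data get NXDOMAIN."""
    for _ in range(max_hops):
        reply = zone.get(name, Reply(NXDOMAIN))
        if reply.rcode != NOERROR or reply.cname is None:
            return reply
        name = reply.cname
    return Reply(SERVFAIL)  # CNAME loop or chain too long


def relevant_caa(zone: dict, fqdn: str):
    """Walk from the FQDN up to (not including) the root and stop at the first
    non-empty CAA set. Returns (ok, records, note).
    NXDOMAIN or an empty NOERROR answer means "no CAA here, keep climbing";
    SERVFAIL at any step aborts the whole check, which is what certbot reports."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        reply = resolve_caa(zone, name)
        if reply.rcode == SERVFAIL:
            return False, [], f"SERVFAIL looking up CAA for {name}"
        if reply.rcode == NOERROR and reply.caa:
            return True, list(reply.caa), f"CAA set taken from {name}"
    return True, [], "no CAA record in the tree; any CA may issue"


def issuance_allowed(records, ca: str = "letsencrypt.org") -> bool:
    """Apply the 'issue' tags: no issue tags means any CA may issue; otherwise
    the CA must be listed (a bare ';' value forbids every CA)."""
    issue_values = [r.split(None, 2)[2].strip()
                    for r in records if r.split(None, 2)[1] == "issue"]
    if not issue_values:
        return True
    # Parameters after ';' (e.g. validationmethods) are ignored here.
    return any(v.split(";")[0].strip() == ca for v in issue_values)


def check(zone: dict, fqdn: str, ca: str = "letsencrypt.org"):
    """Combine the lookup walk and the issue-tag policy for one hostname."""
    ok, records, note = relevant_caa(zone, fqdn)
    return ok and issuance_allowed(records, ca), note


# Constructed "before" state: the authoritative server for the real domain
# answers the CAA query on the CNAME'd subdomain with SERVFAIL.
BROKEN = {
    "home.example.com.": Reply(SERVFAIL),
    "example.com.": Reply(NOERROR),
}

# Constructed "after" state from the last reply: the CAA query on the subdomain
# returns the CNAME, the DynDNS side answers NOERROR with no data, and the
# zone apex carries a CAA record permitting Let's Encrypt.
FIXED = {
    "home.example.com.": Reply(NOERROR, cname="host.dynv6.example."),
    "host.dynv6.example.": Reply(NOERROR),  # NODATA: acceptable, keep climbing
    "example.com.": Reply(NOERROR, caa=["0 issue letsencrypt.org"]),
    "com.": Reply(NOERROR),
}

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check(zone, "home.example.com."))
```

The walk climbs the parents of the name that was queried, not the parents of the CNAME target, which is the RFC 8659 behaviour; so a CAA record at the DynDNS provider's zone apex would not be consulted here, while one at the real domain's apex is. Replacing the stub `resolve_caa` with real queries (for instance `dig CAA <name>` per step) turns this into the same diagnostic DNSViz performs when asked for CAA.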