Custom DNS Server causing SERVFAIL during cert generation

I am developing my own DNS server. When generating certificates, the following DNS problem occurs: SERVFAIL looking up A for domain name - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for domain name - the domain's nameservers may be malfunctioning

The DNS server processes the requests that are sent to generate the certificate.

All required records for the domain exist and are available.

Code for creating records:
    from dnslib import A, AAAA, CNAME, NS, SOA  # record classes used below (dnslib assumed)

    soa_record = SOA(
        mname="ns1",
        rname="ns2",      # rname is the zone contact mailbox, written as a DNS name
        times=(
            2023010101,   # serial number
            3600,         # refresh
            600,          # retry
            86400,        # expire
            3600          # minimum / negative-cache TTL
        )
    )

    ns_records = [NS("ns1"), NS("ns2")]  # closing quote on "ns2" was missing

    # domain and IP are assumed to be plain strings defined earlier
    records = {
        domain: [A(IP), AAAA((0,) * 16), soa_record] + ns_records,
        f"www.{domain}": [CNAME(domain)],
        f"ns1.{domain}": [A(IP)],
        f"ns2.{domain}": [A(IP)],
    }

    dns_records[domain] = [records] + [ns_records] + [soa_record]

What could be the problem?

It's going to be hard to diagnose without knowing the actual domain name. If you don't want to post it here, but are willing to share it with online Internet tools, you might want to try out DNSViz, the ISC EDNS Compliance Tool, and Unboundtest.

In general, building a proper standards-compliant DNS service is much more difficult than people expect. There are a lot of corner cases, and you need to present the expected result for both correct queries as well as errors. (And it gets even more complex if you want to implement DNSSEC, which you really should.)


This looks very similar to an issue we ran into a few weeks ago -- the solution was to update our nameserver implementation to be more in-spec.

https://community.letsencrypt.org/t/potential-networking-client-changes-on-dns-challenges/207967

