DNS-01: NXDOMAIN due to querying wrong name server

We acquire certificates for hosts in our domain, gnwkservices.com, using DNS-01. The domain has two NS RRs, ns1.gnwkservices.com and ns2.gnwkservices.com; however, in order to reduce the risk of accidentally breaking the main zone file, we have configured individual _acme-challenge.foo.gnwkservices.com zones which are used to handle ACME challenges, and these zones only declare one NS, ns1.gnwkservices.com.

Overall name resolution seems to work fine, querying a challenge zone from the root level always correctly directs the client to ns1.gnwkservices.com. Unfortunately when it comes to DNS-01, once in a while we get something along the lines of

DNS problem: NXDOMAIN looking up TXT for _acme-challenge.comet.gnwkservices.com

instead, especially for hosts with many aliases. Having run a query trace on both ns1 and ns2, it would appear the problem is that ACME servers ignore the fact _acme-challenge domains are only provided by ns1 and attempt to distribute queries between ns1 and ns2.

A bug on the ACME-server side, perhaps?

At the moment, ns1.gnwkservices.com. knows there’s a _acme-challenge.comet.gnwkservices.com. zone, but ns2.gnwkservices.com. doesn’t.

If a resolver happens to query ns2 first, it just gets an NXDOMAIN from gnwkservices.com., not a referral to ns1.

$ dig +dnssec +norecurse _acme-challenge.comet.gnwkservices.com txt @ns2.gnwkservices.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec +norecurse _acme-challenge.comet.gnwkservices.com txt @ns2.gnwkservices.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57276
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.comet.gnwkservices.com.        IN TXT

;; AUTHORITY SECTION:
gnwkservices.com.       1800    IN      SOA     ns1.gnwkservices.com. root.ns1.gnwkservices.com. 2018032302 3600 1800 86400 7200

;; Query time: 153 msec
;; SERVER: 109.234.57.172#53(109.234.57.172)
;; WHEN: Tue Apr 24 09:25:00 UTC 2018
;; MSG SIZE  rcvd: 112

The gnwkservices.com. zone needs a delegating NS record at every zone cut. E.g.:

_acme-challenge.comet                   NS      ns1
_acme-challenge.foo                     NS      ns1

etc.


http://dnsviz.net/d/_acme-challenge.comet.gnwkservices.com/dnssec/

There’s also a mismatch in the nameserver set that the registry knows about vs. what your nameservers know about, as well as a glue problem. These are not the cause for your current problem, but you might want to fix them anyway.

Generally, all nameservers that are the target of a delegation must serve the same zone contents. In your case, .com delegates gnwkservices.com to your two nameservers, so they must serve the same zone, including any further delegations. You’re free to delegate sublabels to a single nameserver, but that delegation must exist in all nameservers that are responsible for gnwkservices.com.

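The consistency rule from the reply above, as an added example that is not part of the thread: each server's copy of the parent zone is modelled as a constructed dict (names mirror the thread, record data is made up), the checker reports zone cuts that any server lacks, and a small simulation shows why the server without the NS record answers NXDOMAIN instead of a referral.

```python
# Added example, not code from the thread. Zone contents are constructed;
# only the domain names are taken from the discussion.

PARENT = "gnwkservices.com."

# ns1 carries the delegations for the per-host challenge zones.
NS1_ZONE = {
    PARENT: {"NS": ["ns1.gnwkservices.com.", "ns2.gnwkservices.com."]},
    "comet.gnwkservices.com.": {"A": ["192.0.2.10"]},
    "_acme-challenge.comet.gnwkservices.com.": {"NS": ["ns1.gnwkservices.com."]},
    "_acme-challenge.foo.gnwkservices.com.": {"NS": ["ns1.gnwkservices.com."]},
}
# ns2 serves the parent zone without the delegating NS records.
NS2_ZONE = {
    PARENT: {"NS": ["ns1.gnwkservices.com.", "ns2.gnwkservices.com."]},
    "comet.gnwkservices.com.": {"A": ["192.0.2.10"]},
}


def zone_cuts(zone):
    """Owner names below the apex that carry NS records (delegation points)."""
    return {name for name, rrs in zone.items() if name != PARENT and "NS" in rrs}


def missing_delegations(views):
    """Map server -> zone cuts it lacks, relative to the union over all servers."""
    all_cuts = set().union(*(zone_cuts(z) for z in views.values()))
    result = {}
    for srv, zone in views.items():
        lacking = sorted(all_cuts - zone_cuts(zone))
        if lacking:
            result[srv] = lacking
    return result


def answer(zone, qname, qtype):
    """Rcode a server gives from its parent-zone view: a referral when qname is
    at or below a known cut, NOERROR for names it holds, otherwise NXDOMAIN."""
    for cut in zone_cuts(zone):
        if qname == cut or qname.endswith("." + cut):
            return ("REFERRAL", zone[cut]["NS"])
    if qname in zone:
        return ("NOERROR", zone[qname].get(qtype, []))
    return ("NXDOMAIN", [])


if __name__ == "__main__":
    views = {"ns1": NS1_ZONE, "ns2": NS2_ZONE}
    print(missing_delegations(views))
    for srv, zone in views.items():
        print(srv, answer(zone, "_acme-challenge.comet.gnwkservices.com.", "TXT"))
```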
