DNS-01 validation getting "Correct value not found for DNS challenge"

Ah, this wasn't clear from your original message; I assumed ARSoft.Tools.Net was an established tool. I'm afraid Let's Encrypt staff aren't able to help you debug your DNS server, though you're welcome to keep talking it through with other forum members if you like. I will mention that I noticed different results at different times. For instance, sometimes dig will show me a single NS record, and sometimes dig will show me several:

$ dig TXT _acme-challenge.test-acme-dns-verification.suav.ec

; <<>> DiG 9.10.3-P4-Ubuntu <<>> TXT _acme-challenge.test-acme-dns-verification.suav.ec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.test-acme-dns-verification.suav.ec. IN TXT

;; ANSWER SECTION:
_acme-challenge.test-acme-dns-verification.suav.ec. 157 IN TXT "nSJOheM3ZP1F9UXtImAWjHdNKK5-Z9jc51bo1wpCzVA"

;; AUTHORITY SECTION:
suav.ec.                129453  IN      NS      suav.ec.
suav.ec.                129453  IN      NS      ns4.suav.ec.
suav.ec.                129453  IN      NS      ns2.suav.ec.
suav.ec.                129453  IN      NS      ns3.suav.ec.

;; ADDITIONAL SECTION:
suav.ec.                129453  IN      A       54.76.42.38
ns3.suav.ec.            129453  IN      A       54.76.42.38
ns2.suav.ec.            129453  IN      A       54.76.42.38
ns4.suav.ec.            129453  IN      A       54.76.42.38

;; Query time: 8 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Oct 05 09:16:01 PDT 2017
;; MSG SIZE  rcvd: 267

Also, intentionally misspelling a record returns a seemingly related SPF record, which seems like an indicator of brokenness.

$ dig TXT _acme-challenge.xxxtest-acme-dns-verification.suav.ec

; <<>> DiG 9.10.3-P4-Ubuntu <<>> TXT _acme-challenge.xxxtest-acme-dns-verification.suav.ec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28354
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.xxxtest-acme-dns-verification.suav.ec. IN TXT

;; ANSWER SECTION:
_acme-challenge.xxxtest-acme-dns-verification.suav.ec. 1800 IN TXT "v=spf1 a include:spf.efwd.registrar-servers.com ~all"

;; AUTHORITY SECTION:
suav.ec.                129382  IN      NS      ns4.suav.ec.
suav.ec.                129382  IN      NS      ns3.suav.ec.
suav.ec.                129382  IN      NS      ns2.suav.ec.
suav.ec.                129382  IN      NS      suav.ec.

;; ADDITIONAL SECTION:
suav.ec.                129382  IN      A       54.76.42.38
ns3.suav.ec.            129382  IN      A       54.76.42.38
ns2.suav.ec.            129382  IN      A       54.76.42.38
ns4.suav.ec.            129382  IN      A       54.76.42.38

;; Query time: 164 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Thu Oct 05 09:17:12 PDT 2017
;; MSG SIZE  rcvd: 279

Lastly, I'd recommend taking the config from https://unboundtest.com/ and running your own local Unbound server so you can easily test the behavior of your bespoke authoritative DNS server against a popular recursive resolver.

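To make the failure mode in this reply concrete, here is an added example (not code from the thread, the poster, or Let's Encrypt) that computes the TXT value an ACME CA looks for in a DNS-01 challenge (RFC 8555 section 8.4, with the RFC 7638 account-key thumbprint) and then applies the CA's check to a set of TXT answers, together with the two sanity checks the reply suggests: a deliberately misspelled sibling name must return no data, and the NS RRset must be identical from one query to the next. The account key, token, identifier and the "observed" answers are all constructed for illustration; the JWK coordinates are placeholder base64url strings, not a real P-256 point.

```python
"""Added example: DNS-01 expected value plus the checks a CA (or you) can run
over observed TXT answers. All inputs below are constructed."""
from __future__ import annotations

import base64
import hashlib
import json

# Constructed inputs (placeholder JWK coordinates, arbitrary ACME-style token).
IDENTIFIER = "test-acme-dns-verification.example.test"
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no
    whitespace, SHA-256. Optional members such as alg or kid are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The record the CA looks for: base64url(SHA-256(token "." thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def check_dns01(identifier: str, token: str, jwk: dict,
                observed: dict[str, list[str]]) -> tuple[bool, list[str]]:
    """observed maps an owner name to the TXT strings a resolver returned for
    it (an empty list stands for NXDOMAIN or NODATA). Returns (ok, findings)."""
    findings = []
    name = f"_acme-challenge.{identifier}"
    expected = dns01_txt_value(token, jwk)
    answers = observed.get(name, [])
    # What the CA checks: some TXT string at the challenge name equals the expected value.
    if expected not in answers:
        findings.append(f"Correct value not found for DNS challenge at {name}: "
                        f"expected {expected}, got {answers or 'no TXT records'}")
    # Sanity check from the reply: a misspelled sibling label must return no
    # data. A server that answers it with another record (here the zone's SPF
    # TXT) matches names too loosely, so the real name may get a wrong answer too.
    canary = f"_acme-challenge.xxx{identifier}"
    if observed.get(canary):
        findings.append(f"{canary} should not exist but returned TXT {observed[canary]}")
    return (not findings, findings)


def ns_rrsets_consistent(samples: list[set[str]]) -> bool:
    """True if every observed NS RRset for the zone is identical. One NS in
    one answer and four in the next means the server is not returning the
    zone's data deterministically."""
    return len({frozenset(s) for s in samples}) <= 1


def observed_good() -> dict[str, list[str]]:
    """Constructed answers from a correctly configured zone."""
    return {f"_acme-challenge.{IDENTIFIER}": [dns01_txt_value(TOKEN, JWK)],
            f"_acme-challenge.xxx{IDENTIFIER}": []}


# Constructed answers mimicking the broken behaviour in the reply: both the
# real name and the misspelled one come back with the zone's SPF record.
OBSERVED_BROKEN = {
    f"_acme-challenge.{IDENTIFIER}": ["v=spf1 a ~all"],
    f"_acme-challenge.xxx{IDENTIFIER}": ["v=spf1 a ~all"],
}

if __name__ == "__main__":
    for label, obs in (("good", observed_good()), ("broken", OBSERVED_BROKEN)):
        ok, findings = check_dns01(IDENTIFIER, TOKEN, JWK, obs)
        print(label, "ok" if ok else "FAIL", *findings, sep="\n  ")
    print("NS consistent:", ns_rrsets_consistent(
        [{"ns2.example.test", "ns3.example.test"}, {"ns2.example.test"}]))
```

To use this against a real zone, fill the observed mapping from queries sent directly to each authoritative server (dig @ns2.example.test TXT ...) rather than through a cache, and query the canary name the same way; if the canary returns data, or the NS answers differ between servers or between runs, the server will have to be fixed before the CA's check can be expected to pass.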