DNS-based Authentication fails


#1

At first, I was just trying to get a cert for one of my subdomains running Server 2012 R2. I couldn’t get anything to play nice with IIS (I used win-simple and Certify to no avail) even though I could view the challenge in my browser. I was then informed that the DNS-based challenge has been implemented.

I am currently using https://github.com/Neilpang/le to create the request, as well as implement the TXT records. I have verified the TXT files exist in Cloudflare, as well as through dig:

[root@fedora ~]# dig @8.8.8.8 TXT _acme-challenge.rikairchy.net

; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> @8.8.8.8 TXT _acme-challenge.rikairchy.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40246
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_acme-challenge.rikairchy.net. IN      TXT

;; ANSWER SECTION:
_acme-challenge.rikairchy.net. 299 IN   TXT     "XB_dujLqddWxbzk9EeW3CLYx5zdf32AOKCFYBzwIvoM"

;; Query time: 42 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Mar 20 02:52:35 EDT 2016
;; MSG SIZE  rcvd: 114

But I still receive the following error:

rikairchy.net:Verify error:DNS problem: SERVFAIL looking up TXT for _acme-challenge.rikairchy.net

Any ideas why this may be?


#2

Turns out the issue was a result of a DNSSEC issue. I turned off DNSSEC with my registrar and unsigned the zones. I let a few hours pass to test propagation and I now have a certificate!
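A reproducible way to tell this failure mode apart from a genuinely missing record, as an added example that is not part of the original thread: ACME validators use a DNSSEC-validating resolver, so a broken signature chain yields SERVFAIL even when the TXT record exists. Querying once normally and once with the CD (checking disabled) bit separates the two cases; the sample dig headers below are constructed, and the resolver address in `check_acme_txt` is an assumption.

```shell
#!/bin/sh
# Classify why a DNS-01 TXT lookup SERVFAILs, using two dig responses:
#   SERVFAIL normally but NOERROR with +cd  => DNSSEC validation failure (bogus chain)
#   SERVFAIL both ways                      => zone/authoritative server problem
#   NOERROR both ways                       => record resolves; the cause lies elsewhere

# Extract the rcode ("NOERROR", "SERVFAIL", ...) from dig output read on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# $1 = dig output of the normal query, $2 = dig output of the same query with +cd.
classify_lookup() {
    normal_rc=$(printf '%s\n' "$1" | dig_status)
    cd_rc=$(printf '%s\n' "$2" | dig_status)
    if [ "$normal_rc" = "SERVFAIL" ] && [ "$cd_rc" = "NOERROR" ]; then
        echo "dnssec-bogus"
    elif [ "$normal_rc" = "SERVFAIL" ]; then
        echo "servfail-both"
    elif [ "$normal_rc" = "NOERROR" ]; then
        echo "ok"
    else
        echo "other:$normal_rc"
    fi
}

# Live check (needs network and dig). Resolver defaults to 8.8.8.8, an assumption;
# any DNSSEC-validating resolver works.
check_acme_txt() {
    name="_acme-challenge.$1"
    resolver="${2:-8.8.8.8}"
    classify_lookup "$(dig @"$resolver" TXT "$name" +dnssec)" \
                    "$(dig @"$resolver" TXT "$name" +dnssec +cd)"
}

# Constructed sample headers mimicking the two dig runs for a zone with bad signatures.
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

classify_lookup "$SAMPLE_NORMAL" "$SAMPLE_CD"   # prints "dnssec-bogus"
```

Run `check_acme_txt example.net` against a live zone; a `dnssec-bogus` result means the DS/DNSKEY chain at the registrar or signer needs fixing (or, as in the thread, DNSSEC disabled) before the CA's resolver will return the TXT record.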