DNS failing only for letsencrypt, but not others

My domain is: fettlz.com

I ran this command:

cpan Protocol::ACME module is being used and verified to work for other domains.

It produced this output:

“DNS problem: SERVFAIL looking up A for www.fettlz.com

We have tried requesting a cert for this domain for a few days now and have verified that the DNS is setup and working fine for this domain, yet from the letsencrypt side, the DNS appears to be failing.

Nameservers for this domain are ns1.mywahosting.com and ns2.mywahosting.com

dig @ns1.mywahosting.com fettlz.com
dig @ns2.mywahosting.com fettlz.com

shows no issues.

Hi @nichemarketing

you have A entries ( https://check-your-website.server-daten.de/?q=fettlz.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
fettlz.com A 54.197.229.239 yes 1 0
AAAA yes
www.fettlz.com A 54.197.229.239 yes 1 0
AAAA yes

But your DNSSEC is invalid. Critical invalid.

fettlz.com 1 DS RR in the parent zone found
1 RRSIG RR to validate DS RR found
Algorithm: 8, 2 Labels, original TTL: 86400 sec, Signature-expiration: 20.05.2019, 05:29:22, Signature-Inception: 13.05.2019, 04:19:22, KeyTag 3800, Signer-Name: com
• Status: Good - Algorithmus 8 and DNSKEY with KeyTag 3800 used to validate the DS RRSet in the parent zone
0 DNSKEY RR found
Fatal error: Parent zone has a signed DS RR (Algorithm 8, KeyTag 2716, DigestType 2, Digest XI8Tv3rf0x5rbtaiEHAIM3zHNBVYBMsIwLz/X7LC9nA=), but the destination DNSKEY doesn’t exist or doesn’t validate the DNSKEY RR set. No chain of trust created.

The parent zone (the com zone) has a DS RR, that says: ~~ “DNSSEC is configured”.

But there is no DNSKEY with the values of the parent DS, so your zone isn’t signed.

That’s a fatal error, so your ip addresses aren’t signed, so they are invalid.

So Letsencrypt can’t find a valid ip address.

Fix your DNSSEC or remove the DS in the parent zone. But fixing is better, DNSSEC is a great feature.

PS: Your nameservers are terrible:

X Fatal error: Nameserver isn’t defined or has timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns1.mywahosting.com: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 107.21.5.109:53
X Fatal error: Nameserver doesn’t support TCP connection: ns1.mywahosting.com / 107.21.5.109: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 107.21.5.109:53
X Fatal error: Nameserver doesn’t support TCP connection: ns2.mywahosting.com: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 107.23.117.42:53
X Fatal error: Nameserver doesn’t support TCP connection: ns2.mywahosting.com / 107.23.117.42: Fatal error - no NameServer IP-Address or connection. Details: One or more errors occurred. - No connection could be made because the target machine actively refused it 107.23.117.42:53

Authoritative nameservers must support TCP-connections.

Looks like there is no DNSSEC validation.


PS: My internet provider (Deutsche Telekom) uses a validating Nameserver.

So I can’t visit your website: Site not found.

A wrong DNSSEC blocks users with validating nameservers, that’s good.

2 Likes

OK. I’m curious why you think it is necessary for my nameserver to listen on TCP.

Autsj, a whole lot of errors: http://dnsviz.net/d/www.fettlz.com/dnssec/

I’m pretty sure that if your DNS issues are fixed, getting a certificate will go without a hitch. This obviously is where DNSSEC is for. Let’s Encrypt, if implemented somewhere in the DNS query path, will enforce DNSSEC and with good reason. DNS poisoning/spoofing is a method to get a certificate illegitimate.

1 Like

It is now clear what happened. The owner of this domain recently changed nameservers and now the new nameservers do not have the DNSSEC keys setup. Thanks for your help.

In short, because it’s now required by the various RFCs that define the DNS protocol.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.