DNS mystery in http-01 :)

My domain is: oportunidadesprofesionales.fomentosansebastian.eus

do you have any idea of what may be the problem with this DNS entry?

I thought maybe it was a lengthy one, but I have created a longer one in another domain and verification works as expected

I ran this command: certbot --nginx -d oportunidadesprofesionales.fomentosansebastian.eus

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for oportunidadesprofesionales.fomentosansebastian.eus
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. oportunidadesprofesionales.fomentosansebastian.eus (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for oportunidadesprofesionales.fomentosansebastian.eus - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for oportunidadesprofesionales.fomentosansebastian.eus - the domain's nameservers may be malfunctioning

My web server is (include version): Nginx 1.14.2

The operating system my web server runs on is (include version): Debian 10.12

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Does this happen every time?

https://unboundtest.com/m/A/oportunidadesprofesionales.fomentosansebastian.eus/LRDF5Y5E

1 Like

grazie @9peppe,

yes. it happens every time with this domain

I did not know about https://unboundtest.com/ thank you!

the problem seems to be unbound "throwing away" the NS response:

info: response for oportunidadesprofesionales.fomentosansebastian.eus. A IN
info: reply from <fomentosansebastian.eus.> 185.192.223.10#53
info: query response was THROWAWAY

on the other hand, other recursive DNS clients, like dig +trace oportunidadesprofesionales.fomentosansebastian.eus, do not have any issues with it

1 Like

All four of your authoritative nameservers seem to be sending SERVFAIL errors when asked to resolve the primary domain name:

>dig oportunidadesprofesionales.fomentosansebastian.eus @185.192.223.10 +norecurse

; <<>> DiG 9.16.20 <<>> oportunidadesprofesionales.fomentosansebastian.eus @185.192.223.10 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52426
;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;oportunidadesprofesionales.fomentosansebastian.eus. IN A

;; Query time: 12 msec
;; SERVER: 185.192.223.10#53(185.192.223.10)
;; WHEN: Fri May 13 08:51:30 Pacific Daylight Time 2022
;; MSG SIZE  rcvd: 79
3 Likes

@rmbolger No they don't, at least not for me:

osiris@erazer ~ $ dig oportunidadesprofesionales.fomentosansebastian.eus @185.192.223.10 +norecurse

; <<>> DiG 9.16.22 <<>> oportunidadesprofesionales.fomentosansebastian.eus @185.192.223.10 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15641
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;oportunidadesprofesionales.fomentosansebastian.eus. IN A

;; ANSWER SECTION:
oportunidadesprofesionales.fomentosansebastian.eus. 300	IN A 142.132.168.169

;; Query time: 103 msec
;; SERVER: 185.192.223.10#53(185.192.223.10)
;; WHEN: Fri May 13 18:57:58 CEST 2022
;; MSG SIZE  rcvd: 95

osiris@erazer ~ $ 
2 Likes

Weird. Some sort of DNS firewall in place? They're all very consistent for me.

2 Likes

Just to add another data point, it looks fine from where I am testing as well (which is a VM in AWS's us-east-1 region), at least right now.

So either the problem has been fixed, or the DNS server is sending different responses to different people.

3 Likes


thanks for your help

DNS problem: SERVFAIL looking up A for oportunidadesprofesionales.fomentosansebastian.eus - the domain's nameservers may be malfunctioning persists

I have installed unbound and set it up per https://unboundtest.com/conf, and it resolves as expected from where I stand. so it is not unbound related, but a DNS server or network issue.

the weird thing is the "mail." zone in the same DNS servers has no issues with Let's Encrypt DNS client. no problems with the test https://unboundtest.com/m/A/mail.fomentosansebastian.eus/SKUIYGLA either

I can confirm that at least from my vantagepoint, mail does resolve correctly against the individual dinahosting nameservers. But oportunidadesprofesionales continues to give SERVFAIL errors. So so weird.

They're both just plain A records in the zone, right? One's not a sub-zone or something? Can you post a screenshot of the DNS record view at the provider?

2 Likes

Can it be an FQDN length issue?
Not, per se, within DNS itself, but maybe within some IPS DNS protection...?

1 Like

it was indeed an issue with the length of the DNS name. we will just use a shorter one

still do not know what kind of IPS DNS is causing this length-related issue. it will remain a mystery, I guess 🙂

thank you all for your support

2 Likes

I'm glad my crystal ball helped you figure this one out - LOL

2 Likes

I'm confused. If it was just a length issue, shouldn't resolution have been broken for everyone rather than only some?

2 Likes

Only those that exceeded the length limit.

Actual limit unknown at this time, but presumed less than:
oportunidadesprofesionales.fomentosansebastian.eus.
12345678901234567890123456789012345678901234567890 [50]

@rmbolger, what do you mean by "everyone" and "some"?
Everyone that uses those authoritative DNS servers should have been affected.

2 Likes

In case anyone is wondering if limiting DNS lengths is even possible... it is.
There does exist an IPS setting that can limit the overall packet length:


and it can be set to a very low number, which could interfere with requests on longer names.

2 Likes

@Osiris got successful results. And when I queried via digwebinterface.com it also got valid results (though now it seems to be getting SERVFAIL like I was).

2 Likes

I suppose it is possible that different DNS clients create different sized requests for the same FQDN.
OR
Their IPS protections are being applied differently per datacenter or some other GeoLocation difference.

Note: I'm halfway around the world from a black box system guessing at what it might be doing.

2 Likes

the domain owner has removed the long entry from ns*.dinahosting.com

the max FQDN length seems to be 43

https://unboundtest.com/m/A/a012345678901234567.fomentosansebastian.eus/5A2QHQQC
"query response was nodata ANSWER"
https://unboundtest.com/m/A/a0123456789012345678.fomentosansebastian.eus/64YS7W5B
"query response was THROWAWAY"

because at 44 unboundtest stops getting an answer

> Their IPS protections are being applied differently per datacenter or some other GeoLocation difference.

yes

2 Likes
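Added here as a worked example (not code from the thread or from unboundtest): it encodes the question in DNS wire format so the name lengths discussed above can be checked against dig's `MSG SIZE rcvd` lines (79 bytes for the empty SERVFAIL reply, 95 bytes for the NOERROR reply with one A record), and it bisects for the longest name a resolver still answers, the way the `a0123...` probes did. The `resolves` callback and the stand-in resolver that only answers names of at most 43 characters are constructed assumptions.

```python
import struct

def qname_wire(name: str) -> bytes:
    """Encode an FQDN as RFC 1035 wire-format labels: <len><label>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"          # the empty root label terminates the name

def query_size(name: str, edns: bool = True) -> int:
    """Bytes in a minimal A query: 12-byte header + QNAME + QTYPE/QCLASS (+ OPT RR)."""
    size = 12 + len(qname_wire(name)) + 4
    if edns:
        size += 11                # OPT RR: root name (1) + type/class/ttl/rdlen (10)
    return size

def response_size(name: str, a_records: int) -> int:
    """Bytes in a reply that echoes the question and adds `a_records` A RRs,
    each with a 2-byte compression pointer as owner name: 2+2+2+4+2+4 = 16."""
    return query_size(name) + 16 * a_records

def longest_resolvable(zone: str, resolves, max_label: int = 63) -> int:
    """Bisect the longest first label (pattern 'a' + digits, as in the thread)
    for which resolves(fqdn) is True; returns the FQDN length. Assumes every
    shorter name resolves too (a hard length cut-off, not a flapping server)."""
    lo, hi = 1, max_label
    while lo < hi:
        mid = (lo + hi + 1) // 2
        label = "a" + "".join(str(i % 10) for i in range(mid - 1))
        if resolves(f"{label}.{zone}"):
            lo = mid
        else:
            hi = mid - 1
    return lo + 1 + len(zone)

if __name__ == "__main__":
    long_name = "oportunidadesprofesionales.fomentosansebastian.eus"
    print(len(long_name), query_size(long_name))        # 50 chars -> 79-byte message
    print(response_size(long_name, 1))                  # plus one A record -> 95 bytes
    # Constructed stand-in for the misbehaving path: answers only names <= 43 chars.
    fake_resolver = lambda fqdn: len(fqdn) <= 43
    print(longest_resolvable("fomentosansebastian.eus", fake_resolver))   # 43
```

Swap the stand-in for a real lookup (e.g. a `dig @ns +norecurse` wrapper) to measure the cut-off against each authoritative server from a given vantage point.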