DNS mystery in http-01 :)

descala · May 13, 2022, 11:31am

My domain is: oportunidadesprofesionales.fomentosansebastian.eus

do you have any idea of what may be the problem with this DNS entry?

I thought maybe it was a lengthy one, but I have created a longer one in another domain and verification works as expected

I ran this command: certbot --nginx -d oportunidadesprofesionales.fomentosansebastian.eus

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for oportunidadesprofesionales.fomentosansebastian.eus
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. oportunidadesprofesionales.fomentosansebastian.eus (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for oportunidadesprofesionales.fomentosansebastian.eus - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for oportunidadesprofesionales.fomentosansebastian.eus - the domain's nameservers may be malfunctioning

My web server is (include version): Nginx 1.14.2

The operating system my web server runs on is (include version): Debian 10.12

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

9peppe · May 13, 2022, 2:00pm

Does this happen every time?

https://unboundtest.com/m/A/oportunidadesprofesionales.fomentosansebastian.eus/LRDF5Y5E

descala · May 13, 2022, 2:35pm

grazie @9peppe,

yes. it happens every time with this domain

I did not know about https://unboundtest.com/ thank you!

the problem seems be unbound "throwing away" the NS response:

info: response for oportunidadesprofesionales.fomentosansebastian.eus. A IN
info: reply from <fomentosansebastian.eus.> 185.192.223.10#53
info: query response was THROWAWAY

on the other hand, other recursive DNS clients, like dig +trace oportunidadesprofesionales.fomentosansebastian.eus, do not have any issues with it

rmbolger · May 13, 2022, 3:54pm

All four of your authoritative nameservers seems to be sending SERVFAIL errors when asked to resolve the primary domain name:

>dig oportunidadesprofesionales.fomentosansebastian.eus @185.192.223.10 +norecurse

; <<>> DiG 9.16.20 <<>> oportunidadesprofesionales.fomentosansebastian.eus @185.192.223.10 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52426
;; flags: qr ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;oportunidadesprofesionales.fomentosansebastian.eus. IN A

;; Query time: 12 msec
;; SERVER: 185.192.223.10#53(185.192.223.10)
;; WHEN: Fri May 13 08:51:30 Pacific Daylight Time 2022
;; MSG SIZE  rcvd: 79

Osiris · May 13, 2022, 4:58pm

@rmbolger No they don't, at least not for me:

osiris@erazer ~ $ dig oportunidadesprofesionales.fomentosansebastian.eus @185.192.223.10 +norecurse

; <<>> DiG 9.16.22 <<>> oportunidadesprofesionales.fomentosansebastian.eus @185.192.223.10 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15641
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;oportunidadesprofesionales.fomentosansebastian.eus. IN A

;; ANSWER SECTION:
oportunidadesprofesionales.fomentosansebastian.eus. 300	IN A 142.132.168.169

;; Query time: 103 msec
;; SERVER: 185.192.223.10#53(185.192.223.10)
;; WHEN: Fri May 13 18:57:58 CEST 2022
;; MSG SIZE  rcvd: 95

osiris@erazer ~ $

rmbolger · May 13, 2022, 5:12pm

Weird. Some sort of DNS firewall in place? They're all very consistent for me.

petercooperjr · May 13, 2022, 5:52pm

Just to add another data point, it looks fine from where I am testing as well (which is a VM in AWS's us-east-1 region), at least right now.

So either the problem has been fixed, or the DNS server is sending different responses to different people.

rg305 · May 13, 2022, 9:13pm

A post was merged into an existing topic: Cloudflare dns cert issue

descala · May 14, 2022, 10:00am

thanks for your help

DNS problem: SERVFAIL looking up A for oportunidadesprofesionales.fomentosansebastian.eus - the domain's nameservers may be malfunctioning persists

I have installed unbound and set it up per https://unboundtest.com/conf, and it resolves as expected from where I stand. so it is not unbound related, but a DNS server or network issue.

the weird thing is the "mail." zone in the same DNS servers has no issues with Let's Encypt DNS client. no problems with the test https://unboundtest.com/m/A/mail.fomentosansebastian.eus/SKUIYGLA either

rmbolger · May 14, 2022, 3:01pm

I can confirm that at least from my vantagepoint, mail does resolve correctly against the individual dinahosting nameservers. But oportunidadesprofesionales continues to give SERVFAIL errors. So so weird.

They're both just plain A records in the zone, right? One's not a sub-zone or something? Can you post a screenshot of the DNS record view at the provider?

rg305 · May 14, 2022, 7:35pm

Can it be an FQDN length issue?
Not, per se, within DNS itself, but maybe within some IPS DNS protection...?

descala · May 17, 2022, 4:55pm

it was indeed an issue with the length of the DNS name. we will just use a shorter one

still do not know what kind of IPS DNS is causing this length-related issue. it will remain a mystery, I guess

thank you all for your support

rg305 · May 17, 2022, 5:41pm

I'm glad my crystal ball helped you figure this one out - LOL

rmbolger · May 18, 2022, 4:08am

I'm confused. If it was just a length issue, shouldn't resolution have been broken for everyone rather than only some?

rg305 · May 18, 2022, 4:27am

Only those that exceeded the length limit.

Actual limit unknown at this time, but presumed less than:
oportunidadesprofesionales.fomentosansebastian.eus.
12345678901234567890123456789012345678901234567890 [50]

@rmbolger, what do you mean by "everyone" and "some"?
Everyone that uses those authoritative DNS servers should have been affected.

rg305 · May 18, 2022, 4:37am

In case anyone is wondering if limiting DNS lengths is even possible... it is.
There does exist an IPS setting that can limit the overall packet length:

and it can be set to a very low number, which could interfere with requests on longer names.

rmbolger · May 18, 2022, 4:43am

@Osiris got successful results. And when I queried via digwebinterface.com it also got valid results (though now it seems to be getting SERVFAIL like I was).

rg305 · May 18, 2022, 9:43am

I suppose it is possible that different DNS clients create different sized requests for the same FQDN.
OR
Their IPS protections are being applied differently per datacenter or some other GeoLocation difference.

Note: I'm halfway around the world from a black box system guessing at what it might be doing.

descala · May 18, 2022, 11:05am

the domain owner has removed the long entry from ns*.dinahosting.com

the max FQDN length seems to be 43

https://unboundtest.com/m/A/a012345678901234567.fomentosansebastian.eus/5A2QHQQC
"query response was nodata ANSWER"
https://unboundtest.com/m/A/a0123456789012345678.fomentosansebastian.eus/64YS7W5B
"query response was THROWAWAY"

because at 44 ubounttest stops getting an answer

Their IPS protections are being applied differently per datacenter or some other GeoLocation difference.

yes

system · June 17, 2022, 11:05am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.