My domain is: oportunidadesprofesionales.fomentosansebastian.eus
Do you have any idea of what may be the problem with this DNS entry?
I thought maybe it was a lengthy one, but I have created a longer one in another domain and verification works as expected.
I ran this command: certbot --nginx -d oportunidadesprofesionales.fomentosansebastian.eus
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for oportunidadesprofesionales.fomentosansebastian.eus
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. oportunidadesprofesionales.fomentosansebastian.eus (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for oportunidadesprofesionales.fomentosansebastian.eus - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for oportunidadesprofesionales.fomentosansebastian.eus - the domain's nameservers may be malfunctioning
My web server is (include version): Nginx 1.14.2
The operating system my web server runs on is (include version): Debian 10.12
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
The problem seems to be unbound "throwing away" the NS response:
info: response for oportunidadesprofesionales.fomentosansebastian.eus. A IN
info: reply from <fomentosansebastian.eus.> 185.192.223.10#53
info: query response was THROWAWAY
On the other hand, other recursive DNS clients, like dig +trace oportunidadesprofesionales.fomentosansebastian.eus, do not have any issues with it.
DNS problem: SERVFAIL looking up A for oportunidadesprofesionales.fomentosansebastian.eus - the domain's nameservers may be malfunctioning persists
I have installed unbound and set it up per https://unboundtest.com/conf, and it resolves as expected from where I stand. So it is not unbound related, but a DNS server or network issue.
I can confirm that at least from my vantage point, mail does resolve correctly against the individual dinahosting nameservers. But oportunidadesprofesionales continues to give SERVFAIL errors. So so weird.
They're both just plain A records in the zone, right? One's not a sub-zone or something? Can you post a screenshot of the DNS record view at the provider?
Actual limit unknown at this time, but presumed less than: oportunidadesprofesionales.fomentosansebastian.eus. 12345678901234567890123456789012345678901234567890 [50]
@rmbolger, what do you mean by "everyone" and "some"?
Everyone that uses those authoritative DNS servers should have been affected.
In case anyone is wondering if limiting DNS lengths is even possible... it is.
There does exist an IPS setting that can limit the overall packet length:
@Osiris got successful results. And when I queried via digwebinterface.com it also got valid results (though now it seems to be getting SERVFAIL like I was).
I suppose it is possible that different DNS clients create different sized requests for the same FQDN.
OR
Their IPS protections are being applied differently per datacenter or some other GeoLocation difference.
Note: I'm halfway around the world from a black box system guessing at what it might be doing.
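Added example, not part of any post in this thread: a Python sketch that builds the DNS query for a name in wire format and reports its size with and without an EDNS0 OPT record, to show how the same FQDN can produce different request sizes when checking a suspected length-based filter. The transaction ID, the 1232-byte advertised payload size and the all-zero 8-byte cookie are constructed values, and which options a given resolver actually sends is an assumption to confirm with a packet capture.

```python
import struct

QTYPE_A, CLASS_IN, TYPE_OPT, OPT_COOKIE = 1, 1, 41, 10

def encode_name(fqdn):
    """Encode a name as length-prefixed labels terminated by the root label."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("encoded name exceeds 255 bytes")
    return out

def build_query(fqdn, edns=False, do_bit=False, cookie=b"", txid=0x1234):
    """Build an A query; optionally append an EDNS0 OPT record (RFC 6891)."""
    # Header: ID, flags (RD set), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(fqdn) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    if edns:
        rdata = b""
        if cookie:  # client COOKIE option (RFC 7873)
            rdata = struct.pack("!HH", OPT_COOKIE, len(cookie)) + cookie
        ttl = 0x00008000 if do_bit else 0  # DO flag lives in the OPT TTL field
        # Root owner name, TYPE=OPT, CLASS=advertised UDP size (constructed)
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, ttl, len(rdata)) + rdata
    return msg

def query_sizes(fqdn):
    """Return the on-wire query size in bytes for three client behaviours."""
    return {
        "plain": len(build_query(fqdn)),
        "edns+do": len(build_query(fqdn, edns=True, do_bit=True)),
        "edns+cookie": len(build_query(fqdn, edns=True, cookie=b"\x00" * 8)),
    }

if __name__ == "__main__":
    for name in ("mail.fomentosansebastian.eus",
                 "oportunidadesprofesionales.fomentosansebastian.eus"):
        print(name, query_sizes(name))
```

Comparing these sizes against the lengths seen in a capture at the resolver shows whether failing and succeeding queries fall on opposite sides of a byte threshold.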