DNS problem: looking up A for xxx.domain.top: DNSSEC: DNSKEY Missing; no valid AAAA records found for xxx.domain.top

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.domain.top

I ran this command:
docker run -it --rm -v /etc/letsencrypt/master:/etc/letsencrypt -v /etc/letsencrypt/lib:/var/lib/letsencrypt -v /etc/letsencrypt/log:/var/log/letsencrypt -v /tmp:/data/letsencrypt certbot/certbot certonly --webroot --agree-tos --webroot-path=/data/letsencrypt -m xxx@xxxx.com -d www.domain.top

It produced this output:

DNS problem: looking up A for www.domain.top: DNSSEC: DNSKEY Missing; DNS problem: server failure at resolver looking up AAAA for www.domain.top

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
centos8

My hosting provider, if applicable, is:
gname

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest

2 Likes

Well, you should talk with your domain registrar to remove the bogus DS record in the TLD zone. You don't tell what your domain is, so there's not much to talk about.

3 Likes

The domain name registrar has specified the gname service provider.
In addition, I tested the .TOP domain name and this problem occurred.

1 Like

Anyway, you need to contact them to remove it: only they can request to do so.

3 Likes

I use NameSilo, LLC and Alibaba Cloud and have the same result.

1 Like

Domain name registrar customer service:
Hello, the status of your domain name shown here is normal. The domain name has not been set up with the above DNSSEC. The resolution of the domain name shown here is also in effect. It is recommended that you contact the relevant SSL certificate party to inquire about related issues.

2 Likes

I encountered the same situation

2 Likes

I encountered the same problem too

2 Likes

Hi,

Has anyone managed to find a workaround with this case?

I am still unsure what the issue is, they appear to have 2 DS records and 2 DNSKEY records, compared to 1 DS record and 2 DNSKEY records for .com.

EDIT: Interestingly, .xyz has a similar configuration and the request is successful there.

3 Likes

Me too. It seems that many people who are using a .TOP domain name have encountered the same problem recently. My domain name certificate application was normal before, but the same error occurred when I applied to update it today. I didn't change any settings in the domain registrar or DNS resolution. I use NameSilo for domain registration and Cloudflare for DNS.

2 Likes

I noticed there is a news item on nic.top; I don't know if this is the reason.

According to the "Policy and Practice Statement" for the international top-level domain ".top," the new round of .top domain KSK keys will enter the rollover cycle on March 1, 2024. The old KSK key (Keytag: 56384) will be officially deprecated on March 31, 2024, Beijing time.

If the recursive server (or some browsers) you manage has enabled DNSSEC validation and uses the .top domain as a trust anchor (using the trusted-keys directive), please remove the .top domain trust anchor configuration from the recursive server before March 31, 2024, Beijing time. Set the new KSK key as the trust anchor and re-enable it after the old KSK key-related records have expired in the cache to maintain the continuity of the recursive server service.

3 Likes
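The notice above describes a KSK rollover: a validating resolver trusts a child zone's DNSKEY RRset only if at least one DS record published in the parent matches (by key tag, algorithm, digest type and digest) a DNSKEY the child actually serves; when none matches, the resolver cannot authenticate the zone, which is the "DNSKEY Missing" style of failure. The following is an added example, not code from this thread or from Let's Encrypt, that reproduces that DS/DNSKEY consistency check offline with constructed keys (the zone name `example.top.`, the key bytes and the "old"/"new" KSK labels are all made up for illustration), so a defender can see exactly what a resolver compares before trusting a zone.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 1=SHA-1, 2=SHA-256, 4=SHA-384."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in hashers:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return hashers[digest_type](name_to_wire(owner) + rdata).hexdigest()


def build_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Build the DS record (key tag, algorithm, digest type, digest) the parent should publish."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def check_chain(owner: str, parent_ds: list, child_dnskeys: list) -> tuple:
    """Mimic the resolver's check: does any parent DS match any child DNSKEY?

    Returns (ok, report). ok is False when no DS matches, the situation a validator
    reports as the child's DNSKEY being missing/unauthenticatable.
    """
    report = []
    matched = False
    for tag, alg, dtype, digest in parent_ds:
        hit = any(
            key_tag(k) == tag and k[3] == alg and ds_digest(owner, k, dtype) == digest
            for k in child_dnskeys
        )
        matched = matched or hit
        report.append(f"DS keytag={tag} alg={alg} digest_type={dtype}: {'matches a DNSKEY' if hit else 'NO matching DNSKEY'}")
    return matched, report


# Constructed sample data (not real keys): a "new" and an "old" KSK for example.top.
ZONE = "example.top."
NEW_KSK_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))          # flags 257 = KSK, alg 13 = ECDSAP256SHA256
OLD_KSK_RDATA = dnskey_rdata(257, 3, 13, bytes(range(63, -1, -1)))   # a different, deprecated key


def rollover_scenarios() -> dict:
    """Before the registrar updates DS, the parent still points at the old KSK only."""
    ds_old_only = [build_ds(ZONE, OLD_KSK_RDATA)]
    ds_updated = [build_ds(ZONE, OLD_KSK_RDATA), build_ds(ZONE, NEW_KSK_RDATA)]
    child_now = [NEW_KSK_RDATA]  # the old key has been withdrawn from the zone
    return {
        "stale_ds": check_chain(ZONE, ds_old_only, child_now),
        "updated_ds": check_chain(ZONE, ds_updated, child_now),
    }


if __name__ == "__main__":
    for name, (ok, lines) in rollover_scenarios().items():
        print(f"[{name}] chain ok={ok}")
        for line in lines:
            print("   ", line)
```

Running the script prints one line per DS record saying whether a served DNSKEY matches it; the "stale_ds" scenario is the one to look for when a renewal starts failing right after a key rollover, and the fix is on the registrar/registry side (publish the DS for the new key, or remove a DS that no longer corresponds to any served key), not in the ACME client. For a live zone, the same comparison can be done against the output of `dig DS zone` at the parent and `dig DNSKEY zone` at the child, or visually with the DNSViz link posted later in this thread.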

Perhaps this tool might help get to the root(s) of the problem?

https://dnsviz.net/d/www.hhuxs.top/dnssec/

2 Likes

This website did not report any error. I repeated the issue on my own .top domain (us1.expli.top) (with DNSSEC correctly configured, and I successfully requested a certificate from ZeroSSL a few minutes ago). Maybe there is something wrong with the DNS server Let's Encrypt uses?

2 Likes

We've heard several people are having trouble with the .top TLD, and will begin an investigation.

8 Likes

We haven't identified a root cause yet. Follow along at Let's Encrypt Status for updates.

6 Likes

I encountered the same issue.

I have tried adding CAA records. That didn't work. The .com works fine.

1 Like

Same problem here while trying to use certbot to sign a cert, also for xxx.domain.top.

1 Like

I am having the same problem too. I have 90 .top domains here which fail to get an SSL cert, and I am unable to get one due to this error. The error message is the same as in the original post. I cannot post any domain name here since those are domains for an adult audience only.

1 Like

The issue was acknowledged by LE staff. While I can sympathize with the frustration, posting “me too” without providing additional details that haven't been provided before—won't get this fixed faster. It's just annoying for anyone who keeps track of this topic.

If one wants to get notified about the progress—there's a handy button with a bell at the bottom of the topic.

3 Likes

We are still investigating. The problem does appear to be with the .top nameservers, and we are attempting to contact the .top operators for more information.

The DNSKEY error may be a slight red-herring, which we are also still investigating.

Unfortunately we don't have good news at this time. For users with a .top domain, you may want to consider trying another Certificate Authority in the meantime.

9 Likes