DNS problem: looking up A for xxx.domain.top: DNSSEC: DNSKEY Missing; no valid AAAA records found for xxx.domain.top

Just a week ago I bought two .top domains.
One was signed up without problems, but the second doesn't want to join (( At the same time, I bought these two domains at the same domain name registrar and use the same hosting provider. This one works without problems: it-news.top, but this one, aibolit.top, does not :frowning:

"Failed to verify the domain
Return code: 400
Details: DNS problem: looking up A for aibolit.top: DNSSEC: DNSKEY Missing; DNS problem: looking up AAAA for aibolit.top: DNSSEC: DNSKEY Missing"

Same thing happened to me. acme running in a container on a Synology NAS. It worked before, and I have added CAA records as well.

[Fri Jun 28 00:39:03 UTC 2024] original='{
  "identifier": {
    "type": "dns",
    "value": "xxxxxxxxx.top"
  },
  "status": "invalid",
  "expires": "2024-07-05T00:36:51Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/369729691707/ZEEWuA",
      "status": "invalid",
      "validated": "2024-06-28T00:39:00Z",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: looking up TXT for _acme-challenge.xxxxxxx.top: DNSSEC: DNSKEY Missing",
        "status": 400
      },
      "token": "ogW-6FtXXylJdDxxxxxxxxUoS9pglafWFRVm-AsyL-Q"
    }
  ]
}'
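For operators watching many domains during an incident like this, the authorization object above is the thing to parse. The following is an added example, not acme.sh code or Let's Encrypt code: it pulls the ACME authorization JSON out of an acme.sh `original='...'` log entry, lists the failed challenges, and splits the error detail into record type, name and reason so that "DNSSEC: DNSKEY Missing" failures can be counted separately. The sample log entry is constructed, with a placeholder domain and token.

```python
import json
import re
from typing import Dict, List

# Constructed sample: an acme.sh debug line carrying the ACME authorization
# object in the shape quoted in the thread (domain and token are placeholders).
SAMPLE_LOG = """[Fri Jun 28 00:39:03 UTC 2024] original='{
"identifier": {"type": "dns", "value": "example-placeholder.top"},
"status": "invalid",
"expires": "2024-07-05T00:36:51Z",
"challenges": [{
 "type": "dns-01",
 "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/000000/PLACEHOLDER",
 "status": "invalid",
 "validated": "2024-06-28T00:39:00Z",
 "error": {"type": "urn:ietf:params:acme:error:dns",
           "detail": "DNS problem: looking up TXT for _acme-challenge.example-placeholder.top: DNSSEC: DNSKEY Missing",
           "status": 400},
 "token": "PLACEHOLDER-TOKEN"
}]
}'"""

# acme.sh wraps the raw server response in original='...'; grab the JSON body.
ORIGINAL_RE = re.compile(r"original='(\{.*\})'", re.DOTALL)
# Let's Encrypt's DNS error detail: "looking up <RRTYPE> for <name>: <reason>"
DETAIL_RE = re.compile(r"looking up (\w+) for ([\w.-]+): (.*)$")

def extract_authz(log_text: str) -> Dict:
    """Return the ACME authorization object embedded in an acme.sh log entry."""
    m = ORIGINAL_RE.search(log_text)
    if not m:
        raise ValueError("no ACME authorization object found in log text")
    return json.loads(m.group(1))

def failed_challenges(authz: Dict) -> List[Dict]:
    """One summary dict per challenge that is 'invalid' and carries an error."""
    out = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid" or "error" not in ch:
            continue
        err = ch["error"]
        detail = err.get("detail", "")
        m = DETAIL_RE.search(detail)
        out.append({
            "identifier": authz["identifier"]["value"],
            "challenge": ch.get("type"),
            "error_type": err.get("type"),
            "rrtype": m.group(1) if m else None,
            "name": m.group(2) if m else None,
            "reason": m.group(3) if m else detail,
            # DNSSEC wording is the CA resolver's view; per the thread it can be a
            # symptom of the TLD servers not answering that resolver at all.
            "dnssec_related": "DNSSEC:" in detail,
        })
    return out
```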

This problem is ongoing, and appears to potentially be the .top TLD blocking validation traffic from Let's Encrypt. We are attempting to make contact with them, and trying other mitigating measures as well.

In the meantime, you may have to use another Certificate Authority.

5 Likes

Here is a list of Free ACME Certificate Authorities:

4 Likes

Same problem for me.

The domain has an 'A' record.

And the whois record shows DNSSEC is not used.

I think the .top root DNS server must delete the invalid record "DS 56384..."

@toxmc,

The Authoritative DNS Name Servers show "Performance: 0%" here: DNS Spy report for 09999.top

In addition to the .top issue here, I would strongly suggest finding a DNS Name Server Provider who performs much better than the Provider presently being used.


3 Likes

Looks like that response time is the expected ping range to China from Europe.

3 Likes

No matter where the dns server is used, solving the DNSSEC problem is the first priority :grinning: :grinning: :grinning:

3 Likes

Try turning off DNSSEC as a solution.

2 Likes

Let’s Encrypt could potentially disable DNSSEC validation to fix this issue, but we don’t think that’s a reasonable option for us to take.

We are trying to get in contact with the .top operators for assistance in getting their name servers to respond to our DNS queries.

8 Likes

It would seem reasonable to me to disable DNSSEC validation for a couple of days till the issue is fixed, because apparently it's not going to be resolved in the next few days, and a lot of people have, or will have in the very near future, critical issues with their applications. (In my case I have 13 days left.)

1 Like

I don't think LE/Unbound (the latter is the DNS resolving library used) can easily disable DNSSEC for a single TLD. That would mean disabling DNSSEC for every DNS lookup.

In case of emergencies: there are other free ACME CAs which can be used. Buypass requires no non-ACME account and is therefore quite easy to use. See the comparison overview posted by Bruce 2 days ago above.

Edit:
It seems Unbound has the domain-insecure: option to disable DNSSEC for specific domains, and ChatGPT (which I don't trust at all though) says it could be used for TLDs.

So domain-insecure: "top." might work?

If it would be this easy, I assume LE might have considered it already.

1 Like

Quoting a Let's Encrypt engineer here:

This doesn't sound like discussing DNSSEC here is going to help anyone. Based on my understanding of the situation, the DNSSEC is fine for the top TLD. The issue appears to be that Let's Encrypt's resolvers are blocked by top nameservers, only receiving a bogus response. The DNSSEC query just happens to be (one of) the first queries unbound hits the top nameserver with. Hence the DNSSEC failure is likely to be a symptom of the problem, not the cause. This also explains why every other resolver has zero issues with the DNSSEC for the top TLD.

11 Likes

You're right, my apologies. I read the last post from Matthew which suggested DNSSEC was part of the problem, but I agree the problem probably lies deeper than that.

5 Likes

Hello everyone, besides waiting, does anyone have a better temporary solution? The bad news is that my certificate will expire in a few days.

I have a temporary solution: use Cloudflare DNS. First you need a Cloudflare account, then change your domain's DNS provider to Cloudflare, and finally use the SSL certificate Cloudflare provides.

2 Likes

Thank you very much.

1 Like

That's not an option for every use case.

As was said earlier, you can try using another Certificate Authority. There are many free ones that support the same ACME automation protocol that Let's Encrypt uses. (There's a comparison list that Posh-ACME has put together that may be helpful.)

I haven't really used it myself, but I think Buypass Go may be one of the easiest since it doesn't require setting up any external account. Just use --server https://api.buypass.com/acme/directory in your certbot command (for other clients, there's probably a similar option to set the ACME directory endpoint to use).

6 Likes

Thank you very much, I will try it.