Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: www.gov.co
I ran this command: is an Akamai certificate
We need the status of the request.
Hi @mresendiz
that's a known problem. The gov.co zone has a completely wrong SOA entry:
Domain: www.gov.co
Primary: acadcpr30.mcdmintic.local
Mail: hostmaster.mcdmintic.local
Serial: 129
Refresh: 900
Retry: 600
Expire: 86400
TTL: 300
num Entries: 2
A domain with the suffix .local can't be a publicly visible domain. A name server with that suffix isn't visible.
--> It's a completely wrong configuration.
PS: There were older topics with the same problem -
The SOA record shouldn’t be a problem. It’s weird, but regular DNS resolution doesn’t do anything with the SOA MNAME.
There’s also an NS record for acadcpr30.mcdmintic.local. That’s not good, but it shouldn’t cause significant problems.
However, that leaves the www.gov.co zone with one real nameserver, 190.60.118.11.
I think the problem is that that nameserver does not support TCP.
The NODATA response for www.gov.co CAA – i.e. “dig +dnssec +norecurse @190.60.118.11 www.gov.co caa” – is 539 bytes.
Let’s Encrypt’s resolvers use a maximum size of 512 bytes, otherwise TCP must be used.
@mresendiz , you should fix TCP support on your nameserver and get Akamai to try again. (You should also get more nameservers!)
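The size argument in the reply above can be checked on the wire. The following is an added example, not code from the thread or from any of the posters: it builds the same kind of query `dig +norecurse` sends (no EDNS0, so the classic 512-byte UDP limit applies), constructs a NODATA reply carrying the SOA from the thread, and decides whether a resolver capped at 512 bytes would have to retry over TCP. The 539-byte size is reproduced by construction (an RRSIG-shaped record with a 362-byte dummy signature stands in for the DNSSEC data of a `+dnssec` reply), not by capturing the real server's answer. The `probe` helper sends the query over UDP and TCP to any server you name; 190.60.118.11 and www.gov.co in the usage line are simply the thread's values passed as arguments. Only the standard library is used.

```python
"""Added example (not from the thread): DNS wire-format helpers showing why a
539-byte NODATA answer pushes a 512-byte UDP resolver onto TCP, plus a live
UDP/TCP probe of a nameserver. All sample messages are constructed here."""
import socket
import struct
import sys

UDP_LIMIT = 512                       # DNS UDP payload limit without EDNS0
QTYPE_SOA, QTYPE_RRSIG, QTYPE_CAA = 6, 46, 257
CLASS_IN = 1
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200


def encode_name(name):
    """Dotted name -> DNS label wire format (no compression pointers)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234, recurse=False):
    """Query like `dig +norecurse`: no OPT record, so the server may only use
    UDP for answers of at most 512 bytes and must set TC or serve TCP."""
    flags = 0x0100 if recurse else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def rr(owner, rtype, ttl, rdata):
    """One resource record in wire format."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp(response, udp_limit=UDP_LIMIT):
    """A resolver capped at `udp_limit` bytes over UDP must retry over TCP when
    the answer is truncated (TC bit) or does not fit at all."""
    return parse_header(response)["tc"] or len(response) > udp_limit


def constructed_nodata_response(signature_len=0):
    """Constructed sample: authoritative NODATA for www.gov.co CAA (NOERROR,
    no answer RRs) with the thread's SOA in the authority section. A nonzero
    `signature_len` appends an RRSIG-shaped record with a dummy signature,
    standing in for the DNSSEC data that inflates a +dnssec reply; 362 bytes
    of signature makes the whole message exactly 539 bytes."""
    question = encode_name("www.gov.co") + struct.pack("!HH", QTYPE_CAA, CLASS_IN)
    soa = (encode_name("acadcpr30.mcdmintic.local") + encode_name("hostmaster.mcdmintic.local")
           + struct.pack("!IIIII", 129, 900, 600, 86400, 300))
    authority, nscount = rr("www.gov.co", QTYPE_SOA, 300, soa), 1
    if signature_len:
        # type covered, algorithm, labels, original TTL, expiration, inception, key tag
        rrsig = (struct.pack("!HBBIIIH", QTYPE_SOA, 8, 3, 300, 0, 0, 0)
                 + encode_name("www.gov.co") + b"\x00" * signature_len)
        authority += rr("www.gov.co", QTYPE_RRSIG, 300, rrsig)
        nscount += 1
    header = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_AA, 1, 0, nscount, 0)
    return header + question + authority


def probe(server, name, qtype=QTYPE_CAA, timeout=3.0):
    """Send the same query over UDP and over TCP (two-byte length prefix) and
    report what came back; UDP answering while TCP fails is the failure mode
    discussed above. A transport that times out or is refused reports None."""
    query, result = build_query(name, qtype), {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        try:
            udp.sendto(query, (server, 53))
            data, _ = udp.recvfrom(4096)
            result["udp"] = {"bytes": len(data), "tc": parse_header(data)["tc"]}
        except OSError:
            result["udp"] = None
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp:
        tcp.settimeout(timeout)
        try:
            tcp.connect((server, 53))
            tcp.sendall(struct.pack("!H", len(query)) + query)
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = tcp.recv(4096)
                if not chunk:
                    raise OSError("connection closed before a full reply")
                buf += chunk
            data = buf[2:2 + struct.unpack("!H", buf[:2])[0]]
            result["tcp"] = {"bytes": len(data), "tc": parse_header(data)["tc"]}
        except OSError:
            result["tcp"] = None
    return result


if __name__ == "__main__":
    for sig in (0, 362):
        msg = constructed_nodata_response(sig)
        print(f"{len(msg)} bytes -> TCP needed: {needs_tcp(msg)}")
    if len(sys.argv) == 3:                   # e.g. python3 dnscheck.py 190.60.118.11 www.gov.co
        print(probe(sys.argv[1], sys.argv[2]))
```

The offline part shows the arithmetic: the SOA-only NODATA reply is 125 bytes and fits in UDP, while the DNSSEC-sized variant is 539 bytes and a 512-byte resolver has to go to TCP for it. Run the script with a server and name to see whether that server answers on TCP at all; a `None` under `"tcp"` next to a populated `"udp"` entry is exactly the condition the reply above describes.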
rg305, November 27, 2019, 6:03pm
https://dnsviz.net/d/www.gov.co/dnssec/
shows an NS: acadcpr30.mcdmintic.local
That should probably NOT be shown on the public side.
rg305, November 27, 2019, 7:09pm
gov.co has a CNAME record pointing to www.gov.co. It’s unusual but valid.
rg305, November 27, 2019, 8:34pm
Yes “I” saw that - but it seems that “others” don’t look as closely nor like what they see.
system, Closed, December 27, 2019, 8:34pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.