DNS problem: query timed out looking up CAA for www.gov.co


My domain is: www.gov.co

I ran this command: is an Akamai certificate

We need the status of the request.

Hi @mresendiz

That's a known problem. The gov.co zone has a completely wrong SOA entry:

Domain: www.gov.co
Primary: acadcpr30.mcdmintic.local
Mail: hostmaster.mcdmintic.local
Serial: 129
Refresh: 900
Retry: 600
Expire: 86400
TTL: 300
num Entries: 2

A domain with the suffix .local can't be a public visible domain.

A name server with that suffix isn't visible.

--> It's a completely wrong configuration.

PS: There were older topics with the same problem -

The SOA record shouldn’t be a problem. It’s weird, but regular DNS resolution doesn’t do anything with the SOA MNAME.

There’s also an NS record for acadcpr30.mcdmintic.local. That’s not good, but it shouldn’t cause significant problems.

However, that leaves the www.gov.co zone with one real nameserver, 190.60.118.11.

I think the problem is that that nameserver does not support TCP.

The NODATA response for www.gov.co CAA – i.e. “dig +dnssec +norecurse @190.60.118.11 www.gov.co caa” – is 539 bytes.

Let’s Encrypt’s resolvers use a maximum size of 512 bytes, otherwise TCP must be used.

@mresendiz, you should fix TCP support on your nameserver and get Akamai to try again. (You should also get more nameservers!)

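To make the TCP-fallback reasoning above concrete, here is an added example (my own script, not anything from the thread, Let's Encrypt or Akamai). It builds the same non-recursive CAA query `dig +norecurse` sends, without EDNS0, so a compliant server must either fit the answer in 512 bytes or set the TC bit; a resolver then retries over TCP, and if the server never answers on TCP the lookup times out, which is the failure reported in this thread. The wire-format helpers are pure and can be checked offline against a constructed reply; `probe_server()` does the real UDP-then-TCP check against a server and name you supply. Both are assumptions of mine about a minimal diagnostic, not how Let's Encrypt's resolvers are implemented.

```python
"""Check whether an authoritative server can deliver an answer that needs TCP.

Added example for the thread's diagnosis, not code from the thread.
"""
import socket
import struct

CLASS_IN = 1
TYPE_CAA = 257       # CAA RR type (RFC 8659)
TC_FLAG = 0x0200     # "truncated" bit in the DNS header flags
UDP_LIMIT = 512      # classic UDP payload limit without EDNS0


def encode_name(name: str) -> bytes:
    """Encode 'www.gov.co' as wire-format labels: \x03www\x03gov\x02co\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_CAA, txid: int = 0x1234) -> bytes:
    """Query with RD=0 (like dig +norecurse) and no OPT record, so the server
    is limited to 512 bytes over UDP and must set TC if the answer is bigger."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(resp: bytes) -> dict:
    """Pull out the header fields a resolver looks at before deciding on TCP."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "truncated": bool(flags & TC_FLAG),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_fallback(udp_response: bytes) -> bool:
    """A resolver retries over TCP when the UDP reply carries TC=1."""
    return parse_header(udp_response)["truncated"]


def simulate_udp_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed sample reply (not captured traffic): QR=1, AA=1, RCODE=0
    (NODATA), question echoed back, TC set if the full answer did not fit."""
    (txid,) = struct.unpack("!H", query[:2])
    flags = 0x8400 | (TC_FLAG if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP connection closed early")
        buf += chunk
    return buf


def probe_server(server: str, name: str, timeout: float = 3.0) -> dict:
    """Network check: UDP query first, then the same query over TCP.
    tcp_error set (e.g. 'timed out') with udp_truncated True is the thread's
    failure mode: the server needs TCP for this answer but does not serve it."""
    query = build_query(name)
    report = {"udp_len": None, "udp_truncated": None,
              "tcp_len": None, "tcp_error": None}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(timeout)
        u.sendto(query, (server, 53))
        try:
            data, _ = u.recvfrom(4096)
            report["udp_len"] = len(data)
            report["udp_truncated"] = needs_tcp_fallback(data)
        except socket.timeout:
            pass
    try:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(t, 2))
            report["tcp_len"] = len(_recv_exact(t, length))
    except (OSError, ConnectionError) as exc:
        report["tcp_error"] = str(exc)
    return report


if __name__ == "__main__":
    import sys
    # usage: python probe.py 190.60.118.11 www.gov.co
    print(probe_server(sys.argv[1], sys.argv[2]))
```

If `udp_truncated` comes back True and `tcp_error` is set, the server matches the diagnosis in the post above: the 539-byte NODATA answer cannot be delivered to a 512-byte UDP client, and the TCP retry that should rescue it never completes. Adding EDNS0 would hide the symptom for clients that advertise a larger buffer, but a resolver that caps UDP at 512 bytes still needs working TCP.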

https://dnsviz.net/d/www.gov.co/dnssec/
shows an NS: acadcpr30.mcdmintic.local
That should probably NOT be shown on the public side.


is even worse:

gov.co has a CNAME record pointing to www.gov.co. It’s unusual but valid.

Yes “I” saw that - but it seems that “others” don’t look as closely nor like what they see.
