Good morning (well, for me) @jsha & @LeonA, it was a mystery to me how I had 2 other sites with Netregistry and they had worked fine about 2 weeks ago and then this week my main domain would not! But I would say your guess “My guess is that something changed routing-wise, and this went from an “everyone” problem to a “sometimes” problem.” is spot on, as my main domain vpscloud.biz has gone through fine this morning! Let's hope it will renew fine in the future!
I’ve now renewed 4. The mobile one (m.domainname.com.au) initially failed just now, but worked when I tried again. The other three worked straight up today.
I can also confirm that all of the domains that were failing DV renewal due to CAA check via UDP have successfully passed and their respective certs renewed.
Looks like we may not be completely out of the woods yet.
I have a new case that popped up today for domains hosted by ezyreg.com, another Netregistry reseller.
The same CAA via UDP timeout issue remains there.
Here’s the example…
This CAA check via UDP fails with timeout
dig CAA drumdigital.com.au. @ns-1.ezyreg.com. +notcp
; <<>> DiG 9.10.2 <<>> CAA drumdigital.com.au. @ns-1.ezyreg.com. +notcp
;; global options: +cmd
;; connection timed out; no servers could be reached
This CAA check via TCP works
dig CAA drumdigital.com.au. @ns-1.ezyreg.com. +tcp
; <<>> DiG 9.10.2 <<>> CAA drumdigital.com.au. @ns-1.ezyreg.com. +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33240
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
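The dig pair above shows the failure mode in one shot, but it is handy to have a small probe that sends the same CAA question to one authoritative server over both transports and reports the difference. The script below is an added example and not something posted in this thread or shipped by Let's Encrypt; it uses only the Python standard library (raw DNS wire format over sockets, no dnspython), sends with RD=0 the way an iterative resolver does, and parses the header flags so you can see whether an answer was authoritative or truncated (TC). The nameserver and domain in the `__main__` block and in `build_sample_response` are the ones from the post above, but the sample response itself is constructed for the offline self-check, not captured from ns-1.ezyreg.com.

```python
"""Probe one authoritative server for CAA over UDP and TCP (added example)."""
import random
import socket
import struct

CAA_TYPE = 257   # RR type code for CAA (RFC 8659)
CLASS_IN = 1
DNS_PORT = 53


def build_query(name, qtype=CAA_TYPE, txid=None, rd=False):
    """Wire-format query for `name`; rd=False mimics an iterative resolver."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, resume, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if resume is None:
                resume = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (resume if resume is not None else off)


def parse_response(msg, expect_txid=None):
    """Parse header flags and pull out every CAA record in the message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                             # skip question section
        _, off = _read_name(msg, off)
        off += 4
    caa = []
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == CAA_TYPE:
            taglen = rdata[1]
            caa.append((name, rdata[0], rdata[2:2 + taglen].decode("ascii"),
                        rdata[2 + taglen:].decode("utf-8")))
    return {"txid": txid, "rcode": flags & 0xF,
            "truncated": bool(flags & 0x0200),
            "authoritative": bool(flags & 0x0400),
            "answer_count": an, "caa": caa}


def query_udp(server, name, timeout=5.0):
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        data, _ = s.recvfrom(4096)
    return parse_response(data, struct.unpack("!H", q[:2])[0])


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP stream early")
        buf += chunk
    return buf


def query_tcp(server, name, timeout=5.0):
    q = build_query(name)
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)     # TCP DNS is length-prefixed
        data = _recv_exact(s, struct.unpack("!H", _recv_exact(s, 2))[0])
    return parse_response(data, struct.unpack("!H", q[:2])[0])


def probe(server, name):
    """Try both transports; a timeout is reported instead of raised."""
    out = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            out[transport] = fn(server, name)
        except (socket.timeout, OSError) as exc:
            out[transport] = {"error": repr(exc)}
    return out


def build_sample_response(txid=0x1234):
    """Constructed reply (not captured): one 'issue letsencrypt.org' CAA RR."""
    q = build_query("drumdigital.com.au", txid=txid, rd=True)
    header = struct.pack("!HHHHHH", txid, 0x8500, 1, 1, 0, 0)  # QR, AA, RD set
    rdata = bytes([0, 5]) + b"issue" + b"letsencrypt.org"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", CAA_TYPE, CLASS_IN, 300, len(rdata))
    return header + q[12:] + rr + rdata


if __name__ == "__main__":
    import json
    import sys
    ns, dom = sys.argv[1:3]          # e.g. ns-1.ezyreg.com drumdigital.com.au
    print(json.dumps(probe(ns, dom), indent=2))
```

Run it as `python3 caaprobe.py ns-1.ezyreg.com drumdigital.com.au` against each NS for the zone. A `udp` entry carrying `"error": "timeout(...)"` next to a `tcp` entry with `"rcode": 0` reproduces the post above and points at UDP/53 being dropped somewhere between the CA's resolver and the nameserver, rather than at the zone data; an authoritative answer with `answer_count` 0 and no `caa` entries is simply "no CAA record" and is not a failure. The `truncated` flag is there because a UDP reply with TC set is the only case in which a resolver like Unbound retries the question over TCP.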
Revisiting this thread, I wanted to update the above statement, which I discovered is inaccurate. Unbound never falls back to TCP due to timeouts, only when it receives a truncated ANSWER. See this reply I got on the Unbound mailing list: Trust rules and DNSSEC signatures