So it's a "register on the third level" situation, ok. Understood.
Good point. Thanks!
Just checked - same issue
So here's an interesting data point:
msk.ru are DNSSEC-signed, whereas
ekb.ru aren't. So the problem people are seeing seems to related to that, though it could just be that DNSSEC signatures make for larger packets and more chances for things to go wrong.
When I used manual mode certbot for renew certificate in .spb.ru zone
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems: Domain: acu-docs.iac.spb.ru Type: dns Detail: DNS problem: looking up CAA for spb.ru: DNSSEC: Bogus
I do not have dnssec set for my domain, though
Certificate renewal is working now.
I checked on acu-docs.iac.spb.ru.
The problem was related to protection against DDOS attacks.
My domain names have also been renewed. It's great that the problem is gone.
Yes, things are good now.
confirm - renewal's now working! thanks all of you!
I'm still seeing the inconsistent case echoing from the
.ru name server.
If so, I'm guessing that what was happening was that the logic in Unbound to deal with servers that don't always echo the case does in fact work for these servers, but when some queries got dropped by whatever this protection was, that it would try some other fallback and so that's what we'd see in the logs, when the real problem was just that the queries weren't being responded to.
I'm certainly glad that whatever the server configuration was that was blocking queries got sorted out for you, though.
I can confirm on a successful renewal as well.
thanks everyone for cooperation and support.