DNS problem: query timed out looking up TXT

9peppe · September 18, 2023, 12:51am

So it's a "register on the third level" situation, ok. Understood.

PaulStogov · September 18, 2023, 2:41am

Yeah, something like this. Both spb.ru and msk.ru having now troubles which are like two major regional subdomains. No offence to nsk.ru and ekb.ru! Will move to .xyz.

letsuser · September 18, 2023, 5:42am

Good point. Thanks!

Just checked - same issue

petercooperjr · September 18, 2023, 12:37pm

So here's an interesting data point: spb.ru and msk.ru are DNSSEC-signed, whereas nsk.ru and ekb.ru aren't. So the problem people are seeing seems to related to that, though it could just be that DNSSEC signatures make for larger packets and more chances for things to go wrong.

spbima · September 19, 2023, 7:48am

When I used manual mode certbot for renew certificate in .spb.ru zone

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: acu-docs.iac.spb.ru
  Type:   dns
  Detail: DNS problem: looking up CAA for spb.ru: DNSSEC: Bogus

pavelkim · September 19, 2023, 9:03am

Could you try to run dnssec-analyzer.verisignlabs.com against your domain name?
for mine it says All Queries to d.dns.ripn.net for spb.ru/DS timed out or failed on the spb.ru stage.

letsuser · September 19, 2023, 9:54am

I do not have dnssec set for my domain, though

spbima · September 19, 2023, 11:20am

Certificate renewal is working now.
I checked on acu-docs.iac.spb.ru.
The problem was related to protection against DDOS attacks.

LexBart · September 19, 2023, 11:41am

My domain names have also been renewed. It's great that the problem is gone.

wNRol · September 19, 2023, 1:26pm

Yes, things are good now.

letsuser · September 19, 2023, 1:36pm

confirm - renewal's now working! thanks all of you!

petercooperjr · September 19, 2023, 1:51pm

I'm still seeing the inconsistent case echoing from the .ru name server.

If so, I'm guessing that what was happening was that the logic in Unbound to deal with servers that don't always echo the case does in fact work for these servers, but when some queries got dropped by whatever this protection was, that it would try some other fallback and so that's what we'd see in the logs, when the real problem was just that the queries weren't being responded to.

I'm certainly glad that whatever the server configuration was that was blocking queries got sorted out for you, though.

pavelkim · September 19, 2023, 1:57pm

I can confirm on a successful renewal as well.
thanks everyone for cooperation and support.