DNS problem: SERVFAIL looking up A for 0x7175616e.com


#1
; <<>> DiG 9.10.3-P4-Debian <<>> @208.67.222.222 0x7175616e.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64533
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;0x7175616e.com.			IN	A

;; ANSWER SECTION:
0x7175616e.com.		3600	IN	A	210.140.71.223

;; Query time: 226 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Feb 10 15:35:41 JST 2017
;; MSG SIZE  rcvd: 59

Please fill out the fields below so we can help you better.

My domain is:
0x7175616e.com

I ran this command:
certbot certonly --standalone --test-cert -d 0x7175616e.com

It produced this output:
Failed authorization procedure. 0x7175616e.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for 0x7175616e.com

My operating system is (include version):
Linux idcf-[–snipped–]didcfcloud.internal 4.9.0-1-amd64 #1 SMP Debian 4.9.6-3 (2017-01-28) x86_64 GNU/Linux

My web server is (include version):
N/A

My hosting provider, if applicable, is:
IDCF.jp

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
yes.


#2

OpenDNS (208.67.222.222) does not validate DNSSEC. Let’s Encrypt’s resolvers do. The zone has DNSSEC issues that will need to be fixed:

http://dnsviz.net/d/0x7175616e.com/dnssec/
http://dnssec-debugger.verisignlabs.com/0x7175616e.com

Edit: Last i heard, Google Cloud DNS had DNSSEC support in alpha:

https://groups.google.com/d/msg/cloud-dns-announce/c7MD0CslHaM/5xf6RXLdCQAJ


#3

Thanks for the feed! I have reached out Google Cloud DNS support later that day, they weren’t able to do anything. Looks like this is a good chance!


#4

You and Google are the only people who can fix it. It’s your account and their systems. If you want to zap the DS record and disable DNSSEC, there ought to be a button for it.

I Googled it and found some documentation about adding DS records at Google Domains. Removing them should be similar.

https://support.google.com/domains/answer/3290309?hl=en


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.