DNS problem: SERVFAIL looking up A for da3.chmurka.pl

Similar to other problems reported with DNS resolver on Let’s Encrypt, I can’t figure out why A lookup fails for this domain.

I’ve tested from multiple geographical locations against the primary DNS (from SOA), which is ns1.chmurka.pl, and it never failed. It is strange to see SERVFAIL - it would imply that it is NOT a connection error (which could be temporary).

 - The following errors were reported by the server:

   Domain: da3.chmurka.pl
   Type:   connection
   Detail: DNS problem: SERVFAIL looking up A for da3.chmurka.pl

I proceeded to capture traffic to ns1.chmurka.pl relevant to this domain name. Here is the pcap file. All the queries are answered with NOERROR.
I have no idea where LE takes the SERVFAIL from.

Hello @dasp,

I can see your DNS servers always return a lowercase response. Let’s Encrypt uses the Unbound resolver to check your domain, and this resolver uses randomly mixed-case queries (because it adds entropy to the query to avoid spoofing), so it expects your server to respond with the same case.

I mean, right now a query to dA3.cHMurkA.pL returns this:

dig @ns1.chmurka.pl dA3.cHMurkA.pL

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @ns1.chmurka.pl dA3.cHMurkA.pL
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56910
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;da3.chmurka.pl.                        IN      A

;; ANSWER SECTION:
da3.chmurka.pl.         300     IN      A       198.27.127.55

;; AUTHORITY SECTION:
chmurka.pl.             300     IN      NS      ns1.chmurka.pl.
chmurka.pl.             300     IN      NS      ns2.chmurka.pl.

;; ADDITIONAL SECTION:
ns1.chmurka.pl.         300     IN      A       37.187.89.68
ns1.chmurka.pl.         300     IN      AAAA    2001:41d0:a:3144::
ns2.chmurka.pl.         300     IN      A       37.187.31.139
ns2.chmurka.pl.         300     IN      AAAA    2001:41d0:a:1f8b::

;; Query time: 5 msec
;; SERVER: 37.187.89.68#53(37.187.89.68)
;; WHEN: Wed Apr 27 00:45:39 CEST 2016
;; MSG SIZE  rcvd: 282

But it should respond like this (same case as query):

dig @ns1.chmurka.pl dA3.cHMurkA.pL

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> @ns1.chmurka.pl dA3.cHMurkA.pL
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56910
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dA3.cHMurkA.pL.                        IN      A

;; ANSWER SECTION:
dA3.cHMurkA.pL.         300     IN      A       198.27.127.55

;; AUTHORITY SECTION:
chmurka.pl.             300     IN      NS      ns1.chmurka.pl.
chmurka.pl.             300     IN      NS      ns2.chmurka.pl.

;; ADDITIONAL SECTION:
ns1.chmurka.pl.         300     IN      A       37.187.89.68
ns1.chmurka.pl.         300     IN      AAAA    2001:41d0:a:3144::
ns2.chmurka.pl.         300     IN      A       37.187.31.139
ns2.chmurka.pl.         300     IN      AAAA    2001:41d0:a:1f8b::

;; Query time: 5 msec
;; SERVER: 37.187.89.68#53(37.187.89.68)
;; WHEN: Wed Apr 27 00:45:39 CEST 2016
;; MSG SIZE  rcvd: 282

I hope this helps.

Cheers,
sahsanu


Interesting, I’ve always assumed DNS is case-insensitive. That most likely will fix the problem but I’ll test before marking as solved. Thanks!

EDIT: So it seems it’s enough to return the “Question name” in the same case, the answer itself may be lowercase. All fixed now.

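The case-echo check discussed in this thread, as an added example that is not part of the original posts: it builds a mixed-case query, reads the question name back from a reply byte-for-byte, and classifies the reply. All function names are hypothetical, and `fake_response` builds constructed replies in-process (no network traffic) that stand in for a case-preserving server and for one that lowercases the question.

```python
import random
import struct

def randomize_case(name, rng=random):
    """Flip each letter's case at random, as a mixed-case-query resolver does."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)

def build_query(name, qid, qtype=1):
    """Minimal DNS query (RD set, one question, class IN); case kept as given."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def question_name(msg):
    """QNAME of the first question, byte-for-byte as it appears on the wire."""
    labels, pos = [], 12          # the question section follows the 12-byte header
    while msg[pos] != 0:          # assumes an uncompressed first QNAME
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def check_response(query, response):
    """Compare the echoed question with the one sent, case-sensitively."""
    if response[:2] != query[:2]:
        return "id-mismatch"
    sent, got = question_name(query), question_name(response)
    if sent == got:
        return "ok"
    if sent.lower() == got.lower():
        return "case-not-preserved"   # the situation described in this thread
    return "name-mismatch"

def fake_response(query, lowercase):
    """Constructed reply (QR, AA, RD set) that echoes the question section."""
    question = query[12:]
    if lowercase:
        # bytes.lower() only touches A-Z; label lengths (<= 63) and the
        # type/class bytes are outside that range and stay intact.
        question = question.lower()
    return query[:2] + struct.pack("!H", 0x8500) + query[4:12] + question

if __name__ == "__main__":
    for name in ("dA3.cHMurkA.pL", randomize_case("da3.chmurka.pl")):
        q = build_query(name, qid=56910)
        for lowercase in (False, True):
            r = fake_response(q, lowercase)
            print(question_name(q), "->", question_name(r), ":", check_response(q, r))
```
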
