DNS problem: SERVFAIL looking up A for www.rnelnet.com DNSSEC issue?

So I’ve been having problems renewing my letsencrypt certs for a while. I’ve read the forum and it seems like it could be a DNSSEC + certbot issue, however I’m not able to determine what. When I check out my DNSSEC settings on erisignlabs.com/www.rnelnet.com everything is green.

Can someone help out?

Info filled below

My domain is: rnelnet.com

I ran this command: letsencrypt renew -a standalone

It produced this output:

My web server is (include version): apache - I stop the service first

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Ovh

I can login to a root shell on my machine (yes or no, or I don’t know): yup

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Here is the full output:
–snip cmd line–
[root@ca renewal]# letsencrypt renew -a standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.rnelnet.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rnelnet.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for rnelnet.com
http-01 challenge for www.rnelnet.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (rnelnet.com) from /etc/letsencrypt/renewal/rnelnet.com.conf produced an unexpected error: Failed authorization procedure. www.rnelnet.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: SERVFAIL looking up A for www.rnelnet.com, rnelnet.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: SERVFAIL looking up A for rnelnet.com. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.rnelnet.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.rnelnet.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (www.rnelnet.com) from /etc/letsencrypt/renewal/www.rnelnet.com.conf produced an unexpected error: Failed authorization procedure. www.rnelnet.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: SERVFAIL looking up A for www.rnelnet.com. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rnelnet.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.rnelnet.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mail.rnelnet.com/fullchain.pem expires on 2019-10-28 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rnelnet.com/fullchain.pem (failure)
  /etc/letsencrypt/live/www.rnelnet.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.rnelnet.com
   Type:   connection
   Detail: dns :: DNS problem: SERVFAIL looking up A for
   www.rnelnet.com

   Domain: rnelnet.com
   Type:   connection
   Detail: dns :: DNS problem: SERVFAIL looking up A for rnelnet.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: www.rnelnet.com
   Type:   connection
   Detail: dns :: DNS problem: SERVFAIL looking up A for
   www.rnelnet.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

--end cmd--

Hi @damic

that's curious.

Dnssec-analyzer is happy - DNSSEC Analyzer - rnelnet.com - all is green.

rnelnet.com
Found 6 DS records for rnelnet.com in the com zone
DS=22548/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
DS=22548/SHA-1 has algorithm RSASHA1-NSEC3-SHA1
DS=13689/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
DS=13689/SHA-1 has algorithm RSASHA1-NSEC3-SHA1
DS=13173/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
DS=13173/SHA-1 has algorithm RSASHA1-NSEC3-SHA1
Found 1 RRSIGs over DS RRset
RRSIG=17708 and DNSKEY=17708 verifies the DS RRset
Found 6 DNSKEY records for rnelnet.com
DS=22548/SHA-256 verifies DNSKEY=22548/SEP
DS=13689/SHA-256 verifies DNSKEY=13689/SEP
DS=13173/SHA-256 verifies DNSKEY=13173/SEP
Found 6 RRSIGs over DNSKEY RRset
RRSIG=13173 and DNSKEY=13173/SEP verifies the DNSKEY RRset
rnelnet.com A RR has value 158.69.221.157
Found 3 RRSIGs over A RRset
RRSIG=54965 and DNSKEY=54965 verifies the A RRset

My tool isn't happy - https://check-your-website.server-daten.de/?q=rnelnet.com

rnelnet.com 6 DS RR in the parent zone found
1 RRSIG RR to validate DS RR found
Algorithm: 8, 2 Labels, original TTL: 86400 sec, Signature-expiration: 16.08.2019, 04:30:35, Signature-Inception: 09.08.2019, 03:20:35, KeyTag 17708, Signer-Name: com
• Status: Good - Algorithmus 8 and DNSKEY with KeyTag 17708 used to validate the DS RRSet in the parent zone
0 DNSKEY RR found
Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 13173, DigestType 1, Digest BzsMTRgckKJvLSG6B7aBGh174mk=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 13173, DigestType 2, Digest 1gSzvRFXFm5PQGZIqZ4jH/V4m+iDPiS7o6/CWBlrfrE=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 13689, DigestType 1, Digest WassBSfptVtAbrvBAO1NxN+/cAQ=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 13689, DigestType 2, Digest lJOUVFQnC6grUIs5hmzLFRqRGUm4EGmchvYnqOAgsZk=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 22548, DigestType 1, Digest sisr7JxJDj+EcRg/XIwrbBjgDQ4=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.
Fatal error: Parent zone has a signed DS RR (Algorithm 7, KeyTag 22548, DigestType 2, Digest 15Vp/8m06P1TrY8FG949H9+V0EtNy7tIEBu0kNInMFg=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

The tool can't find a DNSKEY, so it's impossible to create a chain of trust.

Unboundtest (Letsencrypt uses an unbound-instance with the same configuration) reports the same problem:

https://unboundtest.com/m/A/rnelnet.com/QMD6VJXT

Query results for A rnelnet.com

Response:
;; opcode: QUERY, status: SERVFAIL, id: 37643
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

So it can't work.

Looks like your DNSSEC is broken. That blocks Letsencrypt.

So

  • fix your DNSSEC (or)
  • remove the DS in the parent zone
1 Like

You have the same problem as this thread:

(.com and .edu run on the same DNS infrastructure.)

You're not doing anything invalid, but a corner case in the DNS protocol, and the design of the authoritative and recursive DNS servers involved, means it doesn't work.

$ dig +dnssec +norecurse +bufsize=512 @h.gtld-servers.net. rnelnet.com

; <<>> DiG 9.15.1-Ubuntu <<>> +dnssec +norecurse +bufsize @h.gtld-servers.net. rnelnet.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31734
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 10, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;rnelnet.com.                   IN      A

;; AUTHORITY SECTION:
rnelnet.com.            172800  IN      NS      ns.rnelnet.com.
rnelnet.com.            172800  IN      NS      ns1.rnelnet.com.
rnelnet.com.            172800  IN      NS      ns2.rnelnet.com.
rnelnet.com.            86400   IN      DS      22548 7 2 D79569FFC9B4E8FD53AD8F051BDE3D1FDF95D04B4DCBBB48101BB490 D2273058
rnelnet.com.            86400   IN      DS      22548 7 1 B22B2BEC9C490E3F8471183F5C8C2B6C18E00D0E
rnelnet.com.            86400   IN      DS      13689 7 2 9493945454270BA82B508B39866CCB151A911949B810699C86F627A8 E020B199
rnelnet.com.            86400   IN      DS      13689 7 1 59AB2C0527E9B55B406EBBC100ED4DC4DFBF7004
rnelnet.com.            86400   IN      DS      13173 7 2 D604B3BD1157166E4F406648A99E231FF5789BE8833E24BBA3AFC258 196B7EB1
rnelnet.com.            86400   IN      DS      13173 7 1 073B0C4D181C90A26F2D21BA07B6811A1D7BE269
rnelnet.com.            86400   IN      RRSIG   DS 8 2 86400 20190816043035 20190809032035 17708 com. r+yL8SjhNyBMOc3aP7DT2VMT+l8uzC6H6zswYMVosJI99SF5k3p/OV/7 uvJlFJVNB3U+5+7SyVOfyr3sC33xt1FdgkCZfquQfJYH99rjwo5wpdzj WqH9SHDq1gh80UzQmvFn0Nvb5WeEKpYeIRBQjpqFAMXiOARLabe/caRY E6A=

;; Query time: 117 msec
;; SERVER: 2001:502:8cc::30#53(2001:502:8cc::30)
;; WHEN: Fri Aug 09 21:52:31 UTC 2019
;; MSG SIZE  rcvd: 508

You can follow the same workaround as given in that thread -- delete some of your DS or NS records, or add even more.

I'd suggest getting rid of the SHA-1 DS records. They're useless for most purposes.

Edit: You could also use DNS servers in a different domain or TLD.

(P.S.: It's not invalid, but your DNSKEY response is huge. You should consider deleting some of them, or using a DNS server that doesn't sign with ZSKs, or using smaller keys, or using ECDSA.)

(P.P.S.: .com is going to start using a bigger ZSK soon. That might inadvertently solve your problem; I haven't done the math to check, though.)

2 Likes
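To make the "corner case" above concrete, here is a small estimator (added here, not code from the thread or from Let's Encrypt) that approximates the wire size of the .com referral for a zone and checks whether glue for in-bailiwick name servers still fits once a resolver has fallen back to a 512-byte EDNS buffer. It assumes standard name compression, a 128-byte RRSIG (the 1024-bit .com ZSK of the time), and that the failure mode is exactly that glue drop: the dig reply above is 508 bytes with ADDITIONAL: 1, i.e. only the OPT record and no glue for ns/ns1/ns2.rnelnet.com.

```python
HEADER = 12        # DNS message header
OPT_RR = 11        # empty OPT pseudo-record (root name + fixed fields)
FIXED_RR = 10      # type, class, TTL, rdlength of any RR
PTR = 2            # compression pointer to a name sent earlier in the message

def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a dotted name, root label included."""
    labels = [lbl for lbl in name.strip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1

def referral_size(zone, ns_hosts, ds_digest_lens, rrsig_len=128, glue=True):
    """Approximate wire size of the parent's signed referral for `zone`.

    Owner names and the 'com.' signer name are assumed compressed; NS targets
    under `zone` are sent as their leading labels plus a pointer; glue A RRs
    are counted only for in-bailiwick name servers (the ones that need glue).
    """
    in_zone = [h for h in ns_hosts if h.endswith("." + zone)]
    size = HEADER + wire_name_len(zone) + 4 + OPT_RR          # question + OPT
    for host in ns_hosts:                                      # NS RRset
        if host in in_zone:
            prefix = host[: -len(zone) - 1]                    # e.g. "ns1"
            rdata = wire_name_len(prefix) - 1 + PTR            # labels + pointer
        else:
            rdata = wire_name_len(host)
        size += PTR + FIXED_RR + rdata
    for dlen in ds_digest_lens:                                # DS RRset
        size += PTR + FIXED_RR + 4 + dlen                      # keytag+alg+dtype+digest
    size += PTR + FIXED_RR + 18 + PTR + rrsig_len              # RRSIG over the DS RRset
    if glue:
        size += len(in_zone) * (PTR + FIXED_RR + 4)            # one A RR per in-zone NS
    return size

def glue_fits(zone, ns_hosts, ds_digest_lens, bufsize=512):
    """True if the referral still carries glue within a `bufsize`-byte reply."""
    return referral_size(zone, ns_hosts, ds_digest_lens, glue=True) <= bufsize

# Constructed from the dig output in this thread: three in-bailiwick NS,
# three key tags each published as SHA-256 (32-byte) and SHA-1 (20-byte) DS.
ZONE = "rnelnet.com"
NS_HOSTS = ["ns.rnelnet.com", "ns1.rnelnet.com", "ns2.rnelnet.com"]
DS_ALL = [32, 20, 32, 20, 32, 20]
DS_SHA256_ONLY = [32, 32, 32]

if __name__ == "__main__":
    for label, ds in (("6 DS (SHA-256 + SHA-1)", DS_ALL), ("3 DS (SHA-256 only)", DS_SHA256_ONLY)):
        without = referral_size(ZONE, NS_HOSTS, ds, glue=False)
        with_glue = referral_size(ZONE, NS_HOSTS, ds, glue=True)
        print(f"{label}: {without} B without glue, {with_glue} B with glue, "
              f"glue fits in 512: {glue_fits(ZONE, NS_HOSTS, ds)}")
```

With all six DS records the referral is already ~505 bytes before glue, so the three glue A records cannot fit in 512 bytes; dropping the SHA-1 DS records brings it to ~445 bytes with glue. The estimator does not model the other workaround in the reply above (growing the referral past 512 bytes so it is truncated and retried over TCP).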

I first attempted to add a bunch, all the DS records that were older, which didn’t work.

I then removed all DS records except for the one I just created and then resigned my domain. Waited a few days and everything worked fine.

Weird error. Not enough return data to include the A records when looking up the domain with DNSSEC enabled.

Thanks for your help guys.

1 Like
