DNS problem: SERVFAIL looking up A

My domain is: desguacebizkaia.com.es

I ran this command: certbot certonly --webroot -w /path/to/web/root -d desguacebizkaia.com.es,www.desguacebizkaia.com.es

It produced this output:
Failed authorization procedure. desguacebizkaia.com.es (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for desguacebizkaia.com.es, www.desguacebizkaia.com.es (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.desguacebizkaia.com.es

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: desguacebizkaia.com.es
  Type: None
  Detail: DNS problem: SERVFAIL looking up A for
  desguacebizkaia.com.es

  Domain: www.desguacebizkaia.com.es
  Type: None
  Detail: DNS problem: SERVFAIL looking up A for
  www.desguacebizkaia.com.es

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): Ubuntu 14.04.6

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

dig A desguacebizkaia.com.es @8.8.8.8

; <<>> DiG 9.11.3-1ubuntu1.9-Ubuntu <<>> A desguacebizkaia.com.es @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15883
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;desguacebizkaia.com.es. IN A

;; ANSWER SECTION:
desguacebizkaia.com.es. 3599 IN A 52.58.37.23

;; Query time: 153 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 17 12:04:28 EEST 2019
;; MSG SIZE rcvd: 67

Something is wrong with the Register.com nameservers, but I’m not sure what.

Similar results from other domains sharing those nameservers (dns1.register.com, dns2.register.com):

• 123seek.com - https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/15330497
• reinventions.net - https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/15330746

DNSViz also thinks they’re often failing to respond:

https://dnsviz.net/d/desguacebizkaia.com.es/dnssec/

It also notices that the domain’s NS records are inconsistent. That won’t automatically break anything – assuming all six nameservers work – but it should be fixed.

Hi @denis.sh

there is the same problem, seen in an older topic (this week). Different name servers.

Then checked manual

D:\temp>nslookup -type=NS desguacebizkaia.com.es. fnicdos.rediris.es.
desguacebizkaia.com.es nameserver = dns1.register.com
desguacebizkaia.com.es nameserver = dns2.register.com

A com.es nameserver says: "Ask dns1.register.com".

But that server says: Ask these ...

D:\temp>nslookup -type=NS desguacebizkaia.com.es. dns1.register.com.
desguacebizkaia.com.es nameserver = dns237.c.register.com
desguacebizkaia.com.es nameserver = dns176.d.register.com
desguacebizkaia.com.es nameserver = dns244.a.register.com
desguacebizkaia.com.es nameserver = dns159.b.register.com

And again: Unboundtest is happy:

https://unboundtest.com/m/A/desguacebizkaia.com.es/HZLCZ2OH

Letsencrypt uses the same configuration.

The older topic:

Same question: That looks buggy, but I don't know if such a name server configuration is allowed.

Regarding the mismatching NS records, 123seek.com does not have that problem, but it still produces the SERVFAIL (alternating with timeouts).

So there is something else going on, or at least, in addition to.

Maybe Register.com is using anycast and has regional issues? Or they have very enthusiastic rate limiting? Or there’s a routing issue with Let’s Encrypt or Register.com or an intermediate ISP?

Edit: Nevermind, I can’t read.

Seems like whatever issues were plaguing register.com yesterday are now gone - Let’s Encrypt can validate all the domains now.

Can confirm the issues we were having with register.com are gone, and were able to get Let’s Encrypt to validate.

Today we don’t have issues with obtaining Letsencrypt certificates for Register.com domains.

2 posts were split to a new topic: DNS problem: SERVFAIL looking up A

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.