DNS problem : SERVFAIL looking up A

Hello,
I am new to LE and my problem seems to be similar to other DNS validation problems.
However, I cannot manage to find the problem. Here is the error message:

Failed authorization procedure. liris.lemni.top (tls-sni-01): urn:acme:error:connection :: The server could not connect      to  the client to verify the domain :: DNS problem: SERVFAIL looking up A for liris.lemni.top

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: liris.lemni.top
   Type:   connection
   Detail: DNS problem: SERVFAIL looking up A for liris.lemni.top

I also read that it could be linked to uppercase and lowercase letters, but that does not seem to be the case here:

dig LiRiS.lEmNi.top

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> LiRiS.lEmNi.top
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31983
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;LiRiS.lEmNi.top.               IN      A

;; ANSWER SECTION:
LiRiS.lEmNi.top.        1864    IN      A       92.222.88.135

;; AUTHORITY SECTION:
lEmNi.top.              1864    IN      NS      dns16.ovh.net.
lEmNi.top.              1864    IN      NS      ns16.ovh.net.

;; ADDITIONAL SECTION:
ns16.ovh.net.           81652   IN      A       213.251.128.135
ns16.ovh.net.           83416   IN      AAAA    2001:41d0:1:1987::1
dns16.ovh.net.          81652   IN      A       213.251.188.135
dns16.ovh.net.          40578   IN      AAAA    2001:41d0:1:4a87::1

;; Query time: 11 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Mon Jun 13 16:41:28 2016
;; MSG SIZE  rcvd: 183

I don’t really have any clue that can help me there…


It all fails for me I’m afraid


# dig LiRiS.lEmNi.top

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> LiRiS.lEmNi.top
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3728
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;LiRiS.lEmNi.top.		IN	A

;; Query time: 1 msec
;; SERVER: 209.208.127.65#53(209.208.127.65)
;; WHEN: Mon Jun 13 14:58:05 UTC 2016
;; MSG SIZE  rcvd: 44


# dig LiRiS.lEmNi.top @dns16.ovh.net

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> LiRiS.lEmNi.top @dns16.ovh.net
;; global options: +cmd
;; connection timed out; no servers could be reached

# dig LiRiS.lEmNi.top @ns16.ovh.net

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> LiRiS.lEmNi.top @ns16.ovh.net
;; global options: +cmd
;; connection timed out; no servers could be reached

dig LiRiS.lEmNi.top @8.8.8.8

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> LiRiS.lEmNi.top @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2108
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;LiRiS.lEmNi.top.		IN	A

;; Query time: 2060 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jun 13 16:15:50 UTC 2016
;; MSG SIZE  rcvd: 44


It seems logical anyway.
Can you try with lemni.top, just for information?

Any idea which bad configuration could cause that?

Same issue with lemni.top.

If ns16.ovh.net and dns16.ovh.net are the authoritative nameservers (which it looks as if they should be), they aren’t responding. If they don’t respond, then Google (8.8.8.8) or anyone else that requests the IP address from the authoritative nameservers can’t get it … hence the failure.

The thing I don’t understand here is that I do get an answer when I try with mxtoolbox.

Maybe there is something I don’t get about this problem?

Google public DNS resolves that host fine. And it does seem to work against the listed servers too. It looks like those might not be reachable from some places though.

As for case sensitivity, the names are case insensitive (see RFC). What you probably heard about case sensitivity could be related to so-called “0x20 Bit encoding”. What it effectively does is mix the case of your name in the query and verify that the case is maintained in the response (to prevent spoofing to some extent). The nameservers you have listed maintain the case, so that should not cause issues even if this technique is used.
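The 0x20 check described in the reply above, as an added example that is not part of the original thread. It uses the standard DNS wire format for the query and the echoed question; `fake_response` and the transaction ID are constructed for the demo, and nothing is sent over the network.

```python
import random
import struct

def encode_0x20(name, rng):
    """Randomly flip the case of each ASCII letter in a DNS name."""
    return "".join(
        (c.upper() if rng.getrandbits(1) else c.lower()) if c.isalpha() else c
        for c in name)

def build_query(name, txid, qtype=1):
    """Build a minimal DNS query: RD set, one question, class IN, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, flags, qname); the case of qname is kept exactly as received."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return txid, flags, ".".join(labels)

def accept_response(query, response):
    """Accept only a response whose ID and question name match the query byte for byte."""
    q_id, _, q_name = parse_question(query)
    r_id, r_flags, r_name = parse_question(response)
    is_response = bool(r_flags & 0x8000)  # QR bit must be set
    return is_response and q_id == r_id and q_name == r_name

def fake_response(query, rcode=0, lowercase=False):
    """Constructed responder for the demo: echoes the question, optionally lowercased."""
    body = query[12:].lower() if lowercase else query[12:]
    return query[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 0, 0, 0) + body

if __name__ == "__main__":
    q = build_query(encode_0x20("liris.lemni.top", random.SystemRandom()), 0x1234)
    print(accept_response(q, fake_response(q)), parse_question(q)[2])
```

A server that preserves the case passes the check whatever RCODE it returns, so a SERVFAIL like the one in this thread is not explained by 0x20 encoding.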

I don’t manage the servers ns16 and dns16; they are controlled by my server host. Is there anything I can do?
I don’t really see why some places can reach them and some places can’t…

If name servers are not reachable, it is normally because of (temporary) routing issues between where the query is sent from and those servers. It is rather unlikely for name servers of a large hoster to go down. Usually the issue gets resolved by itself.

However, if it becomes repeatedly unstable, then you can just switch the nameservers to a more reliable provider (they don’t have to be with your registrar or hoster). There are plenty of free DNS hosting providers - just google free dns hosting.

It seems weird that their servers wouldn’t be efficient. I found a French man who made a tutorial explaining how he configured LE on the same configuration with the same server hosting.

I will try to wait a bit, and if necessary I will change my DNS hosting.
I will mark this subject solved later, when I am sure that it is only linked to that. Thank you for your help anyway.

Without changing anything, the certification succeeded. Thank you for your answers.
