DNS problem: SERVFAIL looking up CAA

I’m trying to renew the cert for a domain - however, it fails due to:

 - The following errors were reported by the server:

   Domain: www.lokalboligsluseholmen.dk
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up CAA for
   www.lokalboligsluseholmen.dk  - the domain's nameservers may be
   malfunctioning

However, querying all NS servers for this domain seems to work fine (i.e. there is no CAA record):

$ dig +dnssec +norecurse CAA lokalboligsluseholmen.dk @ns1.dns-reg.com
$ dig +dnssec +norecurse CAA lokalboligsluseholmen.dk @ns2.dns-reg.com
$ dig +dnssec +norecurse CAA lokalboligsluseholmen.dk @ns3.dns-reg.com
$ dig +dnssec +norecurse CAA lokalboligsluseholmen.dk @ns4.dns-reg.com

Could anyone help find me where the problem is?

Is there a firewall/IPS/or some GeoLocation blocking device in place?

Hi @tchwpkgorg

Checking your domain, there is a DNSSEC problem visible - https://check-your-website.server-daten.de/?q=lokalboligvalby.dk

Most is good. But

3 DS RR in the parent zone found

• Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 61474, DigestType 1 and Digest "jiNdpOdVp/UOzvRyzEqqm8sM7TU=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

• Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 61474, DigestType 2 and Digest "YIYI1tfFbTkyvLlIBG7SQip2olyr1BFwvYUuIgCYkso=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

• Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 61474, DigestType 4 and Digest "nCck3JW6rCwdZRCZTP5CztKAUbyGQnPACN4VpCQVJzAbDo6j+9pNZEZkHy+kaTQi" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone

That's a correct configuration. But maybe there is a timeout; one DS (the one with DigestType 2) would be enough.

Your name servers are ok, no TCP blocking. Same checked with unbound (local and via unboundtest.com). And DNSSEC is correct, there is no critical error visible.

Three DS -> large resultsets, sometimes that's the reason of timeouts.

Perhaps create a CAA with the www version to see if that helps.

PS: Sorry, that's a different domain. Must test it.

Not sure if this helps:

Yep, the https://check-your-website.server-daten.de/?q=lokalboligsluseholmen.dk is bogus:

A lot of yellow results.

15794181: CAA-Query sends a valid NSEC RR as result with the NSEC-owner "lokalboligsluseholmen.dk" equal the NextOwner "lokalboligsluseholmen.dk". So the zone confirmes that no other domain name exists.
Bitmap: A, NS, SOA, TXT, RRSIG, NSEC, DNSKEY Validated: RRSIG-Owner lokalboligsluseholmen.dk., Algorithm: 13, 2 Labels, original TTL: 3600 sec, Signature-expiration: 24.09.2020, 00:00:00 +, Signature-Inception: 03.09.2020, 00:00:00 +, KeyTag 20101, Signer-Name: lokalboligsluseholmen.dk

Status: Fatal / bogus. NoError+NoDataResult sent, the answer says, the query name exists, the NSEC covers the Query Name, but there are not enough informations about wildcards (-1): NoError - there must be a confirmed wildcard expansion to create the query name. Recalculate the zone or update the name server software. Or there is a Man in the middle, who has removed one of the required NSEC-Records, so DNSSEC works.

  • Your zone needs a refresh
  • Your name server is buggy

An NSEC with lokalboligsluseholmen.dk as Owner and NextOwner says there is no other subdomain.

But there is a wildcard, so there must be an NSEC with the wildcard as owner.

Isn't sent back -> bogus, your DNSSEC is broken.


Creating a CAA record seems to help (just checked with a different domain showing the same problem, i.e. added a CAA record to lokalboligvalby.dk, for which letsencrypt then issued a certificate).

But… I still don’t understand why letsencrypt fails to renew a cert when there is no CAA record, i.e. with lokalboligsluseholmen.dk.
I’m not getting any timeouts when querying.

Your DNSSEC is broken.

There is a wildcard:

*.lokalboligsluseholmen.dk
A
49.12.124.165

So www.lokalboligsluseholmen.dk doesn't exist directly, but exists as a wildcard expansion.

So CAA www.lokalboligsluseholmen.dk exists as a wildcard expansion with an empty result.

But to confirm that, two NSECs are required. Your name server sends only one NSEC -> status bogus.

If you create a CAA www.lokalboligsluseholmen.dk, that hides the wildcard.

PS: That's not a timeout problem (false alarm), that's a real bogus DNSSEC.


Isn't that weird if the wildcard is for an A RR? I.e., *.example.com IN A ... wouldn't result in anything with CAA records, right?

No, that's NSEC / NSEC3.

And yes, it's difficult.

If a wildcard *.example.com exists, the domain name www.example.com exists via wildcard expansion.

Then the CAA + www.example.com -> the domain name exists, so it must be a NoError (error 0) /NoData result, not a NXDOMAIN (= error 3).

But a NoError requires an NSEC that proves that www.example.com doesn't exist and a second NSEC that proves that *.example.com exists and has a Bitmap without the CAA flag (empty result).

PS: Rereading the check result I see, my interpretation is wrong.

Why: A + www.lokalboligsluseholmen.dk has the result:

RRSIG Type 1 validates the A - Result: 49.12.124.165

Validated: RRSIG-Owner www.lokalboligsluseholmen.dk., Algorithm: 13, 3 Labels, original TTL: 3600 sec, Signature-expiration: 24.09.2020, 00:00:00 +, Signature-Inception: 03.09.2020, 00:00:00 +, KeyTag 20101, Signer-Name: lokalboligsluseholmen.dk

The query has 3 labels, the RRSIG Label field = 3, so www.lokalboligsluseholmen.dk exists directly, so the wildcard expansion isn't used. (Wildcard expansion would be visible with RRSIG Label field = 2 < query with 3 labels).

But then the NSEC is completely wrong (so the result is bogus):

CAA-Query sends a valid NSEC RR as result with the NSEC-owner "lokalboligsluseholmen.dk" equal the NextOwner "lokalboligsluseholmen.dk". So the zone confirmes that no other domain name exists.

A query www with an NSEC with owner main-domain and NextOwner = main-domain says: There exists only that domain name in the zone, nothing else. No www, no wildcard. Then, a NXDomain result is expected. But the result is a NoError/NoData -> bogus.

--

Didn't check that 3 = 3.

PS: To read:
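The two posts above describe the same validator logic from two angles: a NoError/NoData answer must either carry an NSEC that matches the query name (bitmap without the queried type), or, when the name only exists via wildcard, an NSEC that covers the query name plus a second NSEC for the wildcard; and the RRSIG Labels field tells you whether an answer was a wildcard expansion. The following script is an added example, not code from the thread or from check-your-website, that implements those checks over constructed NSEC sets modelled on the report quoted earlier (the single apex-to-apex NSEC) and on what a correct zone would send instead. The zone names are taken from the thread; the record sets, bitmaps and the helper names are assumptions made for illustration.

```python
"""Decide whether a DNSSEC NoError/NoData answer is properly proven by its NSEC records.

Added example (not from the thread). Implements the RFC 4035 §3.1.3.1 (NoData) and
§3.1.3.4 (wildcard NoData) checks, plus the RFC 4035 §5.3.4 RRSIG Labels test.
All record sets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 §6.1 ordering key: labels reversed, lowercased, compared bytewise.
    Tuple comparison makes a missing label sort first, as the RFC requires."""
    parts = [p for p in name.rstrip(".").split(".") if p]
    return tuple(p.lower().encode() for p in reversed(parts))


def label_count(name: str) -> int:
    return len(canonical_key(name))


@dataclass
class NSEC:
    owner: str
    next_owner: str
    types: frozenset  # type bitmap as a set of type mnemonics

    def matches(self, name: str) -> bool:
        return canonical_key(self.owner) == canonical_key(name)

    def covers(self, name: str) -> bool:
        """True if `name` falls strictly between owner and next owner, i.e. does not exist.
        next_owner <= owner marks the last NSEC of the chain, which wraps to the apex;
        owner == next_owner (the case in the thread) means the zone holds one name only."""
        o, n, q = canonical_key(self.owner), canonical_key(self.next_owner), canonical_key(name)
        if o < n:
            return o < q < n
        return q > o or q < n


def is_wildcard_expansion(qname: str, rrsig_labels: int) -> bool:
    """RFC 4035 §5.3.4: RRSIG Labels smaller than the owner's label count means the
    answer was synthesized from a wildcard; equal means the name exists directly."""
    return rrsig_labels < label_count(qname)


def ancestors_within(qname: str, apex: str) -> List[str]:
    """Ancestors of qname from its parent up to and including the zone apex."""
    parts = qname.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(1, len(parts) - label_count(apex) + 1)]


def validate_nodata(qname: str, qtype: str, apex: str, nsecs: List[NSEC]) -> Tuple[str, str]:
    """Return ("secure" | "bogus", reason) for a NoError/NoData answer."""
    # Case 1: qname exists directly; one NSEC matches it and its bitmap lacks qtype.
    for r in nsecs:
        if r.matches(qname):
            if qtype in r.types:
                return "bogus", f"NSEC for {qname} lists {qtype}, contradicting the empty answer"
            return "secure", f"NSEC matches {qname} and its bitmap lacks {qtype}"
    # Case 2: wildcard NoData: one NSEC must cover qname (it has no direct record) and
    # another must match *.<ancestor> with a bitmap lacking qtype.
    covering = [r for r in nsecs if r.covers(qname)]
    if not covering:
        return "bogus", f"no NSEC matches or covers {qname}"
    for anc in ancestors_within(qname, apex):
        wildcard = "*." + anc
        for r in nsecs:
            if r.matches(wildcard) and qtype not in r.types:
                return "secure", f"{qname} has no direct record; {wildcard} exists without {qtype}"
    c = covering[0]
    return "bogus", (f"NSEC {c.owner} -> {c.next_owner} proves {qname} does not exist, so NXDOMAIN "
                     "was expected, and no NSEC for a wildcard was sent")


APEX = "lokalboligsluseholmen.dk."
QNAME = "www.lokalboligsluseholmen.dk."
APEX_TYPES = frozenset({"A", "NS", "SOA", "TXT", "RRSIG", "NSEC", "DNSKEY"})

# Constructed after the quoted report: the only NSEC sent, owner equal to next owner.
APEX_ONLY = NSEC(APEX, APEX, APEX_TYPES)
# Constructed: what a correct zone with a real www name sends for CAA www.
WWW_NSEC = NSEC(QNAME, APEX, frozenset({"A", "RRSIG", "NSEC"}))
# Constructed: what a zone serving www via the wildcard sends (two NSECs).
APEX_TO_WILDCARD = NSEC(APEX, "*." + APEX, APEX_TYPES)
WILDCARD_NSEC = NSEC("*." + APEX, APEX, frozenset({"A", "RRSIG", "NSEC"}))

if __name__ == "__main__":
    print("report case   :", validate_nodata(QNAME, "CAA", APEX, [APEX_ONLY]))
    print("direct www    :", validate_nodata(QNAME, "CAA", APEX, [WWW_NSEC]))
    print("wildcard www  :", validate_nodata(QNAME, "CAA", APEX, [APEX_TO_WILDCARD, WILDCARD_NSEC]))
    print("RRSIG labels 3:", is_wildcard_expansion(QNAME, 3), " labels 2:", is_wildcard_expansion(QNAME, 2))
```

The report case comes back bogus for exactly the reason the post gives: the apex-to-apex NSEC covers www, which proves the name does not exist, yet the server answered NoError instead of NXDOMAIN and supplied no wildcard NSEC. The two constructed "good" sets show what the server would have to send for the validator to accept the empty CAA answer.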
