DNS problem: SERVFAIL looking up CAA

It looks like somebody forgot to update the nameservers at the registrar.

(DNSSEC is off, that's not an issue)

2 Likes

DNS via UDP is being blocked on IPv6.
🙁

2 Likes

What about these warnings:

in.ua to dej.in.ua: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the in.ua zone): ns2.h0zt.in, ns1.h0zt.in

in.ua to dej.in.ua: The following NS name(s) were found in the delegation NS RRset (i.e., in the in.ua zone), but not in the authoritative NS RRset: ns1.dezh.in, ns2.dezh.in

2 Likes

That's the "forgot to update the nameservers" part.

Or maybe they did update them but there are some NS records in the dej.in.ua zone (why?)

2 Likes

The thing is...
All the names point to the same IPs:

Name:      ns1.h0zt.in
Addresses: 2a03:b0c0:1:e0::5a6:1
           64.227.40.164

Name:      ns1.dezh.in
Addresses: 2a03:b0c0:1:e0::5a6:1
           64.227.40.164

So that's likely why it still (kinda) works.

3 Likes

Could they each serve different CAA records? Or respond differently to CAA requests?

2 Likes

I'd say unlikely:

% dig @ns1.h0zt.in caa dej.in.ua +short
0 issue "letsencrypt.org"
% dig @ns2.h0zt.in caa dej.in.ua +short
0 issue "letsencrypt.org"
% dig @ns2.dezh.in caa dej.in.ua +short
0 issue "letsencrypt.org"
% dig @ns1.dezh.in caa dej.in.ua +short
0 issue "letsencrypt.org"
%
2 Likes

"each"?
They are the same IPs = same server.
There is no SNI in DNS.

2 Likes

Ah, misread that. I thought the IPs were for the web server (not for the DNS).

So, I guess it's not "tidy" but not problematic.

2 Likes

#nojoke

% dig a +short ns1.dezh.in
64.227.40.164
% dig a +short ns2.dezh.in
64.227.40.164
% dig a +short ns2.h0zt.in
64.227.40.164
% dig a +short ns1.h0zt.in
64.227.40.164
% dig aaaa +short ns1.h0zt.in
2a03:b0c0:1:e0::5a6:1
% dig aaaa +short ns2.h0zt.in
2a03:b0c0:1:e0::5a6:1
% dig aaaa +short ns2.dezh.in
2a03:b0c0:1:e0::5a6:1
% dig aaaa +short ns1.dezh.in
2a03:b0c0:1:e0::5a6:1
%
1 Like

I am back to getting SERVFAIL for CAA lookups on unboundtest. Signing off. You two know this way better than me anyway.

2 Likes

Nothing is perfect:
com | DNSViz
Even root DNS systems have problems:
[that's why redundancy is applied]

3 Likes

As I wrote before, I know that it's not good, but it's legal and has worked for many years.

Could someone clarify for me why it stopped renewing certificates at the beginning of April?

This issue exists only for the "*.in.ua" domain in my instance.

You should align your NS records.

They point to the same IP, yes. But they should point to the same FQDNs in both zones.

3 Likes
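The check being recommended here, written out as an added example (not code from the thread or from DNSViz): compare the NS RRset the parent zone (in.ua) delegates to against the NS RRset the child zone (dej.in.ua) publishes, then verify whether the differing names at least resolve to the same addresses, which is the "same IPs, so it kinda works" observation above. The two NS sets and the address data are constructed from the DNSViz warnings and the dig session quoted in the thread, so the script runs offline; the parser for `dig +short` output and all function names are assumptions for this example, and for live use you would replace the constructed inputs with real lookups.

```python
"""Delegation consistency check modelled on the dej.in.ua case above.

Added example, not the thread's own code. Inputs are constructed from the
DNSViz warnings and the dig transcript quoted in the thread so it runs offline.
"""
import re

# Constructed from the DNSViz warnings quoted in the thread.
DELEGATION_NS = {"ns1.dezh.in", "ns2.dezh.in"}     # NS RRset in the parent (in.ua) zone
AUTHORITATIVE_NS = {"ns1.h0zt.in", "ns2.h0zt.in"}  # NS RRset in the child (dej.in.ua) zone

# Constructed from the `dig a/aaaa +short` session quoted in the thread.
DIG_TRANSCRIPT = """\
% dig a +short ns1.dezh.in
64.227.40.164
% dig a +short ns2.dezh.in
64.227.40.164
% dig a +short ns2.h0zt.in
64.227.40.164
% dig a +short ns1.h0zt.in
64.227.40.164
% dig aaaa +short ns1.h0zt.in
2a03:b0c0:1:e0::5a6:1
% dig aaaa +short ns2.h0zt.in
2a03:b0c0:1:e0::5a6:1
% dig aaaa +short ns2.dezh.in
2a03:b0c0:1:e0::5a6:1
% dig aaaa +short ns1.dezh.in
2a03:b0c0:1:e0::5a6:1
%
"""

# Matches the command lines of the session: "% dig a +short <name>" / "% dig aaaa +short <name>".
_DIG_CMD = re.compile(r"^%\s*dig\s+(a|aaaa)\s+\+short\s+(\S+)\s*$", re.IGNORECASE)


def parse_dig_transcript(text):
    """Turn a `dig <a|aaaa> +short <name>` session into {name: {addresses}}.

    Lines following a command line are that command's answers until the next
    prompt; a bare "%" ends the session. Names and addresses are lower-cased
    and the trailing dot of a fully qualified name is dropped.
    """
    addresses = {}
    current = None
    for line in text.splitlines():
        match = _DIG_CMD.match(line)
        if match:
            current = match.group(2).lower().rstrip(".")
            addresses.setdefault(current, set())
            continue
        if line.startswith("%"):  # bare prompt: no command, end of session
            current = None
            continue
        if current is not None and line.strip():
            addresses[current].add(line.strip().lower())
    return addresses


def check_delegation(delegation_ns, authoritative_ns, addresses):
    """Compare parent-side and child-side NS RRsets and the hosts behind them.

    Returns a dict with the two one-sided differences (the same shape as the
    DNSViz warnings), the address set per NS name, and two summary flags:
    names_match (RRsets identical) and same_hosts (every name resolves to the
    same, non-empty address set).
    """
    delegation_ns = {n.lower().rstrip(".") for n in delegation_ns}
    authoritative_ns = {n.lower().rstrip(".") for n in authoritative_ns}
    all_names = delegation_ns | authoritative_ns
    address_sets = {n: frozenset(addresses.get(n, ())) for n in sorted(all_names)}
    distinct = set(address_sets.values())
    return {
        "names_match": delegation_ns == authoritative_ns,
        "only_in_delegation": delegation_ns - authoritative_ns,
        "only_in_child": authoritative_ns - delegation_ns,
        "addresses": address_sets,
        "same_hosts": len(distinct) == 1 and all(address_sets.values()),
    }


def verdict(report):
    """Short classification: 'aligned', 'mismatched-same-hosts' or 'mismatched'."""
    if report["names_match"]:
        return "aligned"
    if report["same_hosts"]:
        return "mismatched-same-hosts"  # works by accident; align the NS records anyway
    return "mismatched"  # some resolvers will end up at servers not authoritative for the zone


if __name__ == "__main__":
    report = check_delegation(DELEGATION_NS, AUTHORITATIVE_NS,
                              parse_dig_transcript(DIG_TRANSCRIPT))
    print("in delegation only:  ", sorted(report["only_in_delegation"]))
    print("in child zone only:  ", sorted(report["only_in_child"]))
    for name, ips in report["addresses"].items():
        print(f"  {name:<14} -> {', '.join(sorted(ips))}")
    print("verdict:", verdict(report))
```

For the thread's data the verdict is `mismatched-same-hosts`: both RRsets differ entirely by name, yet every name resolves to 64.227.40.164 and 2a03:b0c0:1:e0::5a6:1, which is why resolution mostly still worked until the NS records were aligned.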

@edejin was that it? Really?

2 Likes

They fixed the NS definitions and got a new cert.

But, I still often get SERVFAIL using unboundtest (for CAA and A). I used to get nearly 100% fails but now about 60% fails.

3 Likes

So it's just luck. Is it?

1 Like

Maybe that's part of why renewals are tested twice a day [for thirty days]

3 Likes

I think the same. But as I can see in the logs, this problem has existed for a couple of weeks.

This issue exists only for the "*.in.ua" domain in my instance.
