DNS problem: SERVFAIL looking up CAA

- The following errors were reported by the server:

Domain: tools.srv1.dk
Type:   connection
Detail: DNS problem: SERVFAIL looking up CAA for tools.srv1.dk

Domain: librenms.srv1.dk
Type:   connection
Detail: DNS problem: SERVFAIL looking up CAA for librenms.srv1.dk

Domain: files-origin.srv1.dk
Type:   connection
Detail: DNS problem: SERVFAIL looking up CAA for
files-origin.srv1.dk

Domain: zitcom.srv1.dk
Type:   connection
Detail: DNS problem: SERVFAIL looking up CAA for zitcom.srv1.dk

Why all the SERVFAILs? I don’t see any…

Nameserver

⋊> ~ dig tools.srv1.dk type257 @ns1.srv1.dk

; <<>> DiG 9.8.3-P1 <<>> tools.srv1.dk type257 @ns1.srv1.dk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;tools.srv1.dk.			IN	TYPE257

;; AUTHORITY SECTION:
srv1.dk.		600	IN	SOA	ns1.srv1.dk. dns.srv1.dk. 2016101502 14400 600 604800 600

;; Query time: 47 msec
;; SERVER: 128.199.51.147#53(128.199.51.147)
;; WHEN: Sun Oct 16 04:12:00 2016
;; MSG SIZE  rcvd: 75

Google Public DNS

⋊> ~ dig tools.srv1.dk type257 @8.8.8.8
; <<>> DiG 9.8.3-P1 <<>> tools.srv1.dk type257 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58034
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;tools.srv1.dk.			IN	TYPE257

;; AUTHORITY SECTION:
srv1.dk.		578	IN	SOA	ns1.srv1.dk. dns.srv1.dk. 2016101502 14400 600 604800 600

;; Query time: 59 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 16 04:12:04 2016
;; MSG SIZE  rcvd: 75

Hi Emil

There are a few good historic discussions on this matter.

Review them here: https://community.letsencrypt.org/search?q=caa

There are, but usually something is obviously wrong with the domain’s DNS. This time it seems okay, as far as I can tell.

(I run an Unbound forwarder, but not an Unbound recursor, and not necessarily the same version.)

Hi @ahaw021

Yeah, I know. I have looked at them, but it doesn’t help me. As you can see, there is no problem on my nameserver.

I wrote here to see if others have experienced the same and to get help from the Let’s Encrypt team to solve the issue.

I’m not seeing anything that should be causing a SERVFAIL either. The only issue I found is that ns1.srv1.dk returns a CAA record for srv1.dk, while the other name servers don’t:

dig -t TYPE257 srv1.dk @ns1.srv1.dk

; <<>> DiG 9.8.3-P1 <<>> -t TYPE257 srv1.dk @ns1.srv1.dk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16018
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;srv1.dk.			IN	TYPE257

;; ANSWER SECTION:
srv1.dk.		600	IN	TYPE257	\# 33 0005696F6465666D61696C746F3A6361612D7265706F727473407372 76312E646B
srv1.dk.		600	IN	TYPE257	\# 22 000569737375656C657473656E63727970742E6F7267

;; Query time: 38 msec
;; SERVER: 128.199.51.147#53(128.199.51.147)
;; WHEN: Sun Oct 16 16:38:41 2016
;; MSG SIZE  rcvd: 104

dig -t TYPE257 srv1.dk @ns2.srv1.dk

; <<>> DiG 9.8.3-P1 <<>> -t TYPE257 srv1.dk @ns2.srv1.dk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35430
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;srv1.dk.			IN	TYPE257

;; AUTHORITY SECTION:
srv1.dk.		600	IN	SOA	ns1.srv1.dk. dns.srv1.dk. 2016101502 14400 600 604800 600

;; Query time: 34 msec
;; SERVER: 5.79.70.116#53(5.79.70.116)
;; WHEN: Sun Oct 16 16:38:44 2016
;; MSG SIZE  rcvd: 69

dig -t TYPE257 srv1.dk @ns3.srv1.dk

; <<>> DiG 9.8.3-P1 <<>> -t TYPE257 srv1.dk @ns3.srv1.dk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44491
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;srv1.dk.			IN	TYPE257

;; AUTHORITY SECTION:
srv1.dk.		600	IN	SOA	ns1.srv1.dk. dns.srv1.dk. 2016101502 14400 600 604800 600

;; Query time: 143 msec
;; SERVER: 94.231.110.90#53(94.231.110.90)
;; WHEN: Sun Oct 16 16:38:46 2016
;; MSG SIZE  rcvd: 69

I don’t think this would cause a SERVFAIL, but it’s possibly something to look into.
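The two TYPE257 answers from ns1.srv1.dk in the post above are printed by dig in RFC 3597 generic form (`\# <length> <hex>`), so the CAA policy is not readable at a glance. The following Python is an added example, not part of the original posts: it decodes those two answer lines into flags, tag and value. The function names are illustrative, and the answer lines are copied from the dig output above with tabs replaced by spaces.

```python
# Added example: decode the RFC 3597 generic RDATA that dig prints for TYPE257 (CAA).
# Function names are illustrative; the two answer lines come from the dig output above.

def parse_generic_rdata(text):
    # Generic form is: \# <length> <hex digits, possibly split by spaces>
    parts = text.split()
    if len(parts) < 3 or parts[0] != "\\#":
        raise ValueError("not RFC 3597 generic RDATA")
    declared = int(parts[1])
    data = bytes.fromhex("".join(parts[2:]))
    if len(data) != declared:
        raise ValueError(f"length mismatch: declared {declared}, got {len(data)}")
    return data

def decode_caa(rdata):
    # CAA wire format: 1 byte flags, 1 byte tag length, tag, then value to the end.
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or 2 + tag_len > len(rdata):
        raise ValueError("invalid CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    value = rdata[2 + tag_len:].decode("utf-8", errors="replace")
    # The top bit of the flags byte is the "issuer critical" flag.
    return {"critical": bool(flags & 0x80), "tag": tag, "value": value}

def decode_dig_line(line):
    # Answer line layout: owner, TTL, class, type, RDATA
    owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
    if rtype != "TYPE257":
        raise ValueError("not a TYPE257 (CAA) record")
    return dict(decode_caa(parse_generic_rdata(rdata)), owner=owner)

NS1_ANSWERS = [
    r"srv1.dk. 600 IN TYPE257 \# 33 0005696F6465666D61696C746F3A6361612D7265706F727473407372 76312E646B",
    r"srv1.dk. 600 IN TYPE257 \# 22 000569737375656C657473656E63727970742E6F7267",
]

def decode_all(lines=NS1_ANSWERS):
    return [decode_dig_line(line) for line in lines]

if __name__ == "__main__":
    for rec in decode_all():
        flag = 128 if rec["critical"] else 0
        print(f'{rec["owner"]} CAA {flag} {rec["tag"]} "{rec["value"]}"')
```

Decoded, ns1 is serving an `iodef` record and an `issue` record for letsencrypt.org, neither of which ns2 or ns3 returned in the queries above.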

@pfg There was an issue in the sync between the master and slaves. It is fixed now.

certbot is not failing anymore :slight_smile:
