DNS problem: SERVFAIL looking up CAA


#1

My domain is: git.shifudao.com

I ran this command: certbot-auto certbot -d git.shifudao.com

It produced this output:

Failed authorization procedure. git.shifudao.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up CAA for git.shifudao.com

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: git.shifudao.com
   Type:   None
   Detail: DNS problem: SERVFAIL looking up CAA for git.shifudao.com

My web server is (include version): Nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu Server 16.04.5

My hosting provider, if applicable, is: Aliyun

And I’ve already added CAA records: *.shifudao.com CAA 0 issue "letsencrypt.org"

dig git.shifudao.com caa +short
0 issue "letsencrypt.org"

SERVFAIL causing issuance failures, unable to reproduce in Unbound or locally
#2

I am not sure it is a good idea to use a wildcard. If you just have a CAA record at the zone apex (shifudao.com), it will already cover any possible subdomain, unless that subdomain has a more specific CAA record.

I don’t think this is causing your problem, though.

Is this happening every time you try it? Does it happen with a --dry-run ?


#3

Hmm, your nameservers’ DNS responses appear to come with some ‘little extra’ data on the end:

[screenshot omitted: Screenshot_2018-07-30_20-50-48]

(The elb.amazonaws.com. bit). dig complains about this too, maybe it is freaking the Let’s Encrypt resolver out:

;; WARNING: Message has 23 extra bytes at end

Always different content, but always 23 extra bytes that are not valid DNS data. Looks like a nameserver malfunction to me.

It actually looks like memory corruption on the resolver to me, because I’m seeing totally unrelated data (like ezdnscenter.com) - but maybe it is a screwed up NSEC response? :confused:


#4

Hmm. Then what should I do? Thank you.


#5

You need to talk to your DNS host and ask them why this is happening.

Maybe it has something to do with Chinese internet or the Chinese great firewall - that does cause issues sometimes.

Otherwise, you would need to change DNS hosts to avoid the issue.


#6

Is there any way to disable the CAA check?


#7

Nope, it’s a check that all certificate authorities must perform.


#8

Where did you see the warning? I tried to use dig on vultr, but nothing happens.

root@vultr:~# dig git.shifudao.com caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> git.shifudao.com caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52895
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;git.shifudao.com.		IN	CAA

;; ANSWER SECTION:
git.shifudao.com.	600	IN	CAA	0 issue "letsencrypt.org"

;; AUTHORITY SECTION:
shifudao.com.		3462	IN	NS	ns4.dns.com.
shifudao.com.		3462	IN	NS	ns3.dns.com.

;; Query time: 1271 msec
;; SERVER: 108.61.10.10#53(108.61.10.10)
;; WHEN: Mon Jul 30 12:03:42 UTC 2018
;; MSG SIZE  rcvd: 119

#9

Try querying the authoritative nameserver directly:

dig @ns3.dns.com git.shifudao.com caa

A caching/recursive resolver will strip the excess data.

Curiously, this only happens for me from a couple of locations, and I can avoid it by passing +noedns to dig.


#10

But I’ve tried this command on vultr and aliyun, and there is no such warning:

root@vultr:~# dig @ns3.dns.com git.shifudao.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns3.dns.com git.shifudao.com
; (4 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43456
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;git.shifudao.com.		IN	A

;; ANSWER SECTION:
git.shifudao.com.	600	IN	A	207.148.26.79

;; AUTHORITY SECTION:
shifudao.com.		3600	IN	NS	ns3.dns.com.
shifudao.com.		3600	IN	NS	ns4.dns.com.

;; Query time: 419 msec
;; SERVER: 121.12.104.109#53(121.12.104.109)
;; WHEN: Mon Jul 30 12:19:50 UTC 2018
;; MSG SIZE  rcvd: 100

And by the way, will this warning affect the letsencrypt CAA check?


#11

That’s my theory, but I can’t tell you for sure.

I believe that this is a corroboration of the issue: http://dnsviz.net/d/git.shifudao.com/dnssec/

git.shifudao.com/CAA: The server responded with no OPT record, rather than with RCODE FORMERR. (121.12.104.109, 121.12.104.110, 183.2.194.173, 183.2.194.174, 218.66.171.173, 218.66.171.174, 218.98.111.173, 218.98.111.174, UDP_0_EDNS0_32768_4096)

At least, it has been an issue before: DNS problem: SERVFAIL looking up CAA for www.imolaenergy.hu

I see you’ve removed the CAA record now, does that help things for you?


#12

No. I tried to change the *.shifudao.com. CAA record to shifudao.com. CAA, but it is still showing:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: git.shifudao.com
   Type:   None
   Detail: DNS problem: SERVFAIL looking up CAA for git.shifudao.com

And I find google.com still has this warning, so I think maybe it’s not the reason: http://dnsviz.net/d/google.com/VfWKRA/dnssec/


#13

Using this website

no DNS query works.

Searching the A-record -> works.


#14

I’ve added a shifudao.com CAA record, and it seems all DNS servers have resolved it: https://dnschecker.org/#CAA/shifudao.com


#15

Might need @cpu to confirm the cause in this case.


#16

We’re limited in what we can say about the root cause. Only the SERVFAIL is captured. I agree with the debugging you folks have done in thread (many thanks!).

@abcfy2 Have you been able to issue with success since addressing the issues with your authoritative DNS server?


#17

No. And I don’t know what to do next.


#18

You could try removing the CAA record entirely. CAA records are not required to be there, they’re only required to be respected by the CA if they are.

Removing the CAA record is the closest thing you can do to disabling the check. It only requires that your DNS provider be able to properly respond with a NOERROR.
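Two points in this thread fit together: #2 (a CAA record at the apex covers every subdomain unless a closer name has its own) and #18 (with no CAA record anywhere, every lookup on the way up must still come back NOERROR, because a SERVFAIL at any level aborts the check). The script below is an added example, not code from Let's Encrypt or from this thread; it implements the RFC 8659 relevant-record-set walk over an injectable `lookup` function and a constructed zone table. The `example.test` names, `other-ca.example` and the `lab.shifudao.com` record are made up for illustration.

```python
# Added example: RFC 8659-style CAA evaluation over an injectable resolver.
# `lookup(name)` returns (rcode, records); each record is (flags, tag, value).
# Nothing here touches the network; the zone table below is constructed.

def relevant_caa_set(fqdn, lookup):
    """Climb from fqdn towards the root; return (name, records) of the first name
    that has CAA records, or None if no ancestor-or-self has any.

    SERVFAIL anywhere on the path is a lookup failure and aborts the whole check,
    which is the error certbot reports in this thread. NXDOMAIN and an empty
    answer (NODATA) just mean "nothing here, keep climbing"."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, records = lookup(name)
        if rcode == "SERVFAIL":
            raise LookupError(f"DNS problem: SERVFAIL looking up CAA for {name}")
        if rcode == "NXDOMAIN" or not records:
            continue
        return name, records
    return None


def caa_permits(fqdn, ca, lookup):
    """True if the relevant CAA set lets `ca` issue a certificate for `fqdn`.

    For a wildcard request the issuewild records win when present, otherwise the
    issue records apply (RFC 8659 section 4.3)."""
    wildcard = fqdn.startswith("*.")
    found = relevant_caa_set(fqdn[2:] if wildcard else fqdn, lookup)
    if found is None:
        return True                      # no CAA in the tree: no restriction
    _, records = found
    for flags, tag, _ in records:
        if flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False                 # critical flag on an unknown tag: refuse
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True                      # CAA present but nothing constrains this request
    for value in applicable:
        domain = value.split(";", 1)[0].strip().lower()   # 'issue ";"' yields '': nobody may issue
        if domain == ca.lower():
            return True
    return False


# Constructed zone: what an authoritative server would answer for CAA at each name.
ZONE = {
    "shifudao.com": ("NOERROR", [(0, "issue", "letsencrypt.org")]),
    "git.shifudao.com": ("NOERROR", []),                   # NODATA: inherits the apex record
    "nxd.shifudao.com": ("NXDOMAIN", []),                  # name does not exist: keep climbing
    "lab.shifudao.com": ("NOERROR", [(0, "issue", ";")]),  # closer record forbids everyone
    "example.test": ("NOERROR", [(0, "issue", "other-ca.example")]),
    "broken.example.test": ("SERVFAIL", []),               # the failure mode from this thread
}


def lookup(name):
    """Stand-in resolver: names not in the table behave as NOERROR with no CAA records."""
    return ZONE.get(name, ("NOERROR", []))


if __name__ == "__main__":
    for host in ("git.shifudao.com", "*.shifudao.com", "lab.shifudao.com", "www.example.test"):
        print(host, "->", caa_permits(host, "letsencrypt.org", lookup))
    try:
        caa_permits("broken.example.test", "letsencrypt.org", lookup)
    except LookupError as exc:
        print(exc)
```

Swapping `lookup` for a function that queries your authoritative servers directly (one per NS, with and without EDNS) turns this into a check you can run before asking a CA to issue: any SERVFAIL it raises is the same lookup failure the CA will hit.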


#19

But now your subdomain works (first time).

http://git.shifudao.com/

Welcome to nginx!

https://git.shifudao.com/ has a certificate for www.zhongchuang.cn


#20

No, it’s not working.

No matter whether the CAA record exists, certbot will always show:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: git.shifudao.com
   Type:   None
   Detail: DNS problem: SERVFAIL looking up CAA for git.shifudao.com

So I’m confused. How could I solve this issue?

I tried to add CAA records for @.shifudao.com, git.shifudao.com and *.shifudao.com, but none of them helped.