DNS problem: SERVFAIL looking up CAA


#1

Issue:

DNS problem: SERVFAIL looking up CAA for helpdesk.tirthayatra.org

Error Status : 403
Error detail : Error finalizing order :: Rechecking CAA: While processing CAA for helpdesk.tirthayatra.org: DNS problem: SERVFAIL looking up CAA for helpdesk.tirthayatra.org
Error type : urn:ietf:params:acme:error:caa

This issue occurs intermittently. Certificate issuance succeeds few times and fails most of the times.
(like succeeds in 3 out of 10 tries)

dig helpdesk.tirthayatra.org caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> helpdesk.tirthayatra.org caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8269
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;helpdesk.tirthayatra.org. IN CAA

;; ANSWER SECTION:
helpdesk.tirthayatra.org. 309 IN CNAME desk.cs.zohohost.com.
desk.cs.zohohost.com. 300 IN CAA 0 issue “letsencrypt.org

;; Query time: 27 msec
;; SERVER: 192.168.100.11#53(192.168.100.11)
;; WHEN: Fri Dec 21 16:13:56 IST 2018
;; MSG SIZE rcvd: 121

Couldn’t find any unusual DNS related issue in the domains. (DNSSEC not enabled)

https://dnschecker.org/#CAA/helpdesk.tirthayatra.org

http://dnsviz.net/d/helpdesk.tirthayatra.org/dnssec/

Can someone help me in solving this issue?


#2

There’s at least some vague evidence that the nameservers for desk.cs.zohohost.com do not all respond to queries in the same way, which may provide some explanation towards the intermittency of the issue.

e.g.

NS1.VTITAN.COM
$ dig +norecurse +tcp @NS1.VTITAN.COM dEsK.cs.zohohOst.com caa

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> +norecurse +tcp @NS1.VTITAN.COM dEsK.cs.zohohOst.com caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58209
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dEsK.cs.zohohOst.com.          IN      CAA

;; ANSWER SECTION:
dEsK.cs.zohohOst.com.   300     IN      CAA     0 issue "letsencrypt.org"

;; AUTHORITY SECTION:
zohohOst.com.           300     IN      NS      NS2.VTITAN.com.
zohohOst.com.           300     IN      NS      PDNS90.ULTRADNS.BIZ.
zohohOst.com.           300     IN      NS      NS1.VTITAN.com.
zohohOst.com.           300     IN      NS      PDNS90.ULTRADNS.NET.
zohohOst.com.           300     IN      NS      PDNS90.ULTRADNS.com.
zohohOst.com.           300     IN      NS      PDNS90.ULTRADNS.ORG.

;; ADDITIONAL SECTION:
NS1.VTITAN.com.         3600    IN      A       207.224.234.106
NS2.VTITAN.com.         3600    IN      A       117.20.43.94

;; Query time: 306 msec
;; SERVER: 207.224.234.106#53(207.224.234.106)
;; WHEN: Fri Dec 21 22:27:46 AEDT 2018
;; MSG SIZE  rcvd: 287

versus

PDNS90.ULTRADNS.ORG
$ dig +norecurse +tcp @PDNS90.ULTRADNS.ORG dEsK.cs.zohohOst.com caa

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> +norecurse +tcp @PDNS90.ULTRADNS.ORG dEsK.cs.zohohOst.com caa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13762
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dEsK.cs.zohohOst.com.          IN      CAA

;; ANSWER SECTION:
desk.cs.zohohost.com.   300     IN      CAA     0 issue "letsencrypt.org"

;; AUTHORITY SECTION:
zohohost.com.           300     IN      NS      NS1.VTITAN.COM.
zohohost.com.           300     IN      NS      PDNS90.ULTRADNS.COM.
zohohost.com.           300     IN      NS      NS2.VTITAN.COM.
zohohost.com.           300     IN      NS      PDNS90.ULTRADNS.BIZ.
zohohost.com.           300     IN      NS      PDNS90.ULTRADNS.ORG.
zohohost.com.           300     IN      NS      PDNS90.ULTRADNS.NET.

;; Query time: 204 msec
;; SERVER: 156.154.67.90#53(156.154.67.90)
;; WHEN: Fri Dec 21 22:35:14 AEDT 2018
;; MSG SIZE  rcvd: 275

Note that one exhibits case sensitivity, and the other doesn’t. No idea if that would throw Unbound off, but it’s not the only difference.

I can’t actually reproduce an actual SERVFAIL result by Unbound, so this this a pretty useless observation for now. Sorry.


#3

The DNS setup if far from ideal: https://dnsspy.io/scan/tirthayatra.org
Even the “two” name servers resolve to the same IP.


#4

Unbound only requires the question section to preserve case, and UltraDNS is doing that. The other sections can go wild.

Edit: This is pure speculation, but I wonder if Let’s Encrypt’s queries are getting rate limited?


closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.