DNS problem: SERVFAIL looking up CAA

Issue:

DNS problem: SERVFAIL looking up CAA for helpdesk.tirthayatra.org

Error Status : 403
Error detail : Error finalizing order :: Rechecking CAA: While processing CAA for helpdesk.tirthayatra.org: DNS problem: SERVFAIL looking up CAA for helpdesk.tirthayatra.org
Error type : urn:ietf:params:acme:error:caa

This issue occurs intermittently: certificate issuance succeeds a few times and fails most of the time (roughly 3 successes out of 10 tries).

dig helpdesk.tirthayatra.org caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> helpdesk.tirthayatra.org caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8269
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;helpdesk.tirthayatra.org. IN CAA

;; ANSWER SECTION:
helpdesk.tirthayatra.org. 309 IN CNAME desk.cs.zohohost.com.
desk.cs.zohohost.com. 300 IN CAA 0 issue "letsencrypt.org"

;; Query time: 27 msec
;; SERVER: 192.168.100.11#53(192.168.100.11)
;; WHEN: Fri Dec 21 16:13:56 IST 2018
;; MSG SIZE rcvd: 121

Couldn't find any unusual DNS related issue in the domains. (DNSSEC not enabled)

https://dnschecker.org/#CAA/helpdesk.tirthayatra.org

http://dnsviz.net/d/helpdesk.tirthayatra.org/dnssec/

Can someone help me in solving this issue?

There’s at least some vague evidence that the nameservers for desk.cs.zohohost.com do not all respond to queries in the same way, which may provide some explanation towards the intermittency of the issue.

e.g.

NS1.VTITAN.COM
$ dig +norecurse +tcp @NS1.VTITAN.COM dEsK.cs.zohohOst.com caa

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> +norecurse +tcp @NS1.VTITAN.COM dEsK.cs.zohohOst.com caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58209
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dEsK.cs.zohohOst.com.          IN      CAA

;; ANSWER SECTION:
dEsK.cs.zohohOst.com.   300     IN      CAA     0 issue "letsencrypt.org"

;; AUTHORITY SECTION:
zohohOst.com.           300     IN      NS      NS2.VTITAN.com.
zohohOst.com.           300     IN      NS      PDNS90.ULTRADNS.BIZ.
zohohOst.com.           300     IN      NS      NS1.VTITAN.com.
zohohOst.com.           300     IN      NS      PDNS90.ULTRADNS.NET.
zohohOst.com.           300     IN      NS      PDNS90.ULTRADNS.com.
zohohOst.com.           300     IN      NS      PDNS90.ULTRADNS.ORG.

;; ADDITIONAL SECTION:
NS1.VTITAN.com.         3600    IN      A       207.224.234.106
NS2.VTITAN.com.         3600    IN      A       117.20.43.94

;; Query time: 306 msec
;; SERVER: 207.224.234.106#53(207.224.234.106)
;; WHEN: Fri Dec 21 22:27:46 AEDT 2018
;; MSG SIZE  rcvd: 287

versus

PDNS90.ULTRADNS.ORG
$ dig +norecurse +tcp @PDNS90.ULTRADNS.ORG dEsK.cs.zohohOst.com caa

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> +norecurse +tcp @PDNS90.ULTRADNS.ORG dEsK.cs.zohohOst.com caa
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13762
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dEsK.cs.zohohOst.com.          IN      CAA

;; ANSWER SECTION:
desk.cs.zohohost.com.   300     IN      CAA     0 issue "letsencrypt.org"

;; AUTHORITY SECTION:
zohohost.com.           300     IN      NS      NS1.VTITAN.COM.
zohohost.com.           300     IN      NS      PDNS90.ULTRADNS.COM.
zohohost.com.           300     IN      NS      NS2.VTITAN.COM.
zohohost.com.           300     IN      NS      PDNS90.ULTRADNS.BIZ.
zohohost.com.           300     IN      NS      PDNS90.ULTRADNS.ORG.
zohohost.com.           300     IN      NS      PDNS90.ULTRADNS.NET.

;; Query time: 204 msec
;; SERVER: 156.154.67.90#53(156.154.67.90)
;; WHEN: Fri Dec 21 22:35:14 AEDT 2018
;; MSG SIZE  rcvd: 275

Note that one exhibits case sensitivity, and the other doesn’t. No idea if that would throw Unbound off, but it’s not the only difference.

I can’t actually reproduce an actual SERVFAIL result by Unbound, so this is a pretty useless observation for now. Sorry.
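The comparison in this reply is the kind of check worth automating when a CA reports intermittent DNS failures: query every authoritative server directly and diff what comes back. The following is an added example, not code from the thread or from Let's Encrypt, that parses saved dig output and reports, per server, the response status, whether the answer is authoritative, whether the question section preserves the mixed case that was sent, and whether the CAA RRset agrees with the first server. The first two captures are copied from the dig output in this reply (trimmed to the sections the parser uses); the third capture, with server `192.0.2.53`, is constructed to show what a SERVFAIL looks like to the check.

```python
"""Diff authoritative responses from saved dig output.
Added example; not code from the forum thread or from Let's Encrypt."""

import re
from dataclasses import dataclass, field

QUERY_NAME = "dEsK.cs.zohohOst.com."  # mixed case, exactly as sent in the dig command

# Copied from the reply above (trimmed); the query was sent to NS1.VTITAN.COM.
CAPTURE_VTITAN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58209
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 3
;; QUESTION SECTION:
;dEsK.cs.zohohOst.com.          IN      CAA

;; ANSWER SECTION:
dEsK.cs.zohohOst.com.   300     IN      CAA     0 issue "letsencrypt.org"

;; AUTHORITY SECTION:
zohohOst.com.           300     IN      NS      NS2.VTITAN.com.
;; SERVER: 207.224.234.106#53(207.224.234.106)
"""

# Copied from the reply above (trimmed); the query was sent to PDNS90.ULTRADNS.ORG.
CAPTURE_ULTRADNS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13762
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 1
;; QUESTION SECTION:
;dEsK.cs.zohohOst.com.          IN      CAA

;; ANSWER SECTION:
desk.cs.zohohost.com.   300     IN      CAA     0 issue "letsencrypt.org"
;; SERVER: 156.154.67.90#53(156.154.67.90)
"""

# Constructed: a server that cannot answer the CAA query at all.
CAPTURE_BROKEN = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;dEsK.cs.zohohOst.com.          IN      CAA
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""


@dataclass
class DigResponse:
    server: str
    status: str
    flags: set
    qname: str
    answers: list = field(default_factory=list)  # (owner, ttl, rtype, rdata)


def parse_dig(text: str) -> DigResponse:
    """Pull status, flags, server, question name and answer RRs out of dig output."""
    status = qname = server = ""
    flags, answers, section = set(), [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags = set(re.match(r";; flags: ([^;]*);", line).group(1).split())
        elif line.startswith(";; SERVER:"):
            server = line.split()[2].split("#")[0]
        elif line.startswith(";; QUESTION SECTION:"):
            section = "question"
        elif line.startswith(";; ANSWER SECTION:"):
            section = "answer"
        elif line.startswith(";;"):
            section = None  # any other section header ends the answer section
        elif line.startswith(";"):
            if section == "question":
                qname = line[1:].split()[0]  # dig echoes the QNAME as the server returned it
        elif section == "answer":
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((owner, int(ttl), rtype, rdata))
    return DigResponse(server, status, flags, qname, answers)


def compare_servers(query_name: str, responses: list) -> dict:
    """Per-server findings; the first response's RRset is the baseline."""
    def canon(rr):  # owner-name case is not significant (RFC 4343)
        owner, _ttl, rtype, rdata = rr
        return (owner.lower(), rtype, rdata)
    baseline = {canon(rr) for rr in responses[0].answers}
    report = {}
    for resp in responses:
        issues = []
        if resp.status != "NOERROR":
            issues.append(f"status {resp.status}")
        if "aa" not in resp.flags:
            issues.append("answer not authoritative")
        if resp.qname != query_name:
            issues.append("question name case not preserved")
        if resp.status == "NOERROR" and {canon(rr) for rr in resp.answers} != baseline:
            issues.append("CAA RRset differs from first server")
        report[resp.server] = {
            "issues": issues,
            # Informational only: whether the answer owner echoes the query's case.
            "answer_case_echoed": any(o == query_name for o, *_ in resp.answers),
        }
    return report


if __name__ == "__main__":
    captures = [CAPTURE_VTITAN, CAPTURE_ULTRADNS, CAPTURE_BROKEN]
    for server, finding in compare_servers(QUERY_NAME, [parse_dig(c) for c in captures]).items():
        print(server, finding)
```

For the two real captures the report lists no issues: both are authoritative, both echo the query name's case in the question section, and the CAA RRsets match once owner-name case is ignored, so the only difference between them is the informational `answer_case_echoed` flag. The constructed SERVFAIL capture is the one that would explain a failed CAA recheck. To collect fresh captures, run `dig +norecurse +tcp @<server> <name> caa` against each NS listed for the zone, as the reply above did.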

The DNS setup is far from ideal: https://dnsspy.io/scan/tirthayatra.org
Even the “two” name servers resolve to the same IP.

Unbound only requires the question section to preserve case, and UltraDNS is doing that. The other sections can go wild.

Edit: This is pure speculation, but I wonder if Let's Encrypt's queries are getting rate limited?
