DNS problem: SERVFAIL looking up CAA


#1

I didn’t setup any restrict on CAA , and seems my DNS server do response caa requirements , I reviewed the similar topics but didn’t find a situation that suit my case , can anyone help ? Appreciate it .

$ dig @8.8.8.8 logana.daikin.net.cn caa

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> @8.8.8.8 logana.daikin.net.cn caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44829
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;logana.daikin.net.cn. IN CAA

;; AUTHORITY SECTION:
daikin.net.cn. 599 IN SOA ce1.dns.com. admin.dns.com. 1545897019 7200 3600 1209600 1800

;; Query time: 286 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 3 14:39:20 2019
;; MSG SIZE rcvd: 91

My domain is: logana.daikin.net.cn

I ran this command: /certbot-auto renew

It produced this output: IMPORTANT NOTES:

My web server is (include version): nginx-1.12.1-1.33

The operating system my web server runs on is (include version): Amazon Linux AMI release 2018.03

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

According to unbound test, it seems that there are some issues with your DNS provider (provide different responses per dns server)
https://unboundtest.com/m/CAA/Logana.daikin.net.cn/4HHKK4CI

Thank you


#3

Some of the reasons change over time, but dns.com and Let’s Encrypt don’t get along.

https://community.letsencrypt.org/search?q=dns.com%20order%3Alatest

In general, dns.com is buggy and unreliable.

https://ednscomp.isc.org/ednscomp/d3245ed1ee
http://dnsviz.net/d/logana.daikin.net.cn/XC2yeQ/dnssec/

For most resolvers, that’s okay.

Let’s Encrypt sends DNS queries with random capitalization. dns.com doesn’t support it, which is perfectly valid. The resolver enters a fallback mode, where it sends queries to each of dns.com’s nameservers, and compares the responses. If they don’t match, the resolver returns a SERVFAIL error.

For some reason, dns.com’s responses often don’t match.

https://unboundtest.com/m/CAA/logana.daikin.net.cn/LIMIJT77
https://unboundtest.com/m/CAA/logana.daikin.net.cn/AUV7CH5B

I’m not sure what’s happening with your domain right now. It might be because the nameservers return different serial numbers in the SOA record. If that’s the issue, waiting for a while, or adding CAA records for daikin.net.cn and logana.daikin.net.cn might resolve it.

If there’s another issue, trying again or waiting might help, or it might not.


closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.