DNS query timed out

I’m seeing the same issue in Australia with multiple domains using NetRegistry nameservers. My self-hosted (own nameserver) ones are fine, as are many others.

I have the same problem with my domain leavesongs.com (hosted by DNSPod). DNSPod is China’s biggest DNS hosting provider, so sad…

{u'status': u'invalid', u'validationRecord': [{u'url': u'http://www.leavesongs.com/.well-known/acme-challenge/rrDq5Ihs4vQqxk7NuMnBKD0tnCVGFLXCvf2tRltlRMg', u'hostname': u'www.leavesongs.com', u'addressUsed': u'133.130.100.201', u'port': u'80', u'addressesResolved': [u'133.130.100.201']}], u'keyAuthorization': u'rrDq5Ihs4vQqxk7NuMnBKD0tnCVGFLXCvf2tRltlRMg.jmTkjEFt3yv0PIqIkjlYn4A1iGHfWTl9MV5bqnKsK8M', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/2GS--3sPSORjtzuKd5y_OjqXWIxBOuCW4DKZQ0yEojY/1571552', u'token': u'rrDq5Ihs4vQqxk7NuMnBKD0tnCVGFLXCvf2tRltlRMg', u'error': {u'type': u'urn:acme:error:connection', u'detail': u'DNS query timed out'}, u'type': u'http-01'}

I’m seeing this too.

All my NetRegistry domains (four of them) are failing with an urn:acme:error:connection error:

FailedChallenges: Failed authorization procedure. example.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS query timed out

Failed authorization procedure. example.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS query timed out

Error: The server could not connect to the client to verify the domain

All my other domains, which don’t use NetRegistry DNS, are perfectly fine.

Oddly perhaps, I’m seeing a connection from the LetsEncrypt server in my nginx logs. But something else must be happening elsewhere, because it’s failing.

It’s also a new(ish) problem. I originally issued a certificate to some of the domains when LetsEncrypt was in invite-beta mode. It went through fine then, and in the first days it was in public beta. But now, it won’t work.

(I have replaced my domain with example.com)

EDIT: As a test, I just moved one of my domains across to another DNS provider. Using the same setup/server config as before, it now works. Something isn’t right with NetRegistry.

Out of curiosity, which provider did you go with?

I’m tired of NR’s shenanigans. They don’t even respond to support tickets any more.

Also seeing issue with NetRegistry domains.

Also seeing issues with NetRegistry domains. Haven’t yet tested other providers, seeing “DNS problem: query timed out looking up CAA for […]” for these.

I’m seeing this with netregistry.net, easyclouddns.net (used by Melbourne IT), partnerconsole.net (TPP?) and a number of other name servers.

DNS problem: query timed out looking up CAA for [domain name]

About half of my clients are not able to get Let’s Encrypt certificates because of this issue.

DNS problem: query timed out looking up A for www.example.com

I’m getting DNS timeouts. This cert has nearly 100 domains and has worked great in the past, but today I can’t get more than 5 domains verified before it dies. Sometimes it dies on the first domain, sometimes others. Even when the first domain verifies, it might fail the very next run a minute later.

Here is my sanitized error:
{u'type': u'urn:acme:error:connection', u'detail': u'DNS problem: query timed out looking up A for www.example.com'}, u'type': u'http-01'}

I also tried a different server with a single domain cert and it failed too - same error. I’m guessing there isn’t anything I can do besides sit back and wait?

Also see this topic: DNS resolver issues?

Having the same problem - I get

The following errors were reported by the server:

Domain: www.xxx.com
Type: urn:acme:error:connection
Detail: DNS problem: query timed out looking up A for
www.xxx.com

It works if I keep trying…eventually. Which suggests it’s not my server.

If it’s maintenance, why did several of my domains suddenly shift from renewal on the 14th to tomorrow as of 6pm today?

I just got the same problem today. I’ve retried half a dozen times. Also, our DNS servers run on anycast from 16 locations around the world, so seems like LE’s issue…

The error I get back is:

DNS problem: query timed out looking up TXT for _acme-challenge.community.instartlogic.com

This was working a couple hours ago.

It’s working now. Does LE have these issues frequently?

Sorry for the issues. We deployed a change to our DNS configuration to mitigate timeouts people have been seeing with NetRegistry. Unfortunately, this caused a significant increase in timeouts for other registrars, and we rolled it back. Things should be back to normal. Please let us know if you see further problems of this sort.


I’m getting this error with a subdomain that is using a CNAME record to point it to an Amazon EC2 instance. The domain name resolves fine on my local machine:

$ nslookup demo.amcv.wsaa.asn.au 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
demo.amcv.wsaa.asn.au   canonical name = ec2-52-62-56-82.ap-southeast-2.compute.amazonaws.com.
Name:   ec2-52-62-56-82.ap-southeast-2.compute.amazonaws.com
Address: 52.62.56.82

But Let’s Encrypt responds with:

$ ./letsencrypt-auto certonly --standalone -d demo.amcv.wsaa.asn.au
[...]
 - The following errors were reported by the server:

   Domain: demo.amcv.wsaa.asn.au
   Type:   connection
   Detail: DNS problem: query timed out looking up CAA for
   amcv.wsaa.asn.au

Do I need zone file records in addition to CNAME? I have another subdomain on a different domain (different zone file and name servers) that works fine, and it has no CAA record.

It seems I am getting the same type of error. Is the DNS resolver fixed?

Here’s my domain’s lookup (example):

$ dig hackmasters.net
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.2 <<>> hackmasters.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hackmasters.net.        IN    A

;; ANSWER SECTION:
hackmasters.net.    599    IN    A    104.168.158.213

;; Query time: 78 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 29 16:55:33 EST 2016
;; MSG SIZE  rcvd: 60

and here’s the issue I get from the letsencrypt client:

Failed authorization procedure. hackmasters.net (http-01): urn:acme:error:connection :: The server 
could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for
hackmasters.net

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: hackmasters.net
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for hackmasters.net

All the other subdomains (e.g., www, api, code, etc…) are all verified. I tried using different DNS servers and they all check out. Is there any way to understand what is going on?

What I noticed, after trying a few times, is that the resolver is very… erratic… in the sense that sometimes it resolves all but the base name, and sometimes it fails on multiple domain names… so, for now, I got the best I could get (all but the base domain name…). I hope the software will be developed a little bit further and fix this issue (it seems a quite simple task for a DNS resolver to be able to resolve an A record… !!!) - I will try to use it again in a few days to see if I can finally get all of the sub-domains…

Hello @opencrypto,

Right now the dns servers for your domain hackmasters.net are ns1.dnsbycomodo.net and cvps8815162906.hostwindsdns.com

dig +trace @a.root-servers.net hackmasters.net

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> +trace @a.root-servers.net hackmasters.net
; (1 server found)
;; global options: +cmd
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
;; Received 508 bytes from 198.41.0.4#53(198.41.0.4) in 6 ms

net.                    172800  IN      NS      b.gtld-servers.net.
net.                    172800  IN      NS      d.gtld-servers.net.
net.                    172800  IN      NS      f.gtld-servers.net.
net.                    172800  IN      NS      c.gtld-servers.net.
net.                    172800  IN      NS      m.gtld-servers.net.
net.                    172800  IN      NS      j.gtld-servers.net.
net.                    172800  IN      NS      k.gtld-servers.net.
net.                    172800  IN      NS      g.gtld-servers.net.
net.                    172800  IN      NS      l.gtld-servers.net.
net.                    172800  IN      NS      e.gtld-servers.net.
net.                    172800  IN      NS      a.gtld-servers.net.
net.                    172800  IN      NS      i.gtld-servers.net.
net.                    172800  IN      NS      h.gtld-servers.net.
;; Received 490 bytes from 202.12.27.33#53(202.12.27.33) in 18 ms

hackmasters.net.        172800  IN      NS      ns1.dnsbycomodo.net.
hackmasters.net.        172800  IN      NS      cvps8815162906.hostwindsdns.com.
;; Received 140 bytes from 192.48.79.30#53(192.48.79.30) in 215 ms

;; Received 33 bytes from 8.20.241.1#53(8.20.241.1) in 8 ms

…and ns1.dnsbycomodo.net server doesn’t resolve your domain.

dig @ns1.dnsbycomodo.net hackmasters.net

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ns1.dnsbycomodo.net hackmasters.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36763
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;hackmasters.net.               IN      A

;; Query time: 8 msec
;; SERVER: 8.20.241.1#53(8.20.241.1)
;; WHEN: Mon Feb 29 23:41:46 2016
;; MSG SIZE  rcvd: 33

You should check that ;).

Good luck,
sahsanu

It is erratic because one of your DNS servers resolves your domain and the other doesn't.

As @sahsanu said, your DNS setup is buggy. Fix the errors shown on http://www.intodns.com/hackmasters.net and retry.
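The diagnosis above (one authoritative server answers NXDOMAIN while the other returns the A record, so validation succeeds or fails depending on which server the CA's resolver happens to ask) and the earlier CAA timeout on amcv.wsaa.asn.au are both things you can check yourself before opening a ticket with the CA or the DNS provider: ask every authoritative nameserver directly, for every name the CA will resolve, and compare the answers. A recursive resolver like 8.8.8.8 hides this, because it returns whatever it cached from whichever server answered. The script below is an added example, not code from any post in this thread and not Let's Encrypt's own validation code. It assumes dnspython is installed for the live queries (the classification logic runs without it), and the hostnames, nameservers and addresses it mentions are taken from the dig output posted above.

```python
"""Query every authoritative nameserver for a zone the way an ACME CA's
resolver would, and flag the failure modes from this thread: timeouts,
servers that disagree with each other, and NXDOMAIN for the host's A record.

classify() and caa_ancestors() are pure Python. The live lookups need
dnspython (pip install dnspython) and are only imported when used.
"""
import socket
import sys
from dataclasses import dataclass, field

TIMEOUT, NOERROR, NXDOMAIN, SERVFAIL = "TIMEOUT", "NOERROR", "NXDOMAIN", "SERVFAIL"


def caa_ancestors(name):
    """Names whose CAA records a CA consults for `name`: the name itself and
    each parent label up to the TLD (the CAA tree walk). For
    demo.amcv.wsaa.asn.au this includes amcv.wsaa.asn.au, which is the
    lookup that timed out in the thread."""
    labels = name.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


@dataclass
class Answer:
    server: str                      # nameserver queried (hostname or IP)
    qname: str
    qtype: str
    status: str                      # NOERROR / NXDOMAIN / SERVFAIL / TIMEOUT / ...
    rdata: tuple = field(default_factory=tuple)


def classify(answers):
    """Return a list of problem descriptions; an empty list means every server
    answered and they all agreed."""
    groups = {}
    for a in answers:
        groups.setdefault((a.qname, a.qtype), []).append(a)
    problems = []
    for (qname, qtype), group in sorted(groups.items()):
        timeouts = [a.server for a in group if a.status == TIMEOUT]
        if timeouts:
            problems.append(f"{qname} {qtype}: timeout from {', '.join(timeouts)}")
        servfails = [a.server for a in group if a.status == SERVFAIL]
        if servfails:
            problems.append(f"{qname} {qtype}: SERVFAIL from {', '.join(servfails)}")
        # Servers that did answer must agree; one NXDOMAIN next to one NOERROR
        # is exactly the "erratic" behaviour seen with hackmasters.net above.
        answered = [a for a in group if a.status != TIMEOUT]
        if len({(a.status, a.rdata) for a in answered}) > 1:
            detail = "; ".join(f"{a.server}={a.status}" for a in answered)
            problems.append(f"{qname} {qtype}: authoritative servers disagree ({detail})")
        if qtype in ("A", "AAAA") and answered and all(a.status == NXDOMAIN for a in answered):
            problems.append(f"{qname} {qtype}: NXDOMAIN from every server that answered")
    return problems


def query_servers(name, qtype, servers, timeout=3.0):
    """Send the query directly to each server (no recursion), like a resolver
    that has just followed the referral from the parent zone."""
    import dns.exception, dns.message, dns.query, dns.rcode  # dnspython
    out = []
    for server in servers:
        msg = dns.message.make_query(name, qtype)
        try:
            resp = dns.query.udp(msg, server, timeout=timeout)
            status = dns.rcode.to_text(resp.rcode())
            rdata = tuple(sorted(rr.to_text() for rrset in resp.answer for rr in rrset))
        except (dns.exception.Timeout, OSError):
            status, rdata = TIMEOUT, ()
        out.append(Answer(server, name, qtype, status, rdata))
    return out


def acme_dns_check(hostname, timeout=3.0):
    """Ask each authoritative server for everything Let's Encrypt resolves when
    validating `hostname`: A, TXT at _acme-challenge, and CAA for the host and
    its parents inside the same zone (parents above the zone cut are served by
    other nameservers and are not checked here)."""
    import dns.resolver  # dnspython
    zone = dns.resolver.zone_for_name(hostname).to_text().rstrip(".")
    ns_names = [rr.target.to_text().rstrip(".") for rr in dns.resolver.resolve(zone, "NS")]
    servers = [socket.gethostbyname(n) for n in ns_names]
    answers = query_servers(hostname, "A", servers, timeout)
    answers += query_servers("_acme-challenge." + hostname, "TXT", servers, timeout)
    for parent in caa_ancestors(hostname):
        if parent == zone or parent.endswith("." + zone):
            answers += query_servers(parent, "CAA", servers, timeout)
    return ns_names, classify(answers)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "demo.amcv.wsaa.asn.au"  # hostname from the thread
    names, problems = acme_dns_check(host)
    print("authoritative servers:", ", ".join(names))
    for p in problems or ["no DNS problems found"]:
        print(" -", p)
```

Run it as `python acme_dns_check.py hackmasters.net`; a disagreement line for the apex A record is the hostwinds/dnsbycomodo split shown in the dig output above, and a timeout line on a CAA name is the symptom the NetRegistry users reported. The queries use UDP with a short timeout on purpose: a server that only answers over TCP, or only after several seconds, will also fail a CA's validation even though a patient recursive resolver eventually gets an answer.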