DNS resolver fails while looking up a CAA record for gammaconsult.com

Hello,
I have difficulties renewing my wildcard cert for domain gammaconsult.com.
I receive SERVFAIL for CAA checks and don't know how to fix this.
We are using Microsoft Server 2019 DNS Server with DNSSEC. I don't have any idea why your system did not pass the CAA check but some others, like https://gf.dev/dns-caa-lookup or https://www.nethub.com.hk/en/ssl-certificates/caa-record-checker/, do!?

My domain is: gammaconsult.com

I ran this command: https://dnsspy.io/labs/caa-validator

It produced this output:

CAA record check for gammaconsult.com

Raw CAA records

These CAA records were detected on the domain gammaconsult.com and are presented as-is.

gammaconsult.com. 3600 IN CAA 0 issuewild "letsencrypt.org"

Interpreted CAA records

Here’s what the found CAA records mean.

The following Certificate Authorities can issue wildcard certificates ( *.gammaconsult.com ).

My web server is (include version): IIS 8.5

The operating system my web server runs on is (include version): Windows Server 2012R2

My hosting provider, if applicable, is: Network Solutions but DNS Server is ours

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Certify SSL/TLS Certificate Manager 5.0.12.0

Hi @atanas.ag

That's expected.

There is a check of your domain - gammaconsult.com - Make your website better - DNS, redirects, mixed content, certificates

Your older certificate has two domain names:

Issuer                      not before  not after   Domain names                          LE-Duplicate  next LE
Let's Encrypt Authority X3  2020-03-04  2020-06-02  *.gammaconsult.com, gammaconsult.com
2 entries

So if you have only an issuewild, you can't create a certificate with your main domain gammaconsult.com.

*.gammaconsult.com, gammaconsult.com requires issue (or two entries issue and issuewild).

But you have such a changed entry.

13. CAA - Entries

Domainname            flag  Name                Value            ∑ Queries  ∑ Timeout
www.gammaconsult.com  0     no CAA entry found                   1          0
gammaconsult.com      5     issue               letsencrypt.org  1          0
com                   0     no CAA entry found                   1          0

So it should work. Name servers and DNSSEC are ok, no critical error.

Thank you for your explanation. I have added all entries, "issue" and "issuewild", for *.gammaconsult.com and for gammaconsult.com. Would you please check again if it works, so I can try to request?

Something is resulting in Unbound not receiving the glue records for {ns,ns2}.gammaconsult.com from the gTLD nameservers.

That’s why it hits the SERVFAIL. It runs out of nameservers to query because it doesn’t know how to proceed after getting the referral to ns/ns2.

I’m not sure why. It’s quite bizarre. Can’t reproduce the same behavior with dig.


Oh, curious. My local Unbound works, no problem visible.


[1597230782] libunbound[17084:0] notice: init module 0: validator
[1597230782] libunbound[17084:0] notice: init module 1: iterator
[1597230782] libunbound[17084:0] info: resolving gammaconsult.com. CAA IN
[1597230782] libunbound[17084:0] info: priming . IN NS
[1597230782] libunbound[17084:0] info: response for . NS IN
[1597230782] libunbound[17084:0] info: reply from <.> 2001:500:a8::e#53
[1597230782] libunbound[17084:0] info: query response was ANSWER
[1597230782] libunbound[17084:0] info: priming successful for . NS IN
[1597230782] libunbound[17084:0] info: response for gammaconsult.com. CAA IN
[1597230782] libunbound[17084:0] info: reply from <.> 2001:500:2d::d#53
[1597230783] libunbound[17084:0] info: query response was REFERRAL
[1597230783] libunbound[17084:0] info: response for gammaconsult.com. CAA IN
[1597230783] libunbound[17084:0] info: reply from <com.> 2001:503:a83e::2:30#53
[1597230783] libunbound[17084:0] info: query response was REFERRAL
[1597230783] libunbound[17084:0] info: response for gammaconsult.com. CAA IN
[1597230783] libunbound[17084:0] info: reply from <gammaconsult.com.> 176.111.52.245#53
[1597230783] libunbound[17084:0] info: query response was ANSWER
[1597230783] libunbound[17084:0] info: prime trust anchor
[1597230783] libunbound[17084:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
[1597230783] libunbound[17084:0] info: resolving . DNSKEY IN
[1597230783] libunbound[17084:0] info: resolving _ta-4a5c-4f66. NULL IN
[1597230783] libunbound[17084:0] info: error sending query to auth server 199.7.83.42 port 53
[1597230783] libunbound[17084:0] info: response for _ta-4a5c-4f66. NULL IN
[1597230783] libunbound[17084:0] info: reply from <.> 199.7.91.13#53
[1597230783] libunbound[17084:0] info: query response was NXDOMAIN ANSWER
[1597230783] libunbound[17084:0] info: response for . DNSKEY IN
[1597230783] libunbound[17084:0] info: reply from <.> 202.12.27.33#53
[1597230783] libunbound[17084:0] info: query response was ANSWER
[1597230783] libunbound[17084:0] info: validate keys with anchor(DS): sec_status_secure
[1597230783] libunbound[17084:0] info: Successfully primed trust anchor . DNSKEY IN
[1597230783] libunbound[17084:0] info: validated DS com. DS IN
[1597230783] libunbound[17084:0] info: resolving com. DNSKEY IN
[1597230783] libunbound[17084:0] info: response for com. DNSKEY IN
[1597230783] libunbound[17084:0] info: reply from <com.> 2001:500:856e::30#53
[1597230783] libunbound[17084:0] info: query response was ANSWER
[1597230783] libunbound[17084:0] info: validated DNSKEY com. DNSKEY IN
[1597230783] libunbound[17084:0] info: validated DS gammaconsult.com. DS IN
[1597230783] libunbound[17084:0] info: resolving gammaconsult.com. DNSKEY IN
[1597230783] libunbound[17084:0] info: response for gammaconsult.com. DNSKEY IN
[1597230783] libunbound[17084:0] info: reply from <gammaconsult.com.> 176.111.52.243#53
[1597230783] libunbound[17084:0] info: query response was ANSWER
[1597230783] libunbound[17084:0] info: validated DNSKEY gammaconsult.com. DNSKEY IN
[1597230783] libunbound[17084:0] info: validate(positive): sec_status_secure
[1597230783] libunbound[17084:0] info: validation success gammaconsult.com. CAA IN
gammaconsult.com. has CAA record 0 issue "letsencrypt.org" (secure)
gammaconsult.com. has CAA record 0 issuewild "letsencrypt.org" (secure)

PS: Ah, I see - Unboundtest has the same error.

So does https://letsdebug.net/gammaconsult.com/253082.

Here’s what a normal response from the gTLD nameservers looks like:

Frame 2: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits) on interface eth0, id 0
Ethernet II, Src: Cisco_0d:97:c1 (84:78:ac:0d:97:c1), Dst: f2:3c:91:a2:6a:56 (f2:3c:91:a2:6a:56)
Internet Protocol Version 6, Src: 2001:503:eea3::30, Dst: 2600:3c03::f03c:91ff:fea2:6a56
User Datagram Protocol, Src Port: 53, Dst Port: 39980
Domain Name System (response)
    Transaction ID: 0x8af6
    Flags: 0x8100 Standard query response, No error
    Questions: 1
    Answer RRs: 0
    Authority RRs: 2
    Additional RRs: 3
    Queries
    Authoritative nameservers
    Additional records
        ns.GAmmaConSult.CoM: type A, class IN, addr 176.111.52.245
        ns2.GAmmaConSult.CoM: type A, class IN, addr 176.111.52.243
        <Root>: type OPT
    [Request In: 1]
    [Time: 0.063429679 seconds]

Here’s what Unbound is receiving:

Frame 89: 541 bytes on wire (4328 bits), 541 bytes captured (4328 bits) on interface eth0, id 0
Ethernet II, Src: Cisco_57:aa:c1 (84:78:ac:57:aa:c1), Dst: f2:3c:91:a2:6a:56 (f2:3c:91:a2:6a:56)
Internet Protocol Version 4, Src: 192.12.94.30, Dst: 172.104.24.29
User Datagram Protocol, Src Port: 53, Dst Port: 35649
Domain Name System (response)
    Transaction ID: 0xe574
    Flags: 0x8010 Standard query response, No error
    Questions: 1
    Answer RRs: 0
    Authority RRs: 7
    Additional RRs: 1
    Queries
    Authoritative nameservers
    Additional records
        <Root>: type OPT
    [Request In: 78]
    [Time: 0.020171440 seconds]

Note the missing 2 additional glue records in the latter packet.

(Some of the other numbers are different because DNSSEC was enabled in one but not the other, but I’ve tried disabling DNSSEC validation and it makes no difference).

I don't understand much :worried: but what would you suggest I do to fix this problem?

I’m 99% sure this is a truncation/packet size issue.

I think the 4 DS records that the domain has is causing the “Additional” section to go bye-bye.

When I disable do-udp in Unbound, the issue goes away.

@atanas.ag do you really need the 4x DNSSEC setup? Can you use just one key?


Oh, that may be the problem.

Checked with dig and +dnssec:

:~$ dig NS +dnssec gammaconsult.com. @192.41.162.30

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> NS +dnssec gammaconsult.com. @192.41.162.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63964
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;gammaconsult.com. IN NS

;; AUTHORITY SECTION:
gammaconsult.com. 172800 IN NS ns.gammaconsult.com.
gammaconsult.com. 172800 IN NS ns2.gammaconsult.com.
gammaconsult.com. 86400 IN DS 25387 8 2 38C33D240EA51465943DA3755206C2E7ED6839A0CF3E996E6C61CA2E C39C6606
gammaconsult.com. 86400 IN DS 54647 8 4 9B2A7903B6C12B5A2BEE4416A494F76B82C3C9F840755AECA4692D86 E8664BF176E614048F9BDA497E270C8689C36E47
gammaconsult.com. 86400 IN DS 54647 8 2 538C3DB96688AE336E40A351BCD2477001F2DF140F8462C690757B3B A790DDB0
gammaconsult.com. 86400 IN DS 25387 8 4 3C5D6F4DDFFB2C87EA8C7013A732F8B036BEF6B2EA35C3311BAE0880 E29327837CB54FD919B872EC42D0000049EBFB8D
gammaconsult.com. 86400 IN RRSIG DS 8 2 86400 20200819062336 20200812051336 24966 com. uP6SAqo7+ujKr0JEQikHQLjKsQjejSSPBNwmUgWSdEzkw6jJJSpfeGUK PlWZ0QOfXTuYAsE2sZLQS5vcpAV0BH1kPd7QMTL8m4NK7es2QJR+R3Rq ePH2KA18inn0GdbzB0D+1MScSEh8BkdB+AByKfG0jiY0MVXBJOwaNXyz GzO/q2mMJzjJ/dhG24eE06LQaDGOkLhepdPlKlc7oi9pDA==

;; ADDITIONAL SECTION:
ns.gammaconsult.com. 172800 IN A 176.111.52.245
ns2.gammaconsult.com. 172800 IN A 176.111.52.243

;; Query time: 32 msec
;; SERVER: 192.41.162.30#53(192.41.162.30)
;; WHEN: Wed Aug 12 13:28:45 CEST 2020
;; MSG SIZE rcvd: 531

Looks like the message is too large.

@atanas.ag : There are 4 DS records. Normally, only one is expected, max. 2.

So the message is too big.

PS:

I think the 4 DS records that the domain has is causing the “Additional” section to go bye-bye.

Yep, same idea. So the additional part is removed.

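The sizes discussed above can be checked without touching the network. The following is an added example for this thread, not code from any of the posters or from Let's Encrypt: it re-encodes the .com referral shown in the dig output, with RFC 1035 name compression, so the message sizes fall out of the record set rather than being measured. The two NS records, the glue, and the four DS records are taken from the dig output; the 160-byte RRSIG signature is replaced by a zero placeholder of the same length and the RRSIG timestamps are zeroed, since neither changes the size. The buffer sizes used in the demo (512, 1232, 4096) are illustrative; the thread does not say which EDNS buffer size Let's Encrypt's resolver advertises.

```python
"""
Rebuild the .com referral for gammaconsult.com from the dig output in this thread and
show how its size interacts with the UDP buffer a resolver advertises.
Added example for this thread; the sizes are computed, not captured.
"""
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_DS, TYPE_RRSIG = 1, 2, 41, 43, 46
CLASS_IN = 1


class Packer:
    """Minimal DNS wire encoder with RFC 1035 section 4.1.4 name compression.  Like an
    authoritative server, it turns any name (or suffix) that already appeared earlier in
    the message, owner names and NS targets alike, into a 2-byte pointer."""

    def __init__(self):
        self.buf = bytearray()
        self.seen = {}  # lowercase domain suffix -> offset of its first occurrence

    def name(self, fqdn, compress=True):
        labels = [l for l in fqdn.lower().split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if compress and suffix in self.seen:
                self.buf += struct.pack("!H", 0xC000 | self.seen[suffix])
                return
            if len(self.buf) < 0x4000:  # pointers only reach 14 bits
                self.seen.setdefault(suffix, len(self.buf))
            self.buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels.pop(0)
        self.buf += b"\x00"

    def rr(self, owner, rtype, rclass, ttl, rdata):
        """Append one RR.  rdata is raw bytes, or a callable that writes into this
        packer so that names inside RDATA (NS targets) can be compressed too."""
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, rclass, ttl)
        len_at = len(self.buf)
        self.buf += b"\x00\x00"
        if callable(rdata):
            rdata(self)
        else:
            self.buf += rdata
        struct.pack_into("!H", self.buf, len_at, len(self.buf) - len_at - 2)


# Referral content exactly as in the dig output above (gammaconsult.com delegated from .com).
QNAME = "gammaconsult.com."
NS_NAMES = ("ns.gammaconsult.com.", "ns2.gammaconsult.com.")
GLUE = {"ns.gammaconsult.com.": "176.111.52.245", "ns2.gammaconsult.com.": "176.111.52.243"}
# (key tag, algorithm, digest type, digest hex): the four DS records .com published
DS_SET = [
    (25387, 8, 2, "38C33D240EA51465943DA3755206C2E7ED6839A0CF3E996E6C61CA2EC39C6606"),
    (54647, 8, 4, "9B2A7903B6C12B5A2BEE4416A494F76B82C3C9F840755AECA4692D86E8664BF176E614048F9BDA497E270C8689C36E47"),
    (54647, 8, 2, "538C3DB96688AE336E40A351BCD2477001F2DF140F8462C690757B3BA790DDB0"),
    (25387, 8, 4, "3C5D6F4DDFFB2C87EA8C7013A732F8B036BEF6B2EA35C3311BAE0880E29327837CB54FD919B872EC42D0000049EBFB8D"),
]
# The RRSIG(DS) signature in the dig output is 216 base64 characters = 160 bytes; only its
# length matters for the size, so a zero placeholder of that length stands in for it.
RRSIG_SIG = b"\x00" * 160


def encode_referral(ds_set, with_glue=True, client_bufsize=4096, tc=False):
    """Encode the referral .com sends for QNAME: NS RRset, plus DS RRset and RRSIG when the
    query had DO set (ds_set is not None), optional glue, and the OPT record."""
    p = Packer()
    dnssec = ds_set is not None
    ns_count = len(NS_NAMES) + (len(ds_set) + 1 if dnssec else 0)
    ar_count = (len(GLUE) if with_glue else 0) + 1
    flags = 0x8100 | (0x0200 if tc else 0)  # QR + RD echoed (0x8100 in the captures), TC bit
    p.buf += struct.pack("!HHHHHH", 0xE574, flags, 1, 0, ns_count, ar_count)
    p.name(QNAME)
    p.buf += struct.pack("!HH", TYPE_NS, CLASS_IN)
    for ns in NS_NAMES:
        p.rr(QNAME, TYPE_NS, CLASS_IN, 172800, lambda pk, t=ns: pk.name(t))
    if dnssec:
        for keytag, alg, dtype, digest in ds_set:
            p.rr(QNAME, TYPE_DS, CLASS_IN, 86400,
                 struct.pack("!HBB", keytag, alg, dtype) + bytes.fromhex(digest))

        def rrsig(pk):
            # type covered, algorithm, labels, original TTL, expiration, inception, key tag;
            # the two timestamps are zeroed here because they do not affect the size
            pk.buf += struct.pack("!HBBIIIH", TYPE_DS, 8, 2, 86400, 0, 0, 24966)
            pk.name("com.", compress=False)  # RFC 4034 s3.1.7: signer name is never compressed
            pk.buf += RRSIG_SIG
        p.rr(QNAME, TYPE_RRSIG, CLASS_IN, 86400, rrsig)
    if with_glue:
        for ns in NS_NAMES:
            p.rr(ns, TYPE_A, CLASS_IN, 172800, bytes(int(o) for o in GLUE[ns].split(".")))
    p.rr(".", TYPE_OPT, client_bufsize, 0, b"")  # OPT: the class field carries the UDP payload size
    return bytes(p.buf)


def respond(ds_set, client_bufsize):
    """Emulate an authoritative server answering a UDP client that advertises
    client_bufsize: send the complete referral if it fits, otherwise drop the glue
    (the optional additional section) first, and only if that still does not fit set
    TC=1 so the resolver retries over TCP.  Returns (outcome, size of the message)."""
    full = encode_referral(ds_set, True, client_bufsize)
    if len(full) <= client_bufsize:
        return "complete", len(full)
    no_glue = encode_referral(ds_set, False, client_bufsize)
    if len(no_glue) <= client_bufsize:
        return "glue-dropped", len(no_glue)
    return "truncated", len(no_glue)


def glue_required():
    """True when every NS target lies inside the delegated zone itself: without glue a
    resolver has nothing it can resolve on its own, which is the SERVFAIL case above."""
    return all(ns.endswith("." + QNAME) for ns in NS_NAMES)


if __name__ == "__main__":
    sha256_only = [d for d in DS_SET if d[2] == 2]
    for label, ds in (("4 DS (two digests per KSK)", DS_SET), ("2 DS (SHA-256 only)", sha256_only), ("no DNSSEC", None)):
        for bufsize in (512, 1232, 4096):
            print("%-28s bufsize=%4d -> %s" % (label, bufsize, respond(ds, bufsize)))
    print("in-bailiwick nameservers, glue required:", glue_required())
```

Three numbers tie back to the thread: the full referral is 531 bytes (dig's MSG SIZE rcvd); dropping the two glue A records gives 499 bytes, which is exactly the 541-byte IPv4 frame _az captured minus the 14 + 20 + 8 bytes of Ethernet, IP and UDP headers; and the non-DNSSEC referral is 112 bytes, matching the 174-byte IPv6 frame (174 - 14 - 40 - 8). With one SHA-256 DS per KSK the referral shrinks to 403 bytes and fits in a 512-byte buffer with the glue intact. To probe the live servers the same way, compare `dig +dnssec +norecurse +bufsize=512 NS gammaconsult.com @192.41.162.30` with `+bufsize=4096` and watch the ADDITIONAL count.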

Should I wait for something or do I need to change something in my DNS config or router config?

It’s your DNS config.

You have DNSSEC setup at your domain registrar and your DNS host, which is fine.

Only problem is, at your domain registrar (web.com I think), you have DNSSEC setup 4 times - 4 different keys. This is causing problems for Let’s Encrypt’s resolver.

You are probably only using one of the DNSSEC keys. You should delete the 3 you are not using.

Your DNSSEC has too much in it.

Public Key with Algorithm 8, KeyTag 7948, Flags 256
Public Key with Algorithm 8, KeyTag 25387, Flags 257 (SEP = Secure Entry Point)
Public Key with Algorithm 8, KeyTag 54647, Flags 257 (SEP = Secure Entry Point)
Public Key with Algorithm 8, KeyTag 57099, Flags 256

Two SEP, looks like a key rotation. But nobody knows which is the old and which is the new key.

And nobody knows when you added the new one, so whether it is possible to remove the old one.

Result: The parent zone has 4 DS:

  • DS with Algorithm 8, KeyTag 25387, DigestType 2 and Digest OMM9JA6lFGWUPaN1UgbC5+1oOaDPPplubGHKLsOcZgY=
  • DS with Algorithm 8, KeyTag 25387, DigestType 4 and Digest PF1vTd/7LIfqjHATpzL4sDa+9rLqNcMxG64IgOKTJ4N8tU/ZGbhy7ELQAABJ6/uN
  • DS with Algorithm 8, KeyTag 54647, DigestType 2 and Digest U4w9uWaIrjNuQKNRvNJHcAHy3xQPhGLGkHV7O6eQ3bA=
  • DS with Algorithm 8, KeyTag 54647, DigestType 4 and Digest myp5A7bBK1or7kQWpJT3a4LDyfhAdVrspGkthuhmS/F25hQEj5vaSX4nDIaJw25H

Two per key, with DigestType 2 and DigestType 4. Normally, one DigestType 2 should be enough.

In my config I have 2 keys for the reverse zone and 2 keys for the domain. Now I have deleted one key of each kind, so will this work or do I need to do it with my registrar too?

I don't know. Never managed own name servers, too complicated. If you use your own name servers, you know what you have to do.

Check the parent zone DS with dig. If there are 4 DS, that's too much.

Checked my own domain. Only one DS, size of 282.

I've tried to remove these extra keys but on Windows DNS Server it is not possible to have fewer than 3 keys: 2 keys are active and one is standby. I already wrote to my registrar to change the DS keys in the .com zone for my domain and will check again tomorrow to see what will happen.

Isn't it the job of your dns server to update the parent zone?

Checked one of my name servers with DNSSEC:

:~$ dig NS +dnssec ns4.inwx.com. @192.41.162.30

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> NS +dnssec ns4.inwx.com. @192.41.162.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5213
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 13
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ns4.inwx.com. IN NS

;; AUTHORITY SECTION:
inwx.com. 172800 IN NS damon.ns.cloudflare.com.
inwx.com. 172800 IN NS dell.ns.cloudflare.com.
inwx.com. 86400 IN DS 2371 13 2 2C89F04E9BD72F81C6F9F03ADBD964986843E778EE9D088AF9832711 CE17031B
inwx.com. 86400 IN RRSIG DS 8 2 86400 20200816042336 20200809031336 24966 com. GISsJ7uGSLRYMUM+tU3UyZCxaJePu89PY7SYDAPdwhAthWVVLdTyt4Zc f/LSOeNyy+5xOJe2VUdoCZykMofSSiFp1gJ0vhminnvxML82TEAIydNP T30X1iPdDEqj9FKibx0kTrBY8GzQ94omKf9KdMGfoJRAdgbyS0yP0psF qlWdLPplKvLh37DSojpwa7VYQaPGFYr55Boy+zBUrWgCxQ==

There is only a DS with DigestType 2, not 4.

So the two values, DigestType 2 and 4, may have been created by your system.

So you should be able to remove the DigestType 4. Then you have only 2 DS.
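Where the four DS records come from, and what a trimmed-down set looks like, can be shown by generating them. The following is an added example, not code from the thread's participants, the registrar, or Windows DNS Server: it derives DS records from a zone's DNSKEY RRset per RFC 4034, audits a parent-side DS set against the child's current keys (the "two digest types per KSK" situation listed above, and the leftover-after-rollover case), and prints the one-DS-per-KSK set to hand to a registrar. The DNSKEY public keys, the key layout (two SEP keys plus two ZSKs, mirroring the listing above) and the parent DS set are all constructed inline under the hypothetical name example.test; none of them are gammaconsult.com's real keys, so the key tags and digests it prints will not match the thread.

```python
"""
Derive DS records from a zone's DNSKEY RRset (RFC 4034 section 5.1.4) and audit the DS set
a parent publishes against them.  Added example; every key below is a constructed placeholder.
"""
import hashlib
import struct

SEP_FLAG = 0x0001                                      # RFC 4034 s2.1.1: SEP bit marks a KSK (flags 257)
DIGEST_ALGOS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types 2 (RFC 4509) and 4 (RFC 6605)
PREFERRED_DIGEST = 2                                   # SHA-256: the digest type every validator supports


def wire_name(fqdn):
    """Owner name in canonical (lowercase, uncompressed) wire form, RFC 4034 s6.2."""
    labels = [l for l in fqdn.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, rdata, digest_type):
    """DS = (key tag, algorithm, digest type, digest(owner name | DNSKEY RDATA))."""
    digest = DIGEST_ALGOS[digest_type](wire_name(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def minimal_ds_set(owner, dnskeys):
    """One SHA-256 DS per SEP key: the set to give the registrar.  ZSKs never get a DS."""
    return [make_ds(owner, dnskey_rdata(f, a, k), PREFERRED_DIGEST)
            for f, a, k in dnskeys if f & SEP_FLAG]


def audit_parent_ds(owner, dnskeys, parent_ds):
    """Classify each DS the parent publishes against the child's current SEP keys:
    'valid' (first matching DS for a key), 'redundant' (a further digest type for a key
    that already has a valid DS), 'stale' (matches no current key, e.g. left over from an
    old KSK after a rollover).  Returns {status: [(key tag, digest type), ...]}."""
    expected = {}
    for flags, alg, pub in dnskeys:
        if flags & SEP_FLAG:
            rdata = dnskey_rdata(flags, alg, pub)
            for dt in DIGEST_ALGOS:
                tag, _, _, digest = make_ds(owner, rdata, dt)
                expected[(tag, dt)] = digest
    report = {"valid": [], "redundant": [], "stale": []}
    covered = set()
    for tag, alg, dt, digest in parent_ds:
        if expected.get((tag, dt)) != digest:
            report["stale"].append((tag, dt))
        elif tag in covered:
            report["redundant"].append((tag, dt))
        else:
            covered.add(tag)
            report["valid"].append((tag, dt))
    return report


def ds_presentation(owner, ds):
    """Zone-file form of a DS record, as typed into a registrar's DS form."""
    tag, alg, dt, digest = ds
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dt, digest.hex().upper())


def fake_key(label):
    """Constructed 256-byte stand-in for an RSA public key; deterministic, not a real key."""
    return hashlib.sha512(label.encode()).digest() * 4


# Constructed sample zone: two KSKs (flags 257) and two ZSKs (flags 256), algorithm 8.
OWNER = "example.test."
ZONE_KEYS = [(257, 8, fake_key("ksk-current-1")), (257, 8, fake_key("ksk-current-2")),
             (256, 8, fake_key("zsk-1")), (256, 8, fake_key("zsk-2"))]
RETIRED_KSK = (257, 8, fake_key("ksk-retired"))

# Constructed parent DS set in the shape seen in the thread: two digest types for each
# current KSK, plus a DS for a KSK that was retired but never removed at the registrar.
PARENT_DS = [make_ds(OWNER, dnskey_rdata(*k), dt)
             for k in ZONE_KEYS if k[0] & SEP_FLAG for dt in (2, 4)]
PARENT_DS.append(make_ds(OWNER, dnskey_rdata(*RETIRED_KSK), 2))

if __name__ == "__main__":
    for status, entries in audit_parent_ds(OWNER, ZONE_KEYS, PARENT_DS).items():
        print("%-9s %s" % (status, entries))
    print("publish only:")
    for ds in minimal_ds_set(OWNER, ZONE_KEYS):
        print(" ", ds_presentation(OWNER, ds))
```

Only SEP keys get a DS; ZSKs never appear at the parent. Two digest types for the same key are both valid, so the audit reports the second one as redundant rather than wrong: its cost is the extra DS RR (48 or 64 bytes on the wire depending on digest type) in every referral the parent sends. A DS whose key tag and digest match no current SEP key is reported as stale, which is the case to look for after a KSK rollover, when the old key's DS tends to be forgotten at the registrar.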

OK, but now I receive another error: NS problem: SERVFAIL looking up TXT for _acme-challenge.gammaconsult.com - the domain's nameservers may be malfunctioning

I’m totally confused what is going on now because this client automatically creates DNS TXT records?!

That's expected. Now you have created the next mess - gammaconsult.com - Make your website better - DNS, redirects, mixed content, certificates

Now your DNSSEC is broken.

Please switch to a working DNS provider instead of using a wrongly configured own DNS server.

Sure, I need to have my own DNS server for other reasons. I'll wait until tomorrow for DNSSEC to be fixed and will write if this does not work. Thank you very much for your help!

@JuergenAuer Hello, thank you very much for pointing me in the right direction to resolve my issue with cert renewal. After I reduced the DNSKEY keys to 2 through our registrar I'm able to generate new certs! Thanks again! :beers: :beers: :beers: :beers: