DNS Server Does Not Support echo capitalization - Boulder Unable to Resolve IP

Hi @orzorc,

Did you change the DNS servers used since the last issued certificate?

If the answer is no, that is very strange; if the answer is yes, it could be because your DNS servers don’t answer DNS questions in a case-sensitive way.

I mean, Let’s Encrypt’s Boulder tries to resolve your domain but capitalizes some random letters: instead of static.orzorc.space it will try something like sTatiC.orZOrc.SpAce, and your DNS servers should answer that question, and the answer should provide the same name.

What boulder expects (pay attention to QUESTION and ANSWER sections):

$ dig @ns1.oray.net sTatiC.ORzorc.sPAce

; <<>> DiG 9.9.7 <<>> @ns1.oray.net sTatiC.ORzorc.sPAce
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59998
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sTatiC.ORzorc.sPAce.           IN      A

;; ANSWER SECTION:
sTatiC.ORzorc.sPAce.    60      IN      A       119.131.107.26

;; Query time: 437 msec
;; SERVER: 115.29.234.127#53(115.29.234.127)
;; WHEN: mi. may. 03 16:38:04 RDT 2017
;; MSG SIZE  rcvd: 53

What your DNS servers answer:

$ dig @ns1.oray.net sTatiC.ORzorc.sPAce

; <<>> DiG 9.9.7 <<>> @ns1.oray.net sTatiC.ORzorc.sPAce
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59998
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;static.orzorc.space.           IN      A

;; ANSWER SECTION:
static.orzorc.space.    60      IN      A       119.131.107.26

;; Query time: 437 msec
;; SERVER: 115.29.234.127#53(115.29.234.127)
;; WHEN: mi. may. 03 16:38:04 RDT 2017
;; MSG SIZE  rcvd: 53

Also, your servers don’t answer TCP queries:

$ dig @ns1.oray.net sTatiC.ORzorc.sPAce +tcp

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @ns1.oray.net sTatiC.ORzorc.sPAce +tcp
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

And one of the IPs of ns2.oray.net times out randomly (at least from my side):

$ dig @103.44.145.243 sTatiC.ORzorc.sPAce

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @103.44.145.243 sTatiC.ORzorc.sPAce
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I don’t know if any of these issues is the root cause of your problem; maybe @jsha or @cpu could check what the actual problem is, but it seems your DNS servers are not working very well.

Cheers,
sahsanu

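The case-echo check described in the post above, as an added example that is not part of the original post and is not Boulder's code: it builds a mixed-case query in DNS wire format and compares the QNAME in the reply's question section byte for byte. The function names are hypothetical and both replies are constructed in the script, so nothing is sent over the network.

```python
import struct

def randomize_case(name, rng):
    """Return name with each letter's case picked at random (0x20 mixing)."""
    return "".join(rng.choice((c.lower(), c.upper())) for c in name)

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qid, qtype=1):
    """Build a one-question query (QTYPE A by default, QCLASS IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def question_name(msg):
    """Extract the QNAME from the question section exactly as it is on the wire."""
    if struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def echoes_case(query, response):
    """True when the reply has the query's id and a byte-identical QNAME."""
    same_id = query[:2] == response[:2]
    return same_id and question_name(query) == question_name(response)

def fake_response(query, lowercase):
    """Constructed reply: question only, QR|AA set, name optionally lower-cased."""
    name = question_name(query)
    body = encode_name(name.lower() if lowercase else name) + query[-4:]
    return query[:2] + struct.pack("!HHHHH", 0x8400, 1, 0, 0, 0) + body

# Constructed sample data: the mixed-case name and query id shown in the post.
QUERY = build_query("sTatiC.ORzorc.sPAce", qid=59998)
GOOD = fake_response(QUERY, lowercase=False)  # server echoes the case
BAD = fake_response(QUERY, lowercase=True)    # server rewrites to lower case

if __name__ == "__main__":
    print(question_name(QUERY), echoes_case(QUERY, GOOD), echoes_case(QUERY, BAD))
```

To test a live server, the bytes from `build_query` can be sent over a UDP socket to port 53 and the raw reply passed to `echoes_case`.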