I am trying to get a TLS certificate for kdgregoryart.bedeckers.com. I have had the owner of the domain follow a lot of the steps from DNSSEC Errors and random Cloudflare IPs? - #2 by petercooperjr. Despite adding a CAA record and toggling the DNSSEC on the account with Bluehost, I am unable to pass the http-01 challenge. The domain had a certificate continuously from June 2022 until June 30th when it expired because we could not renew. Any help here would be greatly appreciated.
Our custom client returned the following error as of a few moments ago:

```
{ "type": "urn:ietf:params:acme:error:dns", "detail": "DNS problem: looking up CAA for kdgregoryart.bedeckers.com: DNSSEC: Bogus: validation failure <kdgregoryart.bedeckers.com. CAA IN>: nodata proof failed from 162.159.25.175", "subproblems": [] }
```
So I ran: dig @162.159.25.175 kdgregoryart.bedeckers.com caa
The output is:
```
; <<>> DiG 9.10.6 <<>> @162.159.25.175 kdgregoryart.bedeckers.com caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33893
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
```
It's getting beyond my expertise, but I think it's trying to say that the name doesn't exist at all when asked about records (like AAAA and CAA) which should be empty, even though the name exists. What DNS server software is the domain using?
In fact the opposite (if I understand you correctly). See the following explanation from DNSViz:
NSEC proving non-existence of kdgregoryart.bedeckers.com/CAA: The following queries resulted in an answer response, even though the NSEC records indicate that the queried names don't exist: kdgregoryart.bedeckers.com/A See RFC 4035, Sec. 3.1.3.2.
(Impossible to copy/paste this popup part of DNSViz unfortunately)
Notice the value of the "NSEC" part: it's only an NSEC RR for the apex domain bedeckers.com. Apparently (NSEC isn't my speciality either) this is only valid if the requested hostname kdgregoryart.bedeckers.com does not exist. But it does exist, because there's an A RR. Thus the NSEC RR is invalid, which makes the DNSSEC validity bogus.
If the zone contains RRsets matching <SNAME, SCLASS> but contains no RRset matching <SNAME, SCLASS, STYPE>, then the name server MUST include the NSEC RR for <SNAME, SCLASS> along with its associated RRSIG RR(s) in the Authority section of the response (see Section 3.1.1).
OP should request their DNS service provider to fix the NSEC RR(s).
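As an added illustration (not written by anyone in this thread), here is the check a validating resolver applies to a NOERROR/ANSWER:0 ("NODATA") response, following RFC 4035 section 3.1.3.1: the NSEC RR must be owned by the queried name itself and omit the queried type. The records are constructed to mirror the thread (the apex NSEC returned for a name that has an A record); the "mail.bedeckers.com" next-name and the type bitmaps are made up, and wildcards and NSEC3 are not modelled.

```python
# Added example, not from the thread: how a validating resolver judges a NODATA
# response that carries a single NSEC RR (RFC 4035 section 3.1.3.1).  All records
# below are constructed; "mail.bedeckers.com" and the type bitmaps are invented.

def canonical_key(name):
    """RFC 4034 section 6.1 ordering: labels compared right to left, case-insensitive;
    a parent name (proper prefix of the label list) sorts before its children."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between owner and next_name in the NSEC chain.
    The last NSEC in a zone points back to the apex, so the interval may wrap."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    return o < q < n if o < n else (q > o or q < n)

def classify_nsec_proof(nsec, qname, qtype):
    """What one NSEC RR {owner, next, types} proves about <qname, qtype>."""
    owner, nxt, types = nsec["owner"], nsec["next"], {t.upper() for t in nsec["types"]}
    if canonical_key(owner) == canonical_key(qname):
        # Owner matches the queried name: a NODATA proof iff qtype is not in the bitmap.
        return "NODATA" if qtype.upper() not in types else "NOPROOF"
    if nsec_covers(owner, nxt, qname):
        return "NXDOMAIN"   # the NSEC asserts that the whole name does not exist
    return "NOPROOF"

def validate_nodata_response(nsec, qname, qtype, known_types_at_qname=()):
    """Return (status, reason) for a NODATA answer carrying one NSEC RR.
    known_types_at_qname: types the resolver has already seen answered at qname."""
    proof = classify_nsec_proof(nsec, qname, qtype)
    if proof == "NODATA":
        return "secure", "NSEC owned by %s omits %s" % (qname, qtype.upper())
    if proof == "NXDOMAIN" and known_types_at_qname:
        return "bogus", ("NSEC for %s claims %s does not exist, yet it answers %s"
                         % (nsec["owner"], qname, "/".join(known_types_at_qname)))
    return "bogus", "no NSEC RR owned by %s: nodata proof failed" % qname

# Constructed reproduction of the thread: only the apex NSEC comes back.
BROKEN_NSEC = {"owner": "bedeckers.com.", "next": "mail.bedeckers.com.",
               "types": ["A", "NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"]}
# What a correct zone serves instead: an NSEC owned by the queried name itself.
FIXED_NSEC = {"owner": "kdgregoryart.bedeckers.com.", "next": "mail.bedeckers.com.",
              "types": ["A", "RRSIG", "NSEC"]}

if __name__ == "__main__":
    for nsec in (BROKEN_NSEC, FIXED_NSEC):
        print(validate_nodata_response(nsec, "kdgregoryart.bedeckers.com", "CAA", ("A",)))
```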