DNSSEC Errors and random Cloudflare IPs?

My domain is: www.clevelanddesign.com

I ran this command: unknown

It produced this output: unknown

My web server is (include version): unknown

The operating system my web server runs on is (include version): unknown

My hosting provider, if applicable, is: Pantheon

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes - Pantheon proprietary

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): unknown

I am trying to figure out, with very limited DNS/certification knowledge, why Pantheon has been able to certify for clevelanddesign.com but not www.clevelanddesign.com.

NetSol is authoritative for DNS.

LetsDebug reports this:

DNSLookupFailed
FATAL
A fatal issue occurred during the DNS lookup process for www.clevelanddesign.com/CAA.
DNS response for www.clevelanddesign.com had fatal DNSSEC issues: validation failure <www.clevelanddesign.com. CAA IN>: nodata proof failed from 162.159.27.146 and 162.159.27.146

However, it seems that both of those IPs are Cloudflare, which the site does not use.

DNSViz only shows warnings: www.clevelanddesign.com | DNSViz

The error in our logs when trying to verify www.clevelanddesign.com:

acme: authorization error for www.clevelanddesign.com: 400 urn:ietf:params:acme:error:dns: DNS problem: SERVFAIL looking up CAA for www.clevelanddesign.com - the domain's nameservers may be malfunctioning

dig caa clevelanddesign.com:

dig caa clevelanddesign.com

; <<>> DiG 9.10.6 <<>> caa clevelanddesign.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16171
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;clevelanddesign.com.		IN	CAA

;; ANSWER SECTION:
clevelanddesign.com.	2886	IN	CAA	0 issue "letsencrypt.org"

;; AUTHORITY SECTION:
clevelanddesign.com.	9341	IN	NS	ns34.worldnic.com.
clevelanddesign.com.	9341	IN	NS	ns33.worldnic.com.

;; ADDITIONAL SECTION:
ns33.worldnic.com.	9341	IN	A	162.159.26.212
ns34.worldnic.com.	9341	IN	A	162.159.27.146

;; Query time: 8 msec
;; SERVER: 192.168.245.18#53(192.168.245.18)
;; WHEN: Thu Nov 11 10:21:47 PST 2021
;; MSG SIZE  rcvd: 161

dig caa www.clevelanddesign.com

; <<>> DiG 9.10.6 <<>> caa www.clevelanddesign.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4917
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.clevelanddesign.com.	IN	CAA

;; AUTHORITY SECTION:
clevelanddesign.com.	3600	IN	SOA	NS33.WORLDNIC.com. namehost.WORLDNIC.com. 121110815 10800 3600 604800 3600

;; Query time: 82 msec
;; SERVER: 192.168.245.18#53(192.168.245.18)
;; WHEN: Thu Nov 11 10:23:08 PST 2021
;; MSG SIZE  rcvd: 111

I would be so grateful for guidance as far as what to try next, or where to look. Thank you!


DNSViz only checks CAA records if you go into the advanced options to ask it to, which is a bit annoying when diagnosing this sort of thing.

https://dnsviz.net/d/www.clevelanddesign.com/dnssec/?rr=257&a=all&ds=all&ta=.&tk=

  • NSEC proving non-existence of www.clevelanddesign.com/CAA: No NSEC RR matches the SNAME (www.clevelanddesign.com).
  • NSEC proving non-existence of www.clevelanddesign.com/CAA: The following queries resulted in an answer response, even though the NSEC records indicate that the queried names don't exist: www.clevelanddesign.com/AAAA, www.clevelanddesign.com/A

That's not what I see, using a DNSSEC-validating resolver:

$ dig caa www.clevelanddesign.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> caa www.clevelanddesign.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1661
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.clevelanddesign.com.       IN      CAA

;; Query time: 163 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Thu Nov 11 18:27:20 UTC 2021
;; MSG SIZE  rcvd: 52

Another tool you can check is unboundtest, which uses the same DNS server settings as Let's Encrypt (and so is also showing the SERVFAIL):

https://unboundtest.com/m/CAA/www.clevelanddesign.com/4LEUY43Z


The short of it seems to be that your DNS server isn't handling the lack of a CAA record for www.clevelanddesign.com correctly. There's not a whole lot that you can do, as your DNS provider needs to be the one to fix it. It's possible that you could work around their bug if you add a CAA record for www.clevelanddesign.com (in addition to your existing one for clevelanddesign.com). You might also try disabling and re-enabling DNSSEC with your DNS provider, if that's an easy thing to do with their platform.

And thanks for providing so much detail! It makes these kinds of things much easier to look into.

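As an added illustration (not code from the thread, from Let's Encrypt or from DNSViz), this Python sketch performs the NSEC NODATA-proof check a validating resolver applies under RFC 4035 section 5.4, which is the check the two DNSViz warnings above are reporting on: an NSEC whose owner matches the queried name and whose bitmap omits CAA proves NODATA, while an NSEC that merely "covers" the name is an NXDOMAIN proof and contradicts the A/AAAA answers the name also returns. RRSIG verification is left out, the names are the thread's, and the NSEC record contents are constructed to model the two cases rather than fetched from the live zone.

```python
"""NSEC NODATA-proof check after RFC 4035 section 5.4 (added illustration).
RRSIG verification, which a real validator also performs, is left out.
The NSEC contents below are constructed, not fetched from the live zone."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Nsec:
    owner: str          # owner name of the NSEC RR
    next_name: str      # "next domain name" field
    types: frozenset    # type bitmap as mnemonics, e.g. {"A", "RRSIG"}

def canonical_key(name):
    """Reversed, lower-cased labels: sorts like RFC 4034 canonical order."""
    labels = [lab.lower() for lab in name.rstrip(".").split(".") if lab]
    return tuple(reversed(labels))

def covers(nsec, qname):
    """True if qname lies strictly between owner and next (an NXDOMAIN proof)."""
    q, lo, hi = (canonical_key(n) for n in (qname, nsec.owner, nsec.next_name))
    if lo < hi:
        return lo < q < hi
    return q > lo or q < hi     # last NSEC in the chain wraps around to the apex

def nodata_proof(nsecs, qname, qtype):
    """Return (ok, reason): does this NSEC set prove that qname has no qtype?"""
    for n in nsecs:
        if canonical_key(n.owner) == canonical_key(qname):
            if qtype in n.types or "CNAME" in n.types:
                return False, f"bitmap claims {qname} has {qtype} or CNAME"
            return True, f"NSEC owner matches QNAME and bitmap omits {qtype}"
    if any(covers(n, qname) for n in nsecs):
        return False, "NSEC only covers the name (NXDOMAIN proof), not NODATA"
    return False, f"No NSEC RR matches the SNAME ({qname})"

def contradicts_answers(nsecs, qname, answered_types):
    """NSEC claims the name does not exist although other types answered:
    the inconsistency DNSViz flagged for www.../A and www.../AAAA."""
    return bool(answered_types) and any(covers(n, qname) for n in nsecs)

QNAME = "www.clevelanddesign.com"
# Constructed: a one-record chain whose only name is the apex, so www is "covered".
BROKEN = [Nsec("clevelanddesign.com.", "clevelanddesign.com.",
               frozenset({"A", "NS", "SOA", "CAA", "RRSIG", "NSEC", "DNSKEY"}))]
# Constructed: the NSEC a correct signer returns for NODATA at www.
GOOD = [Nsec("www.clevelanddesign.com.", "clevelanddesign.com.",
             frozenset({"A", "AAAA", "RRSIG", "NSEC"}))]

if __name__ == "__main__":
    print(nodata_proof(BROKEN, QNAME, "CAA"))   # (False, 'NSEC only covers ...')
    print(nodata_proof(GOOD, QNAME, "CAA"))     # (True, 'NSEC owner matches ...')
```

A resolver that cannot build a valid proof from what the authoritative server returned answers SERVFAIL, which is exactly what the validating dig and unboundtest show above.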

I agree; something is a bit squirrely with your DNS Service Provider (DSP) and their nonexistent CAA replies.

You could also try adding a wildcard record with the CAA information.

