DNSSEC with own SOA and acme2

rag · 2018-12-16 14:06:12 UTC

I have 3 domains.
All three have their own zone for challenge.

zone _acme-challenge.example.net SOA IN SOA ns1.systron.de. info.systron.de. (
zone _acme-challenge.example.com SOA IN SOA ns1.systron.de. info.systron.de. (
zone _acme-challenge.systron.de SOA IN SOA ns1.systron.de. info.systron.de. (

systron.de has DNSSEC.

letsencrypt renewing works for example.net and example.com,
but not for systron.de.

letsdebug.net for systron.de shows me:

DNS response for _acme-challenge.systron.de had fatal DNSSEC issues: validation
failure <_acme-challenge.systron.de. TXT IN>: no signatures from 46.237.197.205

I like the way of seperating the zone in static and dynamic part.

Is there a solution for keeping my separation?

JuergenAuer · 2018-12-16 16:04:02 UTC

Hi @rag

looks like the problem is solved. Letsdebug is green, same there:

https://dnssec-analyzer.verisignlabs.com/systron.de

rag · 2018-12-16 16:19:48 UTC

Letsdebug is red.

TXTRecordError
Fatal

An error occurred while attempting to lookup the TXT record on _acme-challenge.systron.de . Any resolver errors that the Let’s Encrypt CA encounters on this record will cause certificate issuance to fail.

DNS response for _acme-challenge.systron.de had fatal DNSSEC issues: validation failure <_acme-challenge.systron.de. TXT IN>: no signatures from 46.237.197.205

JuergenAuer · 2018-12-16 16:26:27 UTC

Ok, I’ve used the wrong validation method. But if you use DNSSEC, then fix these errors:

https://dnssec-analyzer.verisignlabs.com/_acme-challenge.systron.de

_acme-challenge.systron.de
	No DS records found for _acme-challenge.systron.de in the systron.de zone
	No DNSKEY records found
	No NSEC records in response
	No RRSIGs found

rag · 2018-12-16 16:45:34 UTC

Why do Letsencrypt check domains on DNSSEC?

JuergenAuer · 2018-12-16 16:54:26 UTC

Because the domain owner wants this.

Are you the domain owner of systron.de? Or why isn’t it possible to add the required records?

schoen · 2018-12-16 18:46:06 UTC

Exactly. For certificate authorities, not issuing certificates that shouldn’t be issued is even more important than issuing certificates that should be issued. (That’s ultimately what makes the certificates useful to the end users who visit sites.) So Let’s Encrypt wants to use every source of information that can be checked automatically by machine that might help confirm whether the domain owner agrees with each certificate issuance request. DNSSEC is one source of information that can help confirm this, and in some cases help prevent the issuance of certificates that the domain owner didn’t want.

rag · 2019-01-01 13:30:15 UTC

I solved it. There are misconfigurations in my DNSSEC.
Thanks.

JuergenAuer · 2019-01-01 13:35:49 UTC

Yep. Now your DNSSEC - configuration looks good.