Error message after renew existed ssl certificatioin

barsara · January 11, 2017, 3:32am

Hi,

We got the error message after running renew procedure(we replace real domain name with abc.xyz.com.tw)

Domain: abc.xyz.com.tw
Type: connection
Detail: DNS problem: query timed out looking up CAA for abc.xyz.com.tw

So, we run the command manually
dig -t type257 abc.xyz.com.tw

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t type257 abc.xyz.com.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;abc.xyz.com.tw. IN CAA

;; Query time: 2041 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 11 11:22:33 CST 2017
;; MSG SIZE rcvd: 48

We see the message “status: SERVFAIL” after running dig command and is that the reason why DNS problem occurs?

Or is any way to workaround this?

Thanks in advance.

pfg · January 11, 2017, 3:46am

Both SERVFAIL as well as a timeout during the CAA query would cause an error.

There’s not really a workaround, other than making sure your authoritative name servers give a valid response. You don’t need a CAA record or even a DNS server with real CAA support, an empty response is just fine. It can’t be something like SERVFAIL (or just a timeout). If Let’s Encrypt were to accept CAA timeouts as a valid response, there would not be much point in enforcing CAA at all (that opens up a way to bypass it via DoS attacks).

If you’re running your own DNS servers, an updated version of your DNS server software that doesn’t misbehave when faced with a CAA query might be available. If you’re using a third-party DNS provider, you’d have to ask them if that’s something they can fix or potentially switch to a different one.

barsara · January 11, 2017, 4:10am

Hi

OK. We understood and will check what you mention.
Thanks for your help.

MitchellK · January 11, 2017, 1:38pm

Always use a DNS propagation checker to make sure your DNS is correct and also propagated

Also use this tool to thoroughly analyze your DNS

barsara · January 12, 2017, 10:15am

Thanks for your suggestion.

We use dig command to check that with different type.
dig xxx.com.tw ->status: NOERROR
dig -t soa xxx.com.tw -> status: NOERROR
but
dig -t type257 xxx.com.tw -> status: SERVFAIL

so we guess this may cause by SERVFAIL, but not very sure. We may check that with the website you mentioned.

MitchellK · January 12, 2017, 10:19am

A dig right now from South Africa gave

; <<>> DiG 9.8.3-P1 <<>> xxx.com.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6718
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xxx.com.tw. IN A

;; ANSWER SECTION:
xxx.com.tw. 599 IN A 185.53.178.8

;; Query time: 307 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 12 12:16:37 2017
;; MSG SIZE rcvd: 44

and dns propagation checker all looks good now

barsara · January 16, 2017, 9:49am

Hi,

it’s ok in looking up A record, but it always return “status: SERVFAIL” in looking up CAA.
Our customer will ask their DNS provider to check that.

system · February 15, 2017, 9:59am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.