Error message after renewing an existing SSL certificate

Hi,

We got the following error message after running the renew procedure (we replaced the real domain name with abc.xyz.com.tw):

Domain: abc.xyz.com.tw
Type: connection
Detail: DNS problem: query timed out looking up CAA for abc.xyz.com.tw

So, we ran the command manually:
dig -t type257 abc.xyz.com.tw

; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t type257 abc.xyz.com.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;abc.xyz.com.tw. IN CAA

;; Query time: 2041 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 11 11:22:33 CST 2017
;; MSG SIZE rcvd: 48

We see the message “status: SERVFAIL” after running the dig command. Is that the reason the DNS problem occurs?

Or is there any way to work around this?

Thanks in advance.

Both SERVFAIL and a timeout during the CAA query would cause an error.

There’s not really a workaround, other than making sure your authoritative name servers give a valid response. You don’t need a CAA record or even a DNS server with real CAA support, an empty response is just fine. It can’t be something like SERVFAIL (or just a timeout). If Let’s Encrypt were to accept CAA timeouts as a valid response, there would not be much point in enforcing CAA at all (that opens up a way to bypass it via DoS attacks).

If you’re running your own DNS servers, an updated version of your DNS server software that doesn’t misbehave when faced with a CAA query might be available. If you’re using a third-party DNS provider, you’d have to ask them if that’s something they can fix or potentially switch to a different one.

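To make the distinction in the reply above concrete, here is an added example (not from the original thread and not Let's Encrypt's own code) that parses dig output for a CAA query the way a CA has to interpret it: NOERROR with an empty answer or with CAA records is usable, while SERVFAIL or a timeout blocks issuance. The dig texts, the names good.example and www.good.example, and the CAA records are constructed for the example; the SERVFAIL text mirrors the one posted in the thread. The ca_authorized and relevant_caa functions follow the RFC 8659 issue/issuewild and parent-climbing rules in simplified form, which goes a little beyond the single lookup shown in the thread.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed dig outputs (abbreviated to the parts the parser needs).
# DIG_SERVFAIL mirrors the response posted in the thread; the other two are made up.
DIG_SERVFAIL = """; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t type257 abc.xyz.com.tw
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46605
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

DIG_EMPTY = """; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t type257 www.good.example
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

DIG_WITH_CAA = """; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t type257 good.example
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5678
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
good.example.\t300\tIN\tCAA\t0 issue "letsencrypt.org"
good.example.\t300\tIN\tCAA\t0 issuewild ";"
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
# owner  ttl  IN  CAA  flags  tag  "value"
CAA_RE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"', re.M)

CaaRecord = Tuple[int, str, str]  # (flags, tag, value)


def dig_status(output: str) -> str:
    """Return the RCODE dig reported, or 'TIMEOUT' when dig got no answer at all."""
    if "connection timed out" in output:
        return "TIMEOUT"
    m = STATUS_RE.search(output)
    return m.group(1) if m else "UNKNOWN"


def lookup_ok_for_issuance(output: str) -> bool:
    """A CA can act on NOERROR (empty or not) and NXDOMAIN; SERVFAIL/timeout block issuance."""
    return dig_status(output) in ("NOERROR", "NXDOMAIN")


def parse_caa(output: str) -> List[CaaRecord]:
    """Extract CAA records from dig's ANSWER SECTION; empty list when there are none."""
    return [(int(flags), tag, value) for flags, tag, value in CAA_RE.findall(output)]


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def ca_authorized(records: List[CaaRecord], ca_id: str = "letsencrypt.org",
                  wildcard: bool = False) -> bool:
    """RFC 8659 check: no records means any CA may issue; for wildcard names an
    issuewild property takes precedence over issue when one is present."""
    if not records:
        return True
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"
    relevant = [issuer_domain(v) for _, t, v in records if t == tag]
    if not relevant:  # records exist but none of the governing tag: no restriction
        return True
    return ca_id.lower() in relevant


def relevant_caa(name: str, resolve: Callable[[str], str]) -> Tuple[Optional[List[CaaRecord]], Optional[str]]:
    """Climb from the name to its parents until a CAA RRset is found (RFC 8659 style).
    Returns (records, None) on success or (None, problem) if any lookup on the
    way up failed with SERVFAIL/timeout, because the CA then cannot know the policy."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        fqdn = ".".join(labels[i:])
        out = resolve(fqdn)
        if not lookup_ok_for_issuance(out):
            return None, f"{fqdn}: {dig_status(out)}"
        recs = parse_caa(out)
        if recs:
            return recs, None
    return [], None  # climbed to the top without finding CAA: unrestricted


# Constructed stand-in for real dig calls, keyed by query name.
SAMPLE_ZONE = {
    "abc.xyz.com.tw": DIG_SERVFAIL,
    "www.good.example": DIG_EMPTY,
    "good.example": DIG_WITH_CAA,
}


def sample_resolve(fqdn: str) -> str:
    return SAMPLE_ZONE.get(fqdn, DIG_EMPTY)


if __name__ == "__main__":
    for host in ("abc.xyz.com.tw", "www.good.example", "*.good.example"):
        recs, problem = relevant_caa(host.lstrip("*."), sample_resolve)
        if problem:
            print(f"{host}: CAA lookup failed ({problem}); issuance blocked")
        else:
            ok = ca_authorized(recs, "letsencrypt.org", wildcard=host.startswith("*."))
            print(f"{host}: records={recs} letsencrypt.org allowed={ok}")
```

To use this against live data, replace sample_resolve with a function that runs `dig -t type257 <name>` (or `dig -t caa` on a dig that knows the type) and returns its stdout; the thread's case then reports "abc.xyz.com.tw: SERVFAIL" and a blocked issuance, whereas a zone that simply has no CAA records yields an empty list and an allowed result.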

Hi

OK. We understand and will check what you mentioned.
Thanks for your help.

Always use a DNS propagation checker to make sure your DNS is correct and also propagated.

Also use this tool to thoroughly analyze your DNS.

Thanks for your suggestion.

We used the dig command to check that with different record types:
dig xxx.com.tw -> status: NOERROR
dig -t soa xxx.com.tw -> status: NOERROR
but
dig -t type257 xxx.com.tw -> status: SERVFAIL

So we guess this may be caused by the SERVFAIL, but we're not very sure. We may check that with the website you mentioned.


A dig right now from South Africa gave:

; <<>> DiG 9.8.3-P1 <<>> xxx.com.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6718
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;xxx.com.tw. IN A

;; ANSWER SECTION:
xxx.com.tw. 599 IN A 185.53.178.8

;; Query time: 307 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 12 12:16:37 2017
;; MSG SIZE rcvd: 44

and the DNS propagation checker all looks good now.

Hi,

It's OK when looking up the A record, but it always returns “status: SERVFAIL” when looking up CAA.
Our customer will ask their DNS provider to check that.
