Failed by dns servfail?

certbot reports:

Failed authorization procedure. dj360.com.cn (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for dj360.com.cn

however, it resolves.

$ nslookup dj360.com.cn 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: dj360.com.cn
Address: 125.88.145.61

Let’s Encrypt’s resolver uses 0x20 randomization – in other words, it sends queries with rAndOm CApiTalizATIon to improve security by making it harder to forge accurate responses. Among other issues, the zone’s authoritative nameservers do not properly support that, responding in lowercase, and the resolver rejects all of the responses and eventually fails.

https://unboundtest.com/m/A/dj360.com.cn/CY3VD33D

Compare

$ digr Dj360.CoM.Cn @121.14.154.236

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse Dj360.CoM.Cn @121.14.154.236
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34156
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dj360.com.cn.                  IN      A

;; ANSWER SECTION:
dj360.com.cn.           600     IN      A       125.88.145.61

;; AUTHORITY SECTION:
dj360.com.cn.           3600    IN      NS      v1.dns.com.
dj360.com.cn.           3600    IN      NS      v2.dns.com.

;; Query time: 213 msec
;; SERVER: 121.14.154.236#53(121.14.154.236)
;; WHEN: Sat Aug 19 07:06:14 UTC 2017
;; MSG SIZE  rcvd: 94

and, for example,

$ digr LetSenCrypT.OrG @a20-66.akam.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse LetSenCrypT.OrG @a20-66.akam.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4158
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;LetSenCrypT.OrG.               IN      A

;; ANSWER SECTION:
LetSenCrypT.OrG.        30      IN      A       172.226.73.16

;; Query time: 27 msec
;; SERVER: 2a02:26f0:67::42#53(2a02:26f0:67::42)
;; WHEN: Sat Aug 19 07:06:49 UTC 2017
;; MSG SIZE  rcvd: 60

I don’t know if Let’s Encrypt is willing to whitelist around this.

You may want, or need, to switch DNS providers.


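The two dig runs above show the failure mode by hand; the following is an added example (not from this thread or from Let's Encrypt) that automates the same check with only the Python standard library: it sends one A query with 0x20-randomized case, RD=0 like +norecurse, and classifies how the authoritative server echoed the question name. The function names and the "ok" / "case-altered" / "mismatch" / "bad-id" verdicts are this example's own, and it checks the question-section echo only, which is the symptom the thread points at.

```python
import random
import socket
import struct

def randomize_case(name, rng=None):
    """Apply 0x20 encoding: flip each ASCII letter of NAME to a random case."""
    rng = random if rng is None else rng
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in name)

def build_query(qname, qid):
    """Wire-format A/IN query for QNAME with RD=0 (like dig +norecurse), case kept verbatim."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def question_name(msg):
    """Return the QNAME from the question section exactly as the server echoed it."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:  # compression is not legal in the question; treat as malformed
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def classify_response(sent_qname, response, qid):
    """Classify how the authority echoed the 0x20-encoded name we sent (verdict names are this example's)."""
    if len(response) < 12 or struct.unpack("!H", response[:2])[0] != qid:
        return "bad-id"         # not our answer; a validating resolver discards it
    echoed = question_name(response)
    if echoed == sent_qname:
        return "ok"             # case preserved, as a20-66.akam.net did in the thread
    if echoed.lower() == sent_qname.lower():
        return "case-altered"   # lowercased, as dj360.com.cn's authority did: the resolver rejects it
    return "mismatch"           # some other name entirely

def check_server(name, server, timeout=3.0, seed=None):
    """Send one randomized-case query over UDP to SERVER and report (name sent, verdict)."""
    rng = random.Random(seed)
    qname, qid = randomize_case(name, rng), rng.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    return qname, classify_response(qname, data, qid)
```

Run `check_server("dj360.com.cn", "<authoritative server IP>")` against each NS of a zone before switching providers; a "case-altered" verdict from any of them is enough for a 0x20-validating resolver to end up at SERVFAIL.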