Failed renewal [Solved: DNSSEC problem]


#1

Hi;

Since few months my domain jodumont.com
he unable to receive, renew, is let’s encrypt.

subdomain.jodumont.com works perfectly and others domain.tld on the same server works fine too

The errors since 6-8 weeks still always the same : Error: DNS problem: SERVFAIL looking up A for jodumont.com
my @.jodumont.com point obviouly on the right IP
my NGINX respond fine on HTTP

like few posts I wait few days to be sure, few weeks
But now I come on the forum to try to understand what really happen with hope of fixing it

What I should do and where I should look ?


#2

The domain has a DNSSEC configuration issue, breaking it for many resolvers, including Google Public DNS and the Let’s Encrypt validation system.

http://dnsviz.net/d/jodumont.com/dnssec/

The domain has DS records set at the registrar (Namecheap), but the current DNS servers (also Namecheap) don’t sign the zone.

Going by the algorithm in the DS records, perhaps the domain previously used Cloudflare’s DNS service? Namecheap’s DNS service actually does support DNSSEC* but i’ve only seen them use a different algorithm.

You’ll need to go to the Namecheap control panel and delete the DS records. It’s possible it won’t let you – using their DNS service tends to reduce your direct access to the low level settings – and you’ll have to contact their customer service.

You might want to enable their DNSSEC service too, but it may not work, and the old DS records still have to be removed regardless.

* Partly. I haven’t seen it work all the way.

Edit: Sometimes Namecheap does get DNSSEC right.


#3

DNSSec comes from name.com
I transfert the domain from name.com to namecheap.com
with name.com I was using cloudflare but I stop, at least 3months ago. :wink:

I’ll your recommandation with namecheap and come back !!
Thank!


#4

Wouah!
Thank you so much to took the time to really looks into my DNS and give me this awesome answer. :slight_smile:


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.