Failing DNS resolution

igoratencompass · June 20, 2020, 6:37am

I ran this command: letsencrypt-auto certonly --no-bootstrap --no-self-upgrade --standalone --renew-by-default

It produced this output:

   Domain: icicimov.com
   Type:   dns
   Detail: DNS problem: query timed out looking up A for icicimov.com

My web server is (include version): apache2 2.4.43-1+ubuntu16.04.1+deb.s

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Crazy Domains

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.5.0

Hi, noticed upon my last certificate renewal that I have problem related to DNS as per the message sent by the LE server above. Not sure what to make of it since I can resolve my domain name fine (and all other subdomains i the certificate SAN) which I confirmed with multiple tools and multiple locations around the globe.

This is the error from my last attempt:

2020-06-20 16:16:22,952:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 20 Jun 2020 06:16:22 GMT
Content-Type: application/json
Content-Length: 543
Connection: keep-alive
Boulder-Requester: 13965077
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101ujh-iVAvQI95mWSxsds7VEfJKuZsnao5LdUvcsLjjH8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "icicimov.com"
  },
  "status": "invalid",
  "expires": "2020-06-27T06:15:49Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: query timed out looking up A for icicimov.com",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5358235579/6B5JuQ",
      "token": "O7-bhjHfISMVXBMrYRsGYjFQ_aFMpvpTQ7vnGvwLoI4"
    }
  ]
}

I have a self hosted named and the same configuration has ran without changes for years, except for software version updates of course. Any idea what can be the problem exactly?

Thanks

_az · June 20, 2020, 6:55am

Your nameservers have link-local IPv6 addresses. That could have something to do with it. Let’s Encrypt’s resolvers might actually be trying to communicate with them.

$ dig +noall +answer ns1.icicimov.com aaaa
ns1.icicimov.com.       86123   IN      AAAA    fe80::21d:aaff:fe8f:4334

$ dig +noall +answer ns2.icicimov.com aaaa
ns2.icicimov.com.       86121   IN      AAAA    fe80::21d:aaff:fe8f:4334

Edit: On the other hand, Unbound should already be sanitizing these automatically, so it’s unlikely to be the cause of the timeout.

Requests to the production API are producing SERVFAILs rather than timeouts for me. Those are likely caused by your DNSSEC problem.

JuergenAuer · June 20, 2020, 7:03am

Hi @igoratencompass

there are older checks of your domain (without wrong link-local ipv6), now checked - DNSSEC is broken - https://check-your-website.server-daten.de/?q=icicimov.com

A check created yesterday 19.06.2020 14:38:26 without link-local has the same.

Fatal error: Parent zone has a signed DS RR (Algorithm 8, KeyTag 40534, DigestType 1, Digest Oz/X2+zNJTXBQ9J2Rzfzk588tdo=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

Fatal error: Parent zone has a signed DS RR (Algorithm 8, KeyTag 40534, DigestType 2, Digest wmYK6lTQFcd6dbl9rmim19A3VssUfW+hnf6HPuKsn3E=), but the destination DNSKEY doesn't exist or doesn't validate the DNSKEY RR set. No chain of trust created.

Same with Unboundtest - https://unboundtest.com/m/CAA/icicimov.com/OKTZXQPD - Timeouts.

Error running query: read udp 127.0.0.1:60764->127.0.0.1:1053: i/o timeout

With DNSSEC, no DNSKEY can be found, but a DS in the parent zone exists -> DNSSEC is broken -> you can't create a certificate.

First step: Fix your connection problems.

igoratencompass · June 20, 2020, 12:09pm

Thanks guys, I made sure no bogus IPV6 records are present in the zone. Unfortunately the TTL is 2 days so will have to wait. Except if there is an option to tell LE to use A instead of AAAA records?

On the other hand I don’t get it how can this be the problem when the error says DNS query timeout looking up A RR and not AAAA?

About the DNSSEC problem, I’m not sure I understand the error. I haven’t touched the DNSSEC setup since 2016 so not sure what might have changed. For sure the zone has the key:

$ dig @8.8.8.8 DNSKEY icicimov.com +dnssec +nostats +noadditional +nocomments +noquestion +nocmd +multiline

; (1 server found)
;; global options: +cmd
icicimov.com.		21599 IN DNSKEY	257 3 8 (
				AwEAAdwW7qZK1jq0J5ARWW+Tmtn6o8np8QTqNesfj7kp
				SrDEEBzIaJY2YeWjpZ+k8LUzEAIt4I/OhAIlQUbqPZ23
				y2uo8GKmMdR6BDdHQX7Nmm31sfR2vm8pCFmMvBvbK3do
				PmgS5UTOhkC5iATzJt8hmrnzl2eKuFJgHRa2IU9z35b6
				WZXOjIFpvKPHGKW1lO5bkgFTY2EZo+0xWQgNI3OgyvBm
				C2qvoHcegpaI5eimPlj9RLFm4Uw6PsBqb+I3wK7lo9Lt
				hqwsqbgtrNACgObSFrb2XLjS8PCLE64hiHWeP2gCDvKm
				c4aWjEWBJK/Cjs4j45xEYUl0fbSclkrTfoOKIwc=
				) ; KSK; alg = RSASHA256; key id = 40534
icicimov.com.		21599 IN DNSKEY	256 3 8 (
				AwEAAdcf6S2EjIx8wCLx5IhEc/MHnG+FyIP0qJhFzN48
				Ap53L4rFx2ly+fcvL4yvx6crOvVV8jLCTU69FC0MLAV7
				XUNd0X6/XSh5YaTy9NfXOGUcLZVs+QDRy/bZ82SBqzqm
				A5Lp1Uv7Dp7UKAWSgczU1PO6fH5gj4bPTFoJDi2ilFWj
				) ; ZSK; alg = RSASHA256; key id = 21633
icicimov.com.		21599 IN RRSIG DNSKEY 8 2 259200 (
				20200711110140 20200620100140 40534 icicimov.com.
				icyK6Y7PdJYzshY7RMmdBa1MoEu7KM9qVCC0SkqZd4m0
				q30hjMzL/uHZ8+djpVBXz4hCWh1svx11W5b2Xv7TPgyr
				vqCNFnG1DfH140pg5+APN4KocBeIWdDNuEJ3Gdq+0KJo
				P+kRIjg6oKKzTc3gdCpWIyTBgVaN9gJL/4ecUK58esRk
				A2Pt29DSP2vcat0G8DzjAmg56XOfaagp8vfS/fFDs6fq
				uckiNS2qyVw9F185pRNhBV3RWJ2ZM3D5umd2XG1tja6L
				cGkfVlqCxyVkv1u15N7Cf1luHio3RH0kWLsnXDThbeZZ
				+rvaHKadeWeo6sco1N5f89iszcxMSSQn7A== )

And if I compare the DS RR for my domain:

$ dig @8.8.8.8 DNSKEY icicimov.com | dnssec-dsfromkey -f - -2 icicimov.com
icicimov.com. IN DS 40534 8 2 C2660AEA54D015C77A75B97DAE68A6D7D03756CB147D6FA19DFE873EE2AC9F71

With the DS I extract from my dnskey:

# dnssec-dsfromkey <path-to-my-dns-key-id-40534>
icicimov.com. IN DS 40534 8 2 C2660AEA54D015C77A75B97DAE68A6D7D03756CB147D6FA19DFE873EE2AC9F71

we can see they are identical.

JuergenAuer · June 20, 2020, 12:44pm

That's not the problem, there are connection problems.

Rechecked with https://check-your-website.server-daten.de/?q=icicimov.com - no DNSKEYs found.

Unboundtest has different Servfails https://unboundtest.com/m/A/icicimov.com/LEHRUMT5

Checked manual - via UDP DNSKEY query works. Via TCP there is a refused answer.

That's fatal, authoritative name servers must answer via UDP and TCP / 53.

May be a local firewall, may be your provider blocks TCP Port 53.

PS: The refused answer comes from your server, doesn't look like a provider problem.

igoratencompass · June 20, 2020, 3:08pm

You are right, fixed now. But still the dns server (bind) not responding to tcp queries and I have no idea why. Thanks for your support though.

igoratencompass · June 20, 2020, 3:27pm

All fixed now, thanks again.

system · July 20, 2020, 3:27pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.