We were looking into using Let's Encrypt certificates for some of our web services; however, our infrastructure setup turned out to be somewhat special, so we cannot seem to get around the ominous “DNS problem: query timed out looking up CAA” error. The short question is whether there is any way to pass the validation without changing our redundancy setup/infrastructure/software:
We have a firewall with an “ISP provider redundancy” feature which is DNS based, so there is no need to do BGP or similar to make our web servers reachable from the net via both providers in a redundant way. Basically, this means we have a different IP range for each provider, and our firewall tells the clients via DNS which IP on which provider to connect to.
Our DNS zone setup for a redundant web server looks like this:
    firewall1.domain.com.   A   188.8.131.52    ; IP address of firewall in IP range of ISP1
    firewall2.domain.com.   A   184.108.40.206  ; IP address of firewall in IP range of ISP2
    webserver.domain.com.   NS  firewall1.domain.com.
    webserver.domain.com.   NS  firewall2.domain.com.
The firewall itself has a miniature DNS service running, which returns the A records with a low TTL for the webserver, depending on which ISP is online, or for both ISPs simultaneously. This DNS service responds to queries for A records only, and returns no response in all other cases (I think this is for security reasons). Also, there is no possibility to configure anything else there.
The zone itself is hosted externally, and we have no possibility to enter a CAA record there (the option is missing in the web interface).
With dig I get a reply like this; the first query is to the external DNS server, the second is directed to the firewall:

    dig -t TYPE257 webserver.domain.com. @dns1.dnsprovider.com

    ; <<>> DiG 9.10.4-P2 <<>> -t TYPE257 webserver.domain.com. @dns1.dnsprovider.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24170
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;webserver.domain.com.          IN      CAA

    ;; AUTHORITY SECTION:
    webserver.domain.com.   3600    IN      NS      firewall1.domain.com.
    webserver.domain.com.   3600    IN      NS      firewall2.domain.com.

    dig -t TYPE257 webserver.domain.com. @firewall1.domain.com

    ; <<>> DiG 9.10.4-P2 <<>> -t TYPE257 webserver.domain.com. @firewall1.domain.com
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
Now, if I understood everything correctly, our problem is that the firewall does not respond with anything when the validation check follows the NS record for webserver.domain.com and queries the firewall for a CAA record.
Is there any way to get around this?
The firewall manufacturer is a large, well-known company which is unlikely to change its software for one small customer's exclusive use case.
The external DNS provider will also take its time to implement a new software version on our request so that we can add a CAA record for webserver.domain.com in the main DNS zone.
Thank you in advance for your ideas.
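To illustrate why the firewall's silence, rather than the missing CAA record, is what fails the check, here is an added example (not code from the post) that models the CAA lookup a CA performs per RFC 8659 section 3 against constructed zone data: the walk from webserver.domain.com. toward the root is aborted by a timeout, but would continue to the parent zone if the delegated server returned an empty NOERROR answer. The resolver table, record strings and the `check` helper are constructed for this illustration.

```python
"""Model of the CAA tree-climb a CA performs (RFC 8659 section 3) and why a
timeout at a delegated name blocks issuance while an empty answer does not.
Added example with constructed data; not code from the original post."""
from typing import Callable, Dict, List, Optional

class CAALookupError(Exception):
    """Raised when a CAA query gets no usable response (timeout, SERVFAIL)."""

# A resolver is modelled as a callable: name -> list of CAA record strings.
# An empty list means NOERROR/NODATA; raising CAALookupError means the query failed.
Resolver = Callable[[str], List[str]]

def relevant_caa_rrset(name: str, resolve: Resolver) -> List[str]:
    """Return the CAA RRset governing `name`: the first non-empty set found while
    walking from `name` toward the root. A failed query aborts the walk, since the
    CA cannot know whether a restricting record was hidden behind the failure."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrset = resolve(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]          # climb to the parent zone
    return []

def issuance_permitted(rrset: List[str], ca_domain: str) -> bool:
    """No 'issue' records at any level means any CA may issue; otherwise the
    CA's identifying domain must appear as an 'issue' value (flags tag value)."""
    issue_values = [r.split(None, 2)[2] for r in rrset if r.split()[1] == "issue"]
    if not issue_values:
        return True
    return any(v.strip('"').split(";")[0].strip() == ca_domain for v in issue_values)

def make_resolver(table: Dict[str, Optional[List[str]]]) -> Resolver:
    """Build a fake resolver from a table; a None entry simulates a server that
    never answers (like the firewall's A-only DNS service described above)."""
    def resolve(name: str) -> List[str]:
        answer = table.get(name, [])
        if answer is None:
            raise CAALookupError(f"query timed out looking up CAA for {name}")
        return answer
    return resolve

# Constructed data mirroring the post: the delegated name is served by a firewall
# that ignores non-A queries; the parent zone has no CAA record at all.
AS_DESCRIBED = make_resolver({"webserver.domain.com.": None, "domain.com.": []})
# Same tree, but the delegated server answers CAA queries with an empty NOERROR.
IF_FIREWALL_ANSWERED_NODATA = make_resolver({"webserver.domain.com.": [], "domain.com.": []})

def check(name: str, resolve: Resolver, ca_domain: str = "letsencrypt.org") -> str:
    """Summarise the CA's decision for `name` as one string."""
    try:
        rrset = relevant_caa_rrset(name, resolve)
        return "permitted" if issuance_permitted(rrset, ca_domain) else "forbidden"
    except CAALookupError as exc:
        return f"DNS problem: {exc}"
```

Running `check("webserver.domain.com.", AS_DESCRIBED)` reproduces the timeout failure, while the same name with `IF_FIREWALL_ANSWERED_NODATA` is permitted because the walk reaches domain.com. and finds no restriction there.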