LE is failing CAA on TLD

Domain is: test.kp.ecospas.ru

Using a custom ACME client.

Getting: 403 urn:acme:error:caa: Error creating new cert :: Rechecking CAA: While processing CAA for test.kp.ecospas.ru: DNS problem: SERVFAIL looking up CAA for ru

The last portion, SERVFAIL looking up CAA for ru, suggests to me LE is doing a CAA lookup on TLD .ru.

Supposing LE is intending to lookup CAA for TLDs for some reason, I did some digging.

Digging an authoritative server works:

dig CAA rU @e.dns.ripn.net
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18170

Digging Google Public DNS fails:

dig CAA rU @8.8.8.8
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26706


Confirm. The same problem

2017/11/02 23:14:07 [ERROR] Domain verification results for ‘stelplast.ru’: error. DNS problem: SERVFAIL looking up CAA for ru

It’s not exactly specifically about CAA. ru.'s DNSSEC is generally partly on fire.

Nov 2 21:04:31 jane unbound: [4166:0] info: verify: signature bad, current time is before inception date expi=20171216094738 incep=20171102211923 now=20171102210431

http://dnsviz.net/d/ru/Wft6Bw/dnssec/

Some of their DNSSEC signatures are in the future.

At least some of them will start working at 21:19:23 UTC – ten minutes from now – if they don’t make any changes.

Try again then?

Edit:

For posterity:

$ dig +cd +dnssec ru caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +cd +dnssec ru caa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49404
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ru.                                IN      CAA

;; AUTHORITY SECTION:
ru.                 59      IN      SOA     a.dns.ripn.net. hostmaster.ripn.net. 4031517 86400 14400 2592000 3600
ru.                 59      IN      RRSIG   SOA 8 1 345600 20171216094738 20171102211923 16149 ru. ETgfEv0zlg0twulAy+qXfTK8n8AmPmKmFYCW3rv3ient0NBeD+POYjJ5 kx+WqyzeRA4Pab+c91G05OwiMkSd20Z5DbzKwy4wu4RiQZ08BpKk77ZE h5lGWo0YQH9qbIJh0G4LYo+uozqyX+33iqXOZc68tp9WGDa8e0ZH5fPK n2E=
TDUI9D4JKUDS8B9T86GJ39PGFLCNLGM5.ru. 3233 IN NSEC3 1 1 3 00FF TE4SDFFC4MIKNSM2U6V2G0D1A2TH6S0G NS SOA RRSIG DNSKEY NSEC3PARAM
TDUI9D4JKUDS8B9T86GJ39PGFLCNLGM5.ru. 3233 IN RRSIG NSEC3 8 2 3600 20171204171626 20171031043025 16149 ru. pas7th7CcpR6zm/TGeZ1sqmhpfUpF73ROLOlZmHYKVrFpgLthabjCo2f yjFOoVP2OWu3XjMiesiGEoYIO+uP15t20fLSDTT9uOfZton/1wyFHrHe OAVxqcehMRipsf1PshxsoFr6YU7ED304ha5aSkewEJN25AH7yR5SqRKg C2M=

;; Query time: 797 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Nov 02 21:10:38 UTC 2017
;; MSG SIZE  rcvd: 498

The problem still persists.
Today I have tried to renew certificates for two domains (mail.mtrele.ru and mail.bakhur.ru) and have received the error “SERVFAIL looking up CAA for ru”.
dig caa ru @77.88.8.88 answered correctly (Yandex DNS)
dig caa ru @8.8.8.8 returned the error (Google DNS)

TLD .ru is having issues with DNSSEC again: http://dnsviz.net/d/ru/WfugSg/dnssec/


Thanks for reporting. I’m afraid there’s not much we can do until they fix their DNSSEC, hopefully soon!

Thanks @jsha. Any thoughts on whether or not Boulder should be doing CAA lookups on TLDs?

I’m afraid that RFC6844 is quite clear that it is required:

https://tools.ietf.org/html/rfc6844#section-4

The search for a CAA record climbs the DNS name tree from the
specified label up to but not including the DNS root ‘.’.

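The climb the RFC describes, as an added Python example (not code from the thread or from Boulder): a CAA lookup walks from the requested name up to, but not including, the root, stops at the first non-empty RRset, and must treat a SERVFAIL anywhere on that path as a hard failure, since "no CAA published" cannot be told apart from "CAA unreadable". The resolver, zone contents and the CA identifier "example-ca.invalid" are constructed stand-ins; the real "ru" failure in the thread is simulated as a SERVFAIL entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

# Constructed in-memory stand-in for a validating resolver. A name maps to
# its CAA RRset (possibly empty) or to the string "SERVFAIL", mimicking the
# DNSSEC failure the thread observed for the "ru" label. Names absent from
# the table resolve to an empty RRset (the "no CAA here" case).
BROKEN_TLD_ZONE = {"ru": "SERVFAIL"}
ZONE_WITH_OWN_CAA = {
    "ecospas.ru": [CAARecord(0, "issue", "letsencrypt.org")],
    "ru": "SERVFAIL",
}

def lookup_caa(name, zone):
    answer = zone.get(name, [])
    if answer == "SERVFAIL":
        raise RuntimeError(f"DNS problem: SERVFAIL looking up CAA for {name}")
    return list(answer)

def caa_climb(domain, zone):
    """RFC 6844 section 4: query CAA at each label from the domain upward,
    stopping before the root '.'. The first non-empty RRset is the relevant
    one, so the climb never reaches the TLD if a lower label publishes CAA.
    A resolution failure on the path aborts the whole check."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup_caa(name, zone)
        if rrset:
            return name, rrset
    return None, []

def issuance_allowed(domain, ca, zone):
    """True if the relevant CAA RRset permits `ca`, or if no CAA exists on
    the path. Simplified: only the 'issue' tag is consulted; 'issuewild',
    the critical flag and parameter suffixes after ';' are ignored."""
    _, rrset = caa_climb(domain, zone)
    issue = [r.value for r in rrset if r.tag == "issue"]
    if not issue:
        return True   # non-empty RRset without 'issue' does not restrict
    return ca in issue
```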

It is not a solution. How many certificates were issued for domains in .RU?

@iHeadRu The reason why I chose to mark it as a solution is because it shows how Let’s Encrypt’s hands are tied by specification. There’s literally nothing they can do to fix it themselves. We have to wait for the people operating DNSSEC for .ru to deploy a fix.


That makes sense; I wound up removing the “solution” marker because I think a number of people would have misinterpreted it. Let’s re-mark it as solved once the upstream DNSSEC issues are resolved. Thanks!

Can we mark it OOOC?
“Out-Of-Our-Control”


According to DNSViz .ru's DNSSEC appears to have been fixed for about 22 hours now.

Please try obtaining your certificate again.

