I noticed in past threads (circa late 2015) that LetsEncrypt had issues with the NetRegistry name servers and timeouts. Our domains are with NetRegistry, and we’re getting “DNS problem: SERVFAIL looking up A for www.example.com” error messages. Doing a quick DNS Analysis from 24x7.com shows a consistent response time of 330ms from the NetRegistry name servers, while another domain (which is on the same physical hardware at our site but with a different DNS provider) is getting certs AOK and has a DNS Analysis response time of sub-50ms - so it must be the NetRegistry name servers.
So has the issue from late-2015 been resolved? Is there a work-around (apart from not using NetRegistry)? Is there an argument I can add to the certbot command to ensure the LetsEncrypt server doesn’t timeout too soon?
For convenience, I’m reposting in this thread below…
For domains hosted by ezyreg.com, another Netregistry reseller.
The same CAA via UDP timeout issue remains there.
Here’s the example…
This CAA check via UDP fails with timeout
dig CAA drumdigital.com.au. @ns-1.ezyreg.com. +notcp
; <<>> DiG 9.10.2 <<>> CAA drumdigital.com.au. @ns-1.ezyreg.com. +notcp
;; global options: +cmd
;; connection timed out; no servers could be reached
This CAA check via TCP works
dig CAA drumdigital.com.au. @ns-1.ezyreg.com. +tcp
; <<>> DiG 9.10.2 <<>> CAA drumdigital.com.au. @ns-1.ezyreg.com. +tcp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33240
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
I haven’t needed to renew again since I had the problem with renewal a month or two ago. The problem at the time was related to a failing CAA record lookup. The somewhat cryptic response from NetRegistry when they eventually replied to my support request was:
“We do apologize but we don’t cater CAA record and it shows that you also don’t have any hosting with us.”
It is true that they don’t host my websites, but isn’t that irrelevant? They are the registrar for all of my domains. I didn’t bother following up as by the time they replied the LetsEncrypt renewal had mysteriously started to work again. Bit of a mystery why it did start working if, as they say, they “don’t cater CAA”.
If I have problems when I’m due to renew again I plan to move all my domains to iinet.
We've gotten a similar response from a small handful of other DNS operators who have CAA problems, but it's inaccurate. Let's Encrypt (and soon other CAs) only require a NOERROR response for CAA, which is what all nameservers should reply with when they are queried for a resource record type they don't recognize. In other words, no special support for CAA is needed - nameservers just need to not fail (SERVFAIL or timeout) when queried for CAA records.
To their credit, NetRegistry's nameservers themselves correctly return NOERROR, most of the time. However, it appears there is some firewall or filtering software, either on their network or somewhere between Let's Encrypt and NetRegistry, that drops DNS packets it doesn't recognize.
A couple months ago, the problem got abruptly worse for a few days, as NetRegistry experienced a major outage. For some reason, it seemed that the outage affected CAA timeouts more severely than timeouts of other types.
I've tried a few times to reach a technical contact at NetRegistry to work on the problem with them, and have failed. If anyone here knows someone they can put me in touch with, please let me know.
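To make the point above concrete, here is a small diagnostic, added to this thread and not part of Let's Encrypt's or NetRegistry's own tooling, that does what the dig examples earlier in the thread do by hand: it builds a raw CAA (type 257) query with only the Python standard library, sends it to a nameserver over UDP and over TCP, and classifies the reply the way a CA would, where NOERROR (even with zero answers) is acceptable and SERVFAIL, REFUSED or a timeout blocks issuance. The domain and nameserver in the `__main__` block are the ones quoted in this thread; the 5 second timeout and the "UNREACHABLE"/"TIMEOUT" labels are choices made for this example. The query carries no EDNS option, so a network device that drops only unknown record types will show up as a UDP timeout beside a working TCP reply, which is exactly the pattern reported here.

```python
import os
import socket
import struct

CAA_TYPE = 257          # RR type number for CAA (RFC 6844)
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_caa_query(name, txid=None):
    """Return (txid, wire_bytes) for a plain CAA query with RD set, no EDNS."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    # Header: id, flags (RD=1 like dig's default), QDCOUNT=1, others 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", CAA_TYPE, CLASS_IN)


def classify_response(txid, data):
    """Return (rcode_name, answer_count) from a raw DNS reply; only the header is needed."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response (QR bit clear)")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), an


def caa_acceptable(result):
    """A CA needs only NOERROR; an empty answer section is fine (no CAA records = any CA may issue)."""
    return result[0] == "NOERROR"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-message")
        buf += chunk
    return buf


def probe(name, server, transport="udp", timeout=5.0):
    """Send one CAA query to `server` on port 53; returns (label, answer_count or None)."""
    txid, packet = build_caa_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(packet, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(packet)) + packet)   # TCP framing: 2-byte length prefix
                length = struct.unpack("!H", _recv_exact(s, 2))[0]
                data = _recv_exact(s, length)
    except socket.timeout:
        return ("TIMEOUT", None)            # the failure mode that blocks Let's Encrypt issuance
    except OSError:
        return ("UNREACHABLE", None)
    return classify_response(txid, data)


def report(name, server):
    """Probe both transports; a UDP timeout beside a TCP NOERROR points at packet filtering, not the nameserver."""
    return {t: probe(name, server, t) for t in ("udp", "tcp")}


if __name__ == "__main__":
    # Domain and nameserver as quoted in this thread's dig examples.
    for transport, result in report("drumdigital.com.au", "ns-1.ezyreg.com").items():
        verdict = "OK for CAA" if caa_acceptable(result) else "would block issuance"
        print("%s: %s answers=%s -> %s" % (transport, result[0], result[1], verdict))
```

Running it from a host on a different network than the one Let's Encrypt validates from will not always reproduce their view, since the filtering may sit on the path rather than at NetRegistry, so a clean result locally does not rule out the problem.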
I’m getting this problem with ezyreg at the moment and it’s been persistent for at least a week. The certificate only has 19 days to go.
I myself register a lot of domains directly with NetRegistry and none of these have had this problem. We have about 50 domains using letsencrypt, none of which are having problems except for this one.
Is there any workaround for now?
I will raise a ticket with NetRegistry on this issue via my account with them, but because the domain name belongs to a customer and is via ezyreg there might not be much response. If I do get any answer I’ll reflect it here.
@nikdow - for what it’s worth NetRegistry have said they’ll do something (they haven’t yet) to help me out, so if it helps at all feel free to mention my support call number to them: 01159854
The delinquent domain on our server has now renewed via our overnight cron job. At least, I assume that is the case because a manual attempt today produces a response that the certificate has more than 30 days before expiring. I’ve closed my ticket at NetRegistry but asked them whether they fixed the problem or not.
Mate, I’ve actually got someone from NetRegistry who would like to talk to you guys re getting their DNS issues sorted out. If you could email me (matthew@peregrineit.net) your contact details I’ll forward them on (to Rory from NetRegistry) and hopefully, hopefully we can get this sorted - not just for me but for all of NetRegistry’s customers.