Occasional SERVFAIL looking up CAA for be

Hi,

As of 15/11 we’re getting occasional SERVFAIL errors from Let’s Encrypt while initiating http-01 domain validations for CAA requests to the .be zone.

DNS Belgium coincidentally happens to have started a KSK rollover on 15/11 which could be related.

All I’ve got as a trace are timestamps of when we’ve received the errors from Let’s Encrypt.
It’s been a few days since the last occurrence and it’s not really a blocking issue since it works when we retry the validation, but I’ve got the feeling that there’s some structural issue that needs fixing.

I’ve also contacted dnsbelgium about the issue, but I’m afraid that I don’t have enough details for them to get to the bottom of this.

[2018-11-15 22:50:06] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-11-16 01:06:17] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-11-19 21:28:16] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-11-22 15:34:22] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-11-23 02:59:24] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-11-23 07:04:53] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-11-28 16:44:31] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-11-30 02:28:04] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-11-30 05:33:39] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-04 10:25:15] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-05 01:57:40] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-05 09:31:27] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-05 19:04:46] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-08 09:04:25] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-11 03:15:38] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-11 03:15:40] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-12 20:31:34] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-14 08:36:23] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be
[2018-12-14 22:00:24] urn:acme:error:dns: DNS problem: SERVFAIL looking up CAA for be


I have a user who’s also seeing this for gratisdns.dk - they get randomly far through validation then start to get SERVFAIL. Using dig against all of the domain’s nameservers seems to work for the CAA query. Made me wonder if this is some sort of DDoS protection that’s getting annoyed at the CAA queries from Let’s Encrypt.

gratisdns.dk actually malfunctions:


I’m not sure whether it’s the same issue. Is the domain you are issuing the certificate for actually gratisdns.dk, or is it just an involved nameserver?

Just serviced by that DNS provider. I’ve left it to the user to get further support specific to their provider but wondered if it was a common scenario. This user is validating just under 100 domains/subdomains for a single cert.
