"ocsp.int-x3.letsencrypt.org could not be resolved" error: NXDOMAIN issue with

Hi, Terry,

I think the DNSViz issues you found are unrelated to your resolution timeouts.

The error with the CNAME on ocsp.int-x3.letsencrypt.org.edgesuite.net is a consequence of Akamai’s authoritative DNS implementation. This breaks that hostname’s resolution for resolvers that use strict QNAME minimisation (RFC 7816), but that’d be a persistent problem, not sporadic. We first identified this last year and have been following up with Akamai to get it fixed.

The error fetching DNSKEY over UDP from the .org root servers is something I see often on DNSViz - for many domains - and I’ve never been able to replicate it. The same goes for the UDP payload size warning. I think it’s a quirk of their testing servers’ connectivity.

The other warnings are best practices issues but shouldn’t affect resolution at all.

Unfortunately, in order to figure out what’s going on, I think we’ll need some deeper troubleshooting of your DNS resolver(s) at the moment when a timeout happens. What resolvers are you using?

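The QNAME minimisation point in the reply above, as an added example that is not part of the original post: a small simulation of a strict RFC 7816 resolver and a full-QNAME resolver querying the same authoritative server. It assumes the defect is NXDOMAIN returned for empty non-terminals, a failure mode RFC 7816 itself describes; the post does not say how Akamai's implementation misbehaves, and the CNAME target and function names are constructed.

```python
# Constructed data: the hostname is the one from the post; the CNAME target is invented.
ZONE_APEX = "edgesuite.net."
NAME = "ocsp.int-x3.letsencrypt.org." + ZONE_APEX
RECORDS = {NAME: ("CNAME", "target.example.")}

def authoritative(qname, ent_bug):
    """Answer one query as (rcode, answer).

    ent_bug=True models the assumed defect: NXDOMAIN for an empty
    non-terminal (a name with no records but with names below it).
    """
    if qname in RECORDS:
        return "NOERROR", RECORDS[qname]
    is_ent = any(name.endswith("." + qname) for name in RECORDS)
    if is_ent and not ent_bug:
        return "NOERROR", None  # correct NODATA: the name exists, no records
    return "NXDOMAIN", None

def resolve(qname, minimise, ent_bug):
    """Return (rcode, answer, queries_sent) for a lookup inside the zone.

    minimise=True reveals one more label per query and, being strict,
    treats the first NXDOMAIN as final. Query types are ignored here.
    """
    if not minimise:
        rcode, answer = authoritative(qname, ent_bug)
        return rcode, answer, [qname]
    labels = qname[: -len("." + ZONE_APEX)].split(".")
    sent = []
    rcode, answer = "NXDOMAIN", None
    for i in range(1, len(labels) + 1):
        step = ".".join(labels[-i:]) + "." + ZONE_APEX
        sent.append(step)
        rcode, answer = authoritative(step, ent_bug)
        if rcode == "NXDOMAIN":
            break  # nothing can exist below a nonexistent name
    return rcode, answer, sent

if __name__ == "__main__":
    for minimise in (False, True):
        for ent_bug in (False, True):
            rcode, _, sent = resolve(NAME, minimise, ent_bug)
            print(f"minimise={minimise!s:5} ent_bug={ent_bug!s:5} {rcode:8} after {len(sent)} query(ies)")
```

The result depends only on the resolver mode and the server behaviour, so under this assumption the failure is the same on every lookup rather than intermittent.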