Ongoing(?) DNSSEC/CAA/Network Solutions issues blocking http-01 renewals?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mhanj.org

I ran this command: certbot renew --cert-name www.mhanj.org ...

It produced this output:

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.mhanj.org
   Type:   dns
   Detail: DNS problem: looking up CAA for www.mhanj.org: DNSSEC:
   Bogus

My web server is (include version): httpd-2.4.6-97.el7

The operating system my web server runs on is (include version): CentOS Linux release 7.8.2003

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.7.0

I've found multiple posts on the same topic (e.g. Error when trying to create ssl cert). DNSSEC was recently enabled on the domain (noted above) with DNS hosted at Network Solutions. Since then, we've been unable to renew the certificate.

I've tried adding a CAA record:

$ dig caa mhanj.org. @ns46.worldnic.com. +short
0 issue "letsencrypt.org"
$ 

but this doesn't seem to have helped. The GUI (control panel?) for Network Solutions DNS does not appear to permit one to enter a CAA for any name in a domain other than @. Note that www.mhanj.org is its own A record rather than a CNAME to @, in case that is significant.

Is the only solution to disable DNSSEC? Might switching from http-01 to DNS authorization (using acme.sh) work better, or would this have the same issue? Is there a better solution?

Thanks.

Same issue will occur.

That, or show your DNS host this and ask them to fix it:

NSEC proving non-existence of www.mhanj.org/CAA: The following queries resulted in an answer response, even though the NSEC records indicate that the queried names don't exist: www.mhanj.org/A

You can also try set up your DNSSEC from scratch to see if that makes a difference.

6 Likes

Same issue will occur.

I suspected that this would be the case.

As for "show your DNS host", this is why I mentioned that the DNS hosting is by Network Solutions. Do they fix such things? I just interacted with someone from support there via their online chat on a trivial issue, and they're not providing the most enlightened interactions.

As far as setting up DNS goes, I wasn't the person who enabled this, but it seems to be just a toggle on one of their web pages. Is changing this (turning DNSSEC off and on, laugh) likely to make a difference?

Thanks.

1 Like

It's a bit more than that. Disabling DNSSEC will involve disabling it at both your registrar and your DNS host, which will result in your DS and DNSKEY records being deleted.

When you re-enable DNSSEC, brand new keys and records will be generated, which may result in the bogus NSEC record being corrected.

Their server is not producing correct responses, it's their responsibility. You can also move for free to another DNS host like Cloudflare.

5 Likes

Netsol is notorious for this kind of issue. This is exactly why I moved ALL (but one) domains away from Network Solutions, or "Network (lack of) Solutions", if you prefer.

5 Likes

That's definitely something we've seen here before, where people can't seem to get their tech support to understand that their DNS server is just broken and gives out Bogus DNSSEC responses.

I know it's helped with some cases in the past with broken DNSSEC, though I don't recall offhand if it's done so with Network Solutions specifically.

I personally would prefer to pay for DNS service, just under the theory that then you're the customer and not the product, and maybe some of that money would go to actually having support & engineering that have the knowledge and ability to fix problems. (Having DNS service be included as a package as part of other things, like being the registrar, or the web hosting, would be fine too, I'm not saying that one would prefer to pay specifically just for DNS, just that I'd be wary of a free-DNS-only system.)

Given the history of Network Solutions, going way back on the Internet, you would think that they might have some clue of how to run a DNS server, now wouldn't you. I would agree that there are plenty of better DNS hosting solutions available nowadays.

4 Likes

You can indeed give Cloudflare money if you want to, I pay them several hundred dollars a year and in return they handle several million requests per month [my modest sites are about 20M requests p/m, with many of those being handled by cloudflare workers]. Yes they offer free DNS services to get you hooked, but they're pretty good at running them and they have a lot of features other DNS providers just don't have.

5 Likes

Their history is actually pretty horrible. Their monopoly status meant they didn't have to be good at what they did. Once the market opened up, that became quite apparent.

Despite offering free DNS, Cloudflare provide some of the best DNS. I still keep a paid account elsewhere for certain domains with specific requirements, but Cloudflare is hard to beat in most circumstances.

5 Likes

Well, Network Solutions is both the registrar and DNS host in this case.

Is there some reason why their web page doesn't permit adding CAA records for names other than @? Nothing I've read yet informs me that CAA records are limited in this way.

It occurs to me that adding such a record might be a workaround, given that the problem appears to be a disagreement about the lack of such a record, but adding this doesn't seem to be something that can be done via the GUI.

Thanks.

1 Like

Only incompetence.

And in fact, the recurring problem seems to be that CAs are required to check the CAA of the full domain name first, and only if there are no records (and no error) will it check the parent name. But when checking CAA of a subdomain (such as www.), their DNS server gives an erroneous response rather than a correctly-signed no-records response. Adding a CAA record for the full name might be a workaround for their buggy DNS server not handling the request correctly, but really they should be able to handle sending a response for empty results as well.

Like we're saying, they just can't seem to be able to run a DNS server correctly.

6 Likes

Seriously, I believe it is all about money. Without a CAA record, they are "still in the game" for certificate sales. However, with a valid CAA record they can (and probably would) be precluded from issuing certs to many domains at all. I have chatted and emailed netsol support and never heard a satisfactory response on this issue. I do get lots of marketing mails from them trying to sell me "SUPERIOR" TLS certificates. In the case of Network Solutions, I just don't use a CAA record, unfortunately.

3 Likes

But even their own CA couldn't issue a certificate if non-existent CAA records give SERVFAIL due to Bogus DNSSEC!

4 Likes

Netsol's weakest link, besides customer satisfaction, is their DNS policies in general.
I'll stop short of a "rant" ;o)

4 Likes

But even their own CA couldn't issue a certificate if non-existent CAA records give SERVFAIL due to Bogus DNSSEC!

Which begs the question: How does their CA work with domains using their DNS? Does their software not check for a CAA record?

Meanwhile, I disabled DNSSEC and was able to have the certificate renewed. I'm going to reenable DNSSEC to see whether the errors reported by dnsviz persist.

3 Likes

I assume their CA only works with domains using their DNS that have DNSSEC off, or that aren't including the www. name on the certificate. (Or perhaps, that have had the DNSSEC off-and-then-back-on trick work to fix the DNS responses.)

If you have evidence of their CA issuing for a name where the authoritative DNS server gives a bogus DNSSEC response, then I'm sure the various root programs would love to know about it. But I tend to suspect it's more likely that DNSSEC is just turned off because people don't understand it, kind of like IPv6.

4 Likes

DNSSEC isn't generally required for CAs by the baseline requirements (except in one case, around handling CAA lookup failures), so it's possible other CAs don't have DNSSEC enabled in their clients.

5 Likes

But we're specifically talking about CAA lookup failures. If I want to issue for www.example.com, with a valid or empty CAA record at example.com but looking up CAA for www.example.com gives a bogus DNSSEC response, aren't all CAs required to not issue?

3 Likes

Lookup failure here means the DNS server doesn't reply, or replies with a SERVFAIL. If you're not checking DNSSEC, you wouldn't notice it being broken, I think (I'm no dns expert....)

4 Likes

BRs v2.0.0, section 3.2.2.8:

CAs are permitted to treat a record lookup failure as permission to issue if ... the domain’s zone does not have a DNSSEC validation chain to the ICANN root.

By my read, this is a requirement to determine if there's a valid DNSSEC chain or not, which would implicitly require using a validating resolver. I suppose you could argue that a CA would only need to use a validating resolver if their first CAA lookup resulted in a SERVFAIL?

2 Likes
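To make the behaviour discussed in the last several posts concrete, here is an added Python model of the CAA check a CA performs before issuance: climb from the requested name toward the root, take the first non-empty CAA RRset, and treat a lookup failure on a DNSSEC-signed zone as a reason not to issue (RFC 8659 section 3 plus the BR 3.2.2.8 lookup-failure rule quoted above). This is example code written for this thread, not Let's Encrypt's or Network Solutions' software; the resolver is a hand-built fake whose answers are constructed to mirror the thread (apex CAA allowing letsencrypt.org, www.mhanj.org/CAA returning SERVFAIL while the zone is signed), and the "unsigned zone means continue climbing" choice is the conservative reading, an assumption rather than anything the thread states.

```python
"""Model of the CAA tree-climb a CA runs before issuing (RFC 8659 s.3) plus the
CA/B Forum BR 3.2.2.8 lookup-failure rule. Added example, offline, fake resolver.
"""
from dataclasses import dataclass, field

NOERROR, SERVFAIL = "NOERROR", "SERVFAIL"


@dataclass
class CaaRecord:
    flags: int
    tag: str
    value: str


@dataclass
class CaaResponse:
    rcode: str
    records: list = field(default_factory=list)


class FakeResolver:
    """Maps an owner name to the CAA answer a validating resolver would return.
    Names missing from the table get an empty NOERROR (a signed NODATA answer).
    dnssec_signed lists zones that have a validation chain to the root."""

    def __init__(self, table, dnssec_signed):
        self.table = table
        self.dnssec_signed = dnssec_signed

    def caa(self, name):
        return self.table.get(name, CaaResponse(NOERROR))

    def has_dnssec_chain(self, name):
        return any(name == z or name.endswith("." + z) for z in self.dnssec_signed)


def ancestors(fqdn):
    """Every name from the FQDN up to, but not including, the root."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_caa(resolver, fqdn, retries=1):
    """First non-empty CAA RRset on the path to the root.
    Returns (records, failed_name); failed_name is set when a lookup failed in a
    way the CA is not allowed to ignore (SERVFAIL on a DNSSEC-signed zone)."""
    for name in ancestors(fqdn):
        resp = resolver.caa(name)
        attempts = 1
        while resp.rcode == SERVFAIL and attempts <= retries:  # BR: retry at least once
            resp = resolver.caa(name)
            attempts += 1
        if resp.rcode == SERVFAIL:
            if resolver.has_dnssec_chain(name):
                return [], name  # signed zone + failure: must not issue
            continue  # assumption: unsigned zone, treat as no records and keep climbing
        if resp.records:
            return resp.records, None
    return [], None


def may_issue(resolver, fqdn, ca_domain, wildcard=False, retries=1):
    """Return (allowed, reason) for ca_domain issuing a cert covering fqdn."""
    records, failed = relevant_caa(resolver, fqdn, retries)
    if failed:
        return False, f"CAA lookup for {failed} failed under DNSSEC (SERVFAIL/bogus)"
    if not records:
        return True, "no CAA records anywhere in the tree: any CA may issue"
    tags = {"issuewild"} if wildcard else {"issue"}
    if wildcard and not any(r.tag == "issuewild" for r in records):
        tags = {"issue"}  # no issuewild: issue records govern wildcards too
    allowed = [r.value.split(";")[0].strip() for r in records if r.tag in tags]
    if ca_domain in allowed:
        return True, f"{ca_domain} is listed in a CAA {sorted(tags)[0]} record"
    return False, f"CAA restricts issuance to {allowed if allowed else 'no CA'}"


# Constructed scenario mirroring the thread: apex CAA allows letsencrypt.org,
# but www.mhanj.org/CAA is SERVFAIL because the NSEC proof validates as bogus.
BROKEN = FakeResolver(
    table={
        "www.mhanj.org": CaaResponse(SERVFAIL),
        "mhanj.org": CaaResponse(NOERROR, [CaaRecord(0, "issue", "letsencrypt.org")]),
    },
    dnssec_signed={"mhanj.org"},
)
# The same zone after DNSSEC is switched off: www is an ordinary empty answer.
UNSIGNED = FakeResolver(
    table={"mhanj.org": CaaResponse(NOERROR, [CaaRecord(0, "issue", "letsencrypt.org")])},
    dnssec_signed=set(),
)

if __name__ == "__main__":
    for label, res in (("signed, bogus www", BROKEN), ("dnssec off", UNSIGNED)):
        for name in ("www.mhanj.org", "mhanj.org"):
            print(label, name, may_issue(res, name, "letsencrypt.org"))
```

Running it shows why the apex alone is not enough: the www name is checked first, and a SERVFAIL there on a signed zone stops the climb before the permissive apex record is ever consulted, while the same query with DNSSEC off falls through to the apex and succeeds.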

So far, they do.

3 Likes