PowerDNS: Can't find why CAA servfails


#1

[root@server~]# dig CAA mail.x.nl @ns1.x.nl. +dnssec

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> CAA mail.x.nl @ns1.x.nl. +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18077
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

There is no CAA record.
It looks like a DNSSEC issue.
No way I can get a SERVFAIL from our DNS servers.

I hope someone can help me with this


#2

Suddenly it works again. Hope to hear what could have been wrong


#3

4 posts were split to a new topic: Help diagnosing CAA SERVFAIL


#4

Indeed, the problem is back. Anyone can check for example this domain? domain: pcvaardig.nl


#5

It seems to flap on and off, due to the maintenance?


#6

Can you tell us more about the exact problem you are seeing? Are you trying to renew your certificate and getting a “SERVFAIL looking up CAA” error? On staging, or production, or both? Can you print the full error? When you say it’s flapping, are you seeing flapping results from attempts to issue with Let’s Encrypt, or from your own dig commands, or both? And what makes you say it looks like a DNSSEC issue?


#10

@pfg do you see any reason why pop.gwvanpelt.nl would fail on CAA servfail?


#11

I’m trying to recreate a certificate using the DirectAdmin Let’s Encrypt script.

I thought it was because of DNSSEC since it worked after I disabled it, but other domains are not working either. After some time I retry the request and it suddenly works. The result is different every time I request a certificate. However, queries to our 3 nameservers for CAA records always return NOERROR back, no matter when or how I call them:

dig -t type257 pop.gwvanpelt.nl @ns1.zxcs.nl
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54252

Error: Challenge is invalid. Details: DNS problem: SERVFAIL looking up CAA for pop.gwvanpelt.nl. Exiting…

Production server

Flapping result from letsencrypt, tried 1000 queries to our servers with grep FAIL.


#12

Another one fails:

for num in {1..3}; do for flag in "" "+noadflag" ; do for type in A AAAA TYPE257 TXT ; do echo -n $flag $type ; dig $flag -t $type pop.gwvanpelt.nl @ns$num.zxcs.nl | grep status: ; done ; done ; done
A;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26211
AAAA;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7510
TYPE257;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47448
TXT;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31003
+noadflag A;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65442
+noadflag AAAA;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40296
+noadflag TYPE257;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37814
+noadflag TXT;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46287
A;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56537
AAAA;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20777
TYPE257;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33604
TXT;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61289
+noadflag A;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2957
+noadflag AAAA;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45791
+noadflag TYPE257;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46673
+noadflag TXT;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51029
A;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37450
AAAA;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63414
TYPE257;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43722
TXT;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39421
+noadflag A;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39889
+noadflag AAAA;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50346
+noadflag TYPE257;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19242
+noadflag TXT;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30422

Challenge is invalid. Details: DNS problem: SERVFAIL looking up CAA for pop.gwvanpelt.nl.


#13

I think your issue is with IPv6 records.

Do your IPv6 records currently point to your servers?

Andrei


#14

@ahaw021, I think that’s not the problem in this case because I looked at the site in both IPv4 and IPv6 and it seems to have the same content!

@jsha, I did some very preliminary tests here and seemed not to get the SERVFAIL myself (either via IPv4 or IPv6 DNS queries!)—can you get any more information from the logs about whether the CAA record lookup sometimes succeeds and sometimes fails from Let’s Encrypt’s point of view?


#15

That’s interesting. From my home connection, I reproduced the SERVFAIL result right away.

@rickjanssen, are you able to file a ticket with your DNS provider?


#16

@jsha What call did you make exactly? I’m not able to produce a SERVFAIL in any way. I am one of the administrators of the DNS servers.


#17

I ran:

dig -t type257 vrouwejitske.nl @ns1.alt255.nl
dig -t type257 vrouwejitske.nl
dig ns vrouwejitske.nl
dig -t type257 vrouwejitske.nl @ns2.alt255.nl
dig +short -t type257 vrouwejitske.nl @ns2.alt255.nl
dig -t type257 vrouwejitske.nl @ns2.alt255.nl | grep status:
dig -t type257 vrouwejitske.nl @ns3.alt255.nl | grep status:
dig -t type257 vrouwejitske.nl @213.154.246.11 | grep status:
dig -t type257 vrouwejitske.nl @2001:7b8:e10::12 | grep status:

These queries are still returning SERVFAIL for me this morning. Note: just now I ran your for loop:

for num in {1..3}; do for flag in "" "+noadflag" ; do for type in A AAAA TYPE257 TXT ; do echo -n $flag $type ; dig $flag -t $type pop.gwvanpelt.nl @ns$num.zxcs.nl | grep status: ; done ; done ; done

And currently all results are NOERROR for me. It’s possible there’s a time-based component or an issue with some subset of your servers. Do you use anycast for your nameservers? Do you have an Intrusion Prevention System or firewall in place, especially one from Arbor Networks? We’ve gotten some reports that such systems can sometimes misidentify CAA queries and cause problems.


#18

I’ve been poking this the last day or two. Had problems once. Resolver had to retry a few times for about 1.6 seconds before one of the servers responded. So it still worked, but it took about 1.7 seconds total.

2017-07-18 09:10:53.131754 IP6 ::1.50879 > ::1.53: 2388+ [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:53.210235 IP 45.33.103.94.64895 > 178.62.208.8.53: 28418% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:53.587653 IP 45.33.103.94.32114 > 178.62.208.8.53: 24575% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:53.964316 IP6 2600:3c02::13:5202.12161 > 2a03:b0c0:2:d0::57:1001.53: 25084% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:54.340899 IP6 2600:3c02::13:5202.4171 > 2a03:b0c0:2:d0::57:1001.53: 48752% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:54.717773 IP6 2600:3c02::13:5202.48881 > 2a06:2ec0:1::10.53: 5547% [1au] Type257? pop.gwvanpelt.nl. (45)
2017-07-18 09:10:54.823751 IP6 2a06:2ec0:1::10.53 > 2600:3c02::13:5202.48881: 5547*- 0/4/1 (356)
2017-07-18 09:10:54.824715 IP6 ::1.53 > ::1.50879: 2388$ 0/4/1 (356)

Every other thing I tried seemed fine.

Edit: But it could have been random Internet congestion on my end, of course.


#19

A post was split to a new topic: Help diagnosing CAA failures ns1.cyso.nl


#20

@jsha that domain “vrouwejitske.nl” is not on our DNS server, you are confusing me with jror. The domain in the loop you ran is our domain. So until now, only letsencrypt returns SERVFAILS randomly and no one else can reproduce. This is starting to get a bigger issue day by day… Some renewals are having these issues too. Can you please check why the letsencrypt server sees SERVFAILS?


#21

Hi @rickjanssen,

One interesting result: Trying the dig queries you suggested directly against the alt255.nl nameservers seemed to work, but when I query for CAA against an Unbound test instance that I have configured similarly to production, I do seem to get repeatable SERVFAILs. Here’s an example query, and the verbose level Unbound logs. There are a bunch of ‘THROWAWAY’ responses, which from a quick Google looks like an Unbound internal error code used on receiving SERVFAIL.

$ dig caa  vrouwejitske.nl  @127.0.0.1 -p 1053
; <<>> DiG 9.10.3-P4-Ubuntu <<>> caa vrouwejitske.nl @127.0.0.1 -p 1053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38954
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;vrouwejitske.nl.               IN      CAA

;; Query time: 3804 msec
;; SERVER: 127.0.0.1#1053(127.0.0.1)
;; WHEN: Wed Jul 19 08:45:11 EDT 2017
;; MSG SIZE  rcvd: 44

Jul 19 08:45:07 unbound[25771:1] info: 127.0.0.1 vrouwejitske.nl. CAA IN
Jul 19 08:45:07 unbound[25771:1] info: resolving vrouwejitske.nl. CAA IN
Jul 19 08:45:07 unbound[25771:1] info: priming . IN NS
Jul 19 08:45:08 unbound[25771:1] info: response for . NS IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <.> 198.97.190.53#53
Jul 19 08:45:08 unbound[25771:1] info: query response was ANSWER
Jul 19 08:45:08 unbound[25771:1] info: priming successful for . NS IN
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <.> 202.12.27.33#53
Jul 19 08:45:08 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <nl.> 193.176.144.5#53
Jul 19 08:45:08 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:08 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:08 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:08 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:08 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:08 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:09 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:09 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:09 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.160.213#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 109.106.175.205#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: response for vrouwejitske.nl. CAA IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <vrouwejitske.nl.> 213.154.246.11#53
Jul 19 08:45:10 unbound[25771:1] info: query response was THROWAWAY
Jul 19 08:45:10 unbound[25771:1] info: resolving ns1.alt255.nl. A IN
Jul 19 08:45:10 unbound[25771:1] info: response for ns1.alt255.nl. A IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <.> 192.203.230.10#53
Jul 19 08:45:10 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:10 unbound[25771:1] info: response for ns1.alt255.nl. A IN
Jul 19 08:45:10 unbound[25771:1] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:45:10 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:11 unbound[25771:1] info: response for ns1.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <alt255.nl.> 109.106.160.213#53
Jul 19 08:45:11 unbound[25771:1] info: query response was ANSWER
Jul 19 08:45:11 unbound[25771:1] info: resolving ns2.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: response for ns2.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:45:11 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:11 unbound[25771:1] info: response for ns2.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <alt255.nl.> 109.106.175.205#53
Jul 19 08:45:11 unbound[25771:1] info: query response was ANSWER
Jul 19 08:45:11 unbound[25771:1] info: resolving ns3.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: response for ns3.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:45:11 unbound[25771:1] info: query response was REFERRAL
Jul 19 08:45:11 unbound[25771:1] info: response for ns3.alt255.nl. A IN
Jul 19 08:45:11 unbound[25771:1] info: reply from <alt255.nl.> 109.106.175.205#53
Jul 19 08:45:11 unbound[25771:1] info: query response was ANSWER
Jul 19 08:45:11 unbound[25771:1] info: 127.0.0.1 vrouwejitske.nl. CAA IN SERVFAIL 3.802822 0 44

#22

Hi @jsha

Please note that this whole thread is not about vrouwejitske.nl, please forget that domain, I’ve never said anything about that domain…

Use pop.gwvanpelt.nl please.

Kind regards,
Rick


#23

Whoops, sorry for the confusion. Often members here will chime in with example queries trying to help the original posters, and I got confused. Here is verbose Unbound output for your domain:

Jul 19 08:55:12 unbound[24997:0] info: 127.0.0.1 pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: priming . IN NS
Jul 19 08:55:12 unbound[24997:0] info: response for . NS IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 192.33.4.12#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: priming successful for . NS IN
Jul 19 08:55:12 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 198.97.190.53#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <nl.> 213.154.241.85#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: resolving ns2.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: resolving ns3.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: resolving ns1.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: response for ns1.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <nl.> 192.5.4.1#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: resolving donna.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: resolving lloyd.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: response for donna.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 192.203.230.10#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for donna.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <com.> 192.33.14.30#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for donna.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <cloudflare.com.> 162.159.7.226#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for lloyd.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 192.33.4.12#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for ns1.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <zxcs.nl.> 173.245.58.151#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for lloyd.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <com.> 192.12.94.30#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for lloyd.ns.cloudflare.com. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <cloudflare.com.> 162.159.5.6#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for ns3.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for ns2.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:55:12 unbound[24997:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[24997:0] info: response for ns3.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <zxcs.nl.> 173.245.59.197#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for ns2.zxcs.nl. A IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <zxcs.nl.> 173.245.58.151#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <gwvanpelt.nl.> 185.104.28.19#53
Jul 19 08:55:12 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:12 unbound[24997:0] info: prime trust anchor
Jul 19 08:55:12 unbound[24997:0] info: resolving . DNSKEY IN
Jul 19 08:55:12 unbound[24997:0] info: response for . DNSKEY IN
Jul 19 08:55:12 unbound[24997:0] info: reply from <.> 202.12.27.33#53
Jul 19 08:55:12 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:12 unbound[24997:0] info: validate keys with anchor(DS): sec_status_secure
Jul 19 08:55:12 unbound[24997:0] info: Successfully primed trust anchor . DNSKEY IN
Jul 19 08:55:12 unbound[24997:0] info: validated DS nl. DS IN
Jul 19 08:55:12 unbound[24997:0] info: resolving nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: response for nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <nl.> 192.93.0.4#53
Jul 19 08:55:13 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validated DNSKEY nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: validated DS gwvanpelt.nl. DS IN
Jul 19 08:55:13 unbound[24997:0] info: resolving gwvanpelt.nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: response for gwvanpelt.nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 46.101.179.64#53
Jul 19 08:55:13 unbound[24997:0] info: query response was ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validated DNSKEY gwvanpelt.nl. DNSKEY IN
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 178.62.208.8#53
Jul 19 08:55:13 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 46.101.179.64#53
Jul 19 08:55:13 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 46.101.179.64#53
Jul 19 08:55:13 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:13 unbound[24997:0] info: reply from <gwvanpelt.nl.> 46.101.179.64#53
Jul 19 08:55:13 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[24997:0] info: resolving pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:14 unbound[24997:0] info: response for pop.gwvanpelt.nl. CAA IN
Jul 19 08:55:14 unbound[24997:0] info: reply from <gwvanpelt.nl.> 185.104.28.19#53
Jul 19 08:55:14 unbound[24997:0] info: query response was nodata ANSWER
Jul 19 08:55:14 unbound[24997:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:14 unbound[24997:0] info: 127.0.0.1 pop.gwvanpelt.nl. CAA IN SERVFAIL 1.833978 0 45

And here is a tcpdump of the queries and responses, encoded as base64 because Discourse won’t allow upload of unrecognized files:

query.log.base64.txt (19.5 KB)
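
Added example (not part of the original thread, and not Unbound's or Let's Encrypt's code): a small parser for verbose Unbound log lines of the shape quoted in posts #21 and #23. It separates a SERVFAIL where every upstream reply was classified THROWAWAY from one where the servers answered but validation of the NODATA answer was bogus. The sample log is constructed with placeholder names and addresses, and the diagnosis labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the logs above; names and addresses are
# documentation placeholders, and two resolver threads are interleaved on purpose.
SAMPLE_LOG = """\
Jul 19 08:55:12 unbound[100:0] info: response for mail.example.nl. CAA IN
Jul 19 08:55:12 unbound[100:0] info: reply from <nl.> 192.0.2.1#53
Jul 19 08:55:12 unbound[100:0] info: query response was REFERRAL
Jul 19 08:55:12 unbound[100:0] info: response for mail.example.nl. CAA IN
Jul 19 08:55:12 unbound[200:1] info: response for web.example.org. CAA IN
Jul 19 08:55:12 unbound[100:0] info: reply from <example.nl.> 192.0.2.53#53
Jul 19 08:55:12 unbound[200:1] info: reply from <example.org.> 203.0.113.7#53
Jul 19 08:55:12 unbound[100:0] info: query response was nodata ANSWER
Jul 19 08:55:12 unbound[200:1] info: query response was THROWAWAY
Jul 19 08:55:13 unbound[100:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[100:0] info: response for mail.example.nl. CAA IN
Jul 19 08:55:13 unbound[100:0] info: reply from <example.nl.> 198.51.100.53#53
Jul 19 08:55:13 unbound[100:0] info: query response was nodata ANSWER
Jul 19 08:55:13 unbound[100:0] info: validate(nodata): sec_status_bogus
Jul 19 08:55:13 unbound[200:1] info: 127.0.0.1 web.example.org. CAA IN SERVFAIL 3.802822 0 44
Jul 19 08:55:14 unbound[100:0] info: 127.0.0.1 mail.example.nl. CAA IN SERVFAIL 1.833978 0 45
"""

LINE = re.compile(r"unbound\[(\d+:\d+)\] info: (.*)$")
RESPONSE = re.compile(r"response for (\S+) (\S+) IN$")
REPLY = re.compile(r"reply from <(\S+)> (\S+)#\d+$")
CLASSIFIED = re.compile(r"query response was (.+)$")
VALIDATE = re.compile(r"validate\((\w+)\): (sec_status_\w+)$")
FINAL = re.compile(r"\S+ (\S+) (\S+) IN ([A-Z]+) [\d.]+ \d+ \d+$")  # reply sent to the client

def summarize(log_text):
    """Return {(qname, qtype): summary} for each client reply line in the log."""
    threads, results = {}, {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        # State is kept per [pid:thread] so interleaved lines do not mix.
        st = threads.setdefault(m[1], {"replies": Counter(), "validation": Counter()})
        msg = m[2]
        if r := RESPONSE.match(msg):
            st["query"] = (r[1], r[2])
        elif r := REPLY.match(msg):
            st["server"] = r[2]
        elif r := CLASSIFIED.match(msg):
            st["replies"][(st.get("query"), st.get("server"), r[1])] += 1
        elif r := VALIDATE.match(msg):
            # Heuristic: validation results since this thread's last client reply.
            st["validation"][r[2]] += 1
        elif r := FINAL.match(msg):
            key = (r[1], r[2])
            own = {(s, c): n for (q, s, c), n in st["replies"].items() if q == key}
            results[key] = {"rcode": r[3], "replies": Counter(own),
                            "validation": st["validation"]}
            threads.pop(m[1])
    return results

def diagnose(summary):
    """Classify one client reply; the labels are this example's own, not Unbound's."""
    if summary["rcode"] != "SERVFAIL":
        return "ok"
    if summary["validation"]["sec_status_bogus"]:
        return "dnssec-bogus"       # servers answered, the validator rejected the answer
    classes = {cls for _, cls in summary["replies"]}
    if "THROWAWAY" in classes and not any(c.endswith("ANSWER") for c in classes):
        return "replies-discarded"  # no usable reply from the zone's servers
    return "unknown"
```

A `dnssec-bogus` result is the case where a plain `dig` against the authoritative servers still shows NOERROR, because the failure happens in the validating resolver rather than on the nameserver.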