[root@server~]# dig CAA mail.x.nl @ns1.x.nl. +dnssec ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> CAA mail.x.nl @ns1.x.nl. +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18077 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, …

[image] rickjanssen: @cpu is there anything I can do? With my unbound setup, the requests do not fail, they give NOERROR I can't offer any advice at present. I can share a sanitized copy of the config from the server I'm testing against if you want to try and see if you can get your Unbound t…

[image] cpu: I can't offer any advice at present. I can share a sanitized copy of the config from the server I'm testing against if you want to try and see if you can get your Unbound to match. EDIT: here it is - note that I removed some access-control lines and I wouldn't recommend running thi…

[image] rickjanssen: Which version are you running? 1.5.8-1ubuntu1 from apt on Ubuntu 16.04

[image] cpu: I'm going to try increasing the verbosity level from 3 to 4 to get algorithm data. Looking at validator/val_nsec3.c's nsec3_prove_nodata function I believe this will give us more information. I tried this and the snipped results do give more information that I can match up to the…

I really can’t figure out what is causing this to happen. I reproduced the SERVFAIL now. Hope to figure out what the problem is soon. Is it possible for you to “whitelist” (skip CAA check) us until we figure this out? Lots of customers and lots domains are failing to create and renew right now… Edi…

@rickjanssen I’m still curious about whether your nameservers are anycast. If so, that could potentially explain random differences, if queries are routed to different servers. Also, sounds like you’re running PowerDNS. What version? I assume you’re running the same version on all nameservers? Also…

[image] cpu: I shared an Unbound configuration above that can be used to try and replicate locally. @rickjanssen seems to have success with that. It's not the exact configuration we run in production but seems sufficient for replicating the issue in so much as I understand it presently. Can you …

One thing that stands out to me is that in the snippet that @cpu posted your nameserver returned an unexpected NSEC record which doesn’t prove the NODATA response (mail.gwvanpelt.nl. 86400 IN NSEC pop.gwvanpelt.nl. A AAAA RRSIG NSEC which would authenticate a mail.gwvanpelt.nl. NODATA response but n…

This any help? http://dnsviz.net/d/pop.gwvanpelt.nl/dnssec/?rr=257&a=all&ds=all&doe=on&ta=.&tk=

PowerDNS: Can't find why CAA servfails

Help

rickjanssen July 19, 2017, 2:18pm 32

@cpu is there anything I can do? With my unbound setup, the requests do not fail, they give NOERROR

Topic		Replies	Views
SERVFAIL looking up CAA, but I see NOERROR myself Help	24	7417	August 8, 2017
Help diagnosing CAA failures `ns1.cyso.nl` Help	13	3695	July 24, 2017
DNS problem: SERVFAIL looking up CAA Help	15	4369	April 8, 2021
CAA requests resulting in SERVFAIL since Dec 12th Help	21	1337	December 20, 2023
False CAA failure when issuing certs Issuance Tech	34	4302	July 10, 2018

PowerDNS: Can't find why CAA servfails

Related topics