Problem with Certificate Renewal - CAA Query Windows Server 2012

Hello all,

I'm having a problem with CAA queries on my external DNS server. I am getting 'SERVFAIL' as the response, but it should give me 'NOERROR' as the reply. I don't have any CAA records in my zone, so the server should answer the query with a NOERROR result; this way, the CA would understand and generate the certificate.

Server info:
OS: Windows Server 2012 Datacenter
Role: External DNS
Windows Firewall: OFF

I am using a web-based dig tool and I'm getting the following results when I run a CAA query:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> CAA +additional zaffari.com.br. @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10867
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zaffari.com.br. IN CAA

;; Query time: 3 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Fri Oct 6 17:16:51 2017
;; MSG SIZE rcvd: 32

The answer it should give me is something like this:

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> CAA +additional capgemini.com.br. @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37136
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;capgemini.com.br. IN CAA

;; AUTHORITY SECTION:
capgemini.com.br. 1791 IN SOA ns1.capgemini.com.br. hostmaster.capgemini.com. 2012050722 900 600 86400 3600

;; Query time: 12 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Fri Oct 6 17:16:46 2017
;; MSG SIZE rcvd: 98

Other queries, like A, ANY or SOA, work perfectly.

I asked for a verification of the firewall, but the owners told me that there's no problem with 'query blocking' on their side…
Does anybody have an idea of what to do next?

Thanks all!
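To make the difference between the two dig outputs above concrete from the CA's point of view, here is an added example (not code from the original post or from any CA). It parses the header lines of the two responses quoted in the thread and classifies them the way a CAA check does: NOERROR with an empty answer means "no CAA RRset here, climb to the parent", while SERVFAIL is a lookup failure that stops issuance. The second half implements the RFC 8659 tree-climbing walk over a constructed, offline stand-in for DNS; the `.test` names and the `fake_lookup` function are assumptions made for the example, not anything from the thread.

```python
"""
Classify CAA lookups the way a CA's issuance check sees them.

Added example for this thread. It has no network dependency: the two dig
outputs below are trimmed copies of the ones quoted in the post, and the
"DNS" used by the tree-climb is a constructed in-memory stand-in.
"""
import re

# dig output quoted in the post: the failing CAA query
DIG_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10867
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;zaffari.com.br. IN CAA
"""

# dig output quoted in the post: the expected "no CAA records" answer
DIG_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37136
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;capgemini.com.br. IN CAA

;; AUTHORITY SECTION:
capgemini.com.br. 1791 IN SOA ns1.capgemini.com.br. hostmaster.capgemini.com. 2012050722 900 600 86400 3600
"""

HEADER_RE = re.compile(r"status: (\w+), id: (\d+)")
COUNTS_RE = re.compile(r"QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")


def parse_dig(text):
    """Return (rcode, answer_count, authority_count) from dig's header lines."""
    status = HEADER_RE.search(text)
    counts = COUNTS_RE.search(text)
    if not status or not counts:
        raise ValueError("not a dig response header")
    return status.group(1), int(counts.group(2)), int(counts.group(3))


def classify_caa_response(text):
    """
    Map one CAA response to what a CA does with it:
      'nodata'  - NOERROR with an empty answer: no CAA RRset at this name, climb up
      'records' - NOERROR with answers: a CAA RRset was found, evaluate it
      'failure' - SERVFAIL (or any other error rcode): lookup failed, do not issue
    """
    rcode, answers, _authority = parse_dig(text)
    if rcode == "NOERROR":
        return "records" if answers > 0 else "nodata"
    if rcode == "NXDOMAIN":
        return "nodata"  # the name does not exist, so there is no RRset to find
    return "failure"


def caa_tree_climb(fqdn, lookup):
    """
    RFC 8659 tree climbing: query CAA at the FQDN, then at each parent label
    up to (but not including) the root, until an RRset is found.
    `lookup(name)` returns (rcode, records); it is injected so the walk runs offline.
    Returns ('records', name, records), ('none', None, []) or ('failure', name, []).
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rcode, records = lookup(name)
        if rcode not in ("NOERROR", "NXDOMAIN"):
            # A SERVFAIL anywhere on the path aborts the check; this is what
            # the response in the post does to a CA's issuance decision.
            return ("failure", name, [])
        if rcode == "NOERROR" and records:
            return ("records", name, list(records))
        # NODATA or NXDOMAIN: nothing at this label, move to the parent
    return ("none", None, [])


# Constructed stand-in for DNS (assumption for the example): name -> (rcode, CAA records)
FAKE_DNS = {
    "www.example.test.": ("NOERROR", []),                          # NODATA, climb up
    "example.test.":     ("NOERROR", ['0 issue "ca.example.test"']),  # RRset found here
    "broken.test.":      ("SERVFAIL", []),                          # the post's symptom
    "test.":             ("NOERROR", []),
}


def fake_lookup(name):
    """Offline resolver: anything not in FAKE_DNS behaves as NXDOMAIN."""
    return FAKE_DNS.get(name, ("NXDOMAIN", []))


if __name__ == "__main__":
    print("post's failing query  :", classify_caa_response(DIG_SERVFAIL))
    print("post's expected answer:", classify_caa_response(DIG_NODATA))
    print("climb from www.example.test. :", caa_tree_climb("www.example.test.", fake_lookup))
    print("climb from host.broken.test. :", caa_tree_climb("host.broken.test.", fake_lookup))
```

The point the walk makes is that a NODATA answer at the queried name is harmless (the CA simply moves to the parent label), whereas a SERVFAIL at any label on the way up ends the check with a failure, which is why the first dig output blocks issuance while the second does not.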

Have a look at these resources:
http://dnsviz.net/
https://dnssec-debugger.verisignlabs.com/

And I’m not sure how the question directly relates to this forum.
Are you having trouble issuing LE certs?
If so, please include that aspect and as much detail as possible.

Hi @redd

Any reason why a Google search would not have provided the answer you were looking for?

https://social.msdn.microsoft.com/Forums/en-US/926e41be-2971-419c-af5a-482db163d53a/dns-caa-records?forum=WAVirtualMachinesVirtualNetwork

Andrei
