Hello all,
I'm having a problem with CAA queries on my external DNS server. I am getting ‘SERVFAIL’ as a response, but it should give me ‘NOERROR’ as a reply. I don't have any CAA records in my zone, so the server should answer the query with a NOERROR result; this way, the CA would understand and generate the certificate.
Server info:
OS: Windows Server 2012 Datacenter
Role: External DNS
Windows Firewall: OFF
I am using a web-based dig tool and I'm getting the following results when I run a CAA query:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> CAA +additional zaffari.com.br. @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10867
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;zaffari.com.br. IN CAA
;; Query time: 3 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Fri Oct 6 17:16:51 2017
;; MSG SIZE rcvd: 32
The answer it should give me is something like this:
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> CAA +additional capgemini.com.br. @8.8.4.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37136
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;capgemini.com.br. IN CAA
;; AUTHORITY SECTION:
capgemini.com.br. 1791 IN SOA ns1.capgemini.com.br. hostmaster.capgemini.com. 2012050722 900 600 86400 3600
;; Query time: 12 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Fri Oct 6 17:16:46 2017
;; MSG SIZE rcvd: 98
Other queries, like A, ANY or SOA, work perfectly.
I asked for a verification of the firewall, but the owners told me that there's no problem with ‘query blocking’ on their side…
Does anybody have an idea of what to do next?
Thanks all!
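The two dig results above differ only in the header: SERVFAIL versus NOERROR with an empty ANSWER section. The following added example (not from the poster, not a real resolver) builds constructed wire-format replies shaped like those two responses and shows how a CA's CAA check reads them: an empty NOERROR/NXDOMAIN answer means "no CAA here, climb to the parent", while SERVFAIL means the lookup failed and the CA cannot confirm that no CAA record exists. The SOA values and domain names are the ones shown in the dig output; the transaction IDs are arbitrary.

```python
import struct

QTYPE_CAA, QCLASS_IN, QTYPE_SOA = 257, 1, 6
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Dotted name -> DNS wire format (uncompressed labels, root terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_caa_response(qname, rcode, soa_authority=False, txid=0x1234):
    """Constructed reply: header + CAA question, optionally one SOA in AUTHORITY
    (the shape Google returned for capgemini.com.br). Not captured traffic."""
    authority = b""
    if soa_authority:
        rdata = (encode_name("ns1." + qname) + encode_name("hostmaster." + qname)
                 + struct.pack("!IIIII", 2012050722, 900, 600, 86400, 3600))
        # 0xC00C = compression pointer to the question name at offset 12
        authority = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 1791, len(rdata)) + rdata
    flags = 0x8180 | (rcode & 0xF)           # QR=1, RD=1, RA=1, RCODE in low 4 bits
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 1 if soa_authority else 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_CAA, QCLASS_IN) + authority

def parse_header(msg):
    """Decode the 12-byte DNS header; the CAA decision needs only RCODE and ANCOUNT."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify_caa_reply(msg):
    """What a CA's CAA processing (RFC 8659) concludes from this reply."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] == RCODE_SERVFAIL:
        return "lookup failed (SERVFAIL): CA cannot confirm absence of CAA, treated as blocking"
    if h["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN) and h["ancount"] == 0:
        return "no CAA at this name: CA climbs to the parent; no CAA anywhere means issue allowed"
    if h["rcode"] == RCODE_NOERROR:
        return "CAA records present: CA evaluates issue/issuewild tags"
    return "unexpected " + RCODE_NAMES.get(h["rcode"], "RCODE%d" % h["rcode"])

if __name__ == "__main__":
    for name, rcode, soa in (("zaffari.com.br", RCODE_SERVFAIL, False),
                             ("capgemini.com.br", RCODE_NOERROR, True)):
        print(name, "->", classify_caa_reply(build_caa_response(name, rcode, soa)))
```

When debugging the real server, compare the RCODE in the header of its reply the same way: a correctly configured authoritative server with no CAA records answers NOERROR with ANCOUNT 0 and the zone's SOA in AUTHORITY, exactly as the second dig output shows.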