Query timed out looking up A for - wildcard CNAME problem

Hello,

I recently ran into a problem with creating new certificates, and found a strange behaviour in DNS lookup from the LE side (certificate creation through HTTP-01 (acme-challenge)).

When a domain has a wildcard CNAME - like *.somedomain.com CNAME somedomain.com - and you try to create a certificate for www.somedomain.com, it will fail with the error: “Verify error:DNS problem: query timed out looking up A for www.somedomain.com”

(Even with everything reporting correct - DNSSEC [dnsviz], letsdebug, etc…)

If you explicitly put into DNS: www.somedomain.com CNAME somedomain.com

Then everything works out perfectly - has something changed in Let’s Encrypt policy or am I doing something wrong?

As far as I know, the Let’s Encrypt validation server itself doesn’t have any clue what goes on in the DNS resolver’s (Unbound) internals. It just expects an IP address as a result; it lets the DNS resolver do its work.

Without the actual domain name we can’t help you debug it though.

There’s a decent number of threads about people running into problems with wildcard CNAMEs. I’m still convinced they’re a bad idea 😛.

Without knowing the domain, my guess would be that the wildcard CNAME causes an increased volume of DNS queries, and that increased volume leads to some of the queries being dropped.

e.g. The wildcard causes lookups for (presumably non-existent) CAA records to result in follow-up queries as the CNAME is followed.

Thanks for the reply.

Putting domain info with timestamps down below:

[Tue May 5 06:57:56 CEST 2020] www.jak-na-to.eu:Verify error:DNS problem: query timed out looking up A for www.jak-na-to.eu
[Tue May 5 06:58:41 CEST 2020] www.superpozickypresov.sk:Verify error:DNS problem: query timed out looking up A for www.superpozickypresov.sk
[Tue May 5 11:29:00 CEST 2020] www.facebook.jak-na-to.eu:Verify error:DNS problem: query timed out looking up A for www.facebook.jak-na-to.eu
[Tue May 5 11:29:53 CEST 2020] www.facebook.jak-na-to.eu:Verify error:DNS problem: query timed out looking up A for www.facebook.jak-na-to.eu
[Tue May 5 11:32:18 CEST 2020] www.twitter.jak-na-to.eu:Verify error:DNS problem: query timed out looking up A for www.twitter.jak-na-to.eu
[Tue May 5 11:36:29 CEST 2020] www.zhubnout.jak-na-to.eu:Verify error:DNS problem: query timed out looking up A for www.zhubnout.jak-na-to.eu
[Tue May 5 11:38:45 CEST 2020] www.facebook.jak-na-to.eu:Verify error:DNS problem: query timed out looking up A for www.facebook.jak-na-to.eu

You’ve got the wildcard CNAME RR back again?

I am kinda happy for wildcard CNAMEs, if you’re a developer and need a lot of dev versions of a web page. For like client1.superdeveloper.xxx, client2.superdeveloper.xxx…

I put a few domains in the comment. However, now they have fixed the CNAME problem, so currently they will not be any problem - that’s why I also showed the timestamps, so an admin or anybody who has access can check in the LE logs, or further investigate the issue.

Hi @KanibalCz

There is a check of that domain, Monday morning - https://check-your-website.server-daten.de/?q=jak-na-to.eu

You use ns.gransy.com and 4 other name servers.

There is another topic:

Same DNS provider. Maybe there are some problems.

Yes, there is a wildcard + www. CNAME. It is a client domain, I don’t want to remove the wildcard because of subdomains.

If you use a wildcard A record instead of a wildcard CNAME, does it still exhibit the same issue?

i.e.

*.somedomain.com IN A 1.2.3.4

Or do you need all the other RR types to be aliased as well?

1 Like
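
The difference between a wildcard CNAME and a wildcard A record raised above, as an added example that is not part of the original thread: a small model of authoritative wildcard synthesis (RFC 4592) and CNAME following that counts the queries a resolver sends per lookup. The zone example.test, the address 192.0.2.10 and all function names are constructed for illustration; it does not model Unbound or the Let's Encrypt validation servers.

```python
# Added example: constructed zones; example.test and 192.0.2.10 are placeholders.
def make_zone(records):
    """[(owner, rtype, rdata), ...] -> {owner: {rtype: [rdata, ...]}}"""
    zone = {}
    for owner, rtype, rdata in records:
        zone.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    return zone

def node_exists(zone, name):
    # A name exists if it owns records or has descendants (empty non-terminal).
    return any(o == name or o.endswith("." + name) for o in zone)

def authoritative_lookup(zone, qname):
    """RRsets answering qname: exact node, else RFC 4592 wildcard, else None."""
    if node_exists(zone, qname):
        return zone.get(qname, {})            # an existing name blocks the wildcard
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if node_exists(zone, encloser):       # closest encloser
            return zone.get("*." + encloser)  # None means NXDOMAIN
    return None

def resolve(zone, qname, qtype, max_queries=8):
    """Follow CNAMEs like a recursive resolver; return (rdata, queries_sent)."""
    for queries in range(1, max_queries + 1):
        rrsets = authoritative_lookup(zone, qname)
        if rrsets is None:
            return [], queries                # NXDOMAIN
        if qtype in rrsets:
            return rrsets[qtype], queries
        if "CNAME" not in rrsets:
            return [], queries                # NODATA
        qname = rrsets["CNAME"][0]            # the alias applies to every qtype
    raise RuntimeError("CNAME chain too long or looping")

APEX = ("example.test", "A", "192.0.2.10")
WILDCARD_CNAME = make_zone([APEX, ("*.example.test", "CNAME", "example.test")])
WILDCARD_A = make_zone([APEX, ("*.example.test", "A", "192.0.2.10")])
# An explicit name with any record type hides the wildcard for that name.
SHADOWED = make_zone([APEX, ("*.example.test", "CNAME", "example.test"),
                      ("www.example.test", "TXT", "constructed")])

if __name__ == "__main__":
    for label, zone in [("wildcard CNAME", WILDCARD_CNAME),
                        ("wildcard A", WILDCARD_A), ("shadowed www", SHADOWED)]:
        for qtype in ("A", "CAA"):
            print(label, qtype, resolve(zone, "www.example.test", qtype))
```
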

Thanks for the reply. I saw that thread and because of rg305’s reply I tried an explicit www. CNAME and it worked.

Prior to this thread I did a lot of testing and checks on DNS servers (worldwide propagation etc…); I really don’t want to bother everybody because of some problem that is not even on the LE side.

Thanks for the reply, I’ll try that on some domain. Give me time, I’ll post the results.

I confirm that wildcard A records work.

Tested domain: testssl.snypoznani.cz and www.testssl.snypoznani.cz

Wildcard record: *.snypoznani.cz IN A 79.98.78.149

Looks like there is only a problem with the wildcard CNAME record.

Looks like the main problem was a configuration problem of the gransy.com zone.

Read

gransy.com didn't send glue records, but instead the next SOA with the next name server.

Looked like a name server loop -> Unbound needs too long -> stop.

Should be fixed now, so wildcard CNAME should work. More time to do these checks.

Thank you for your reply, I checked that thread. I am a customer of gransy, did not realize that it could be this problem. Thank you for your clarification, and I am sorry to have bothered you. Have a nice day.

1 Like
