SERVFAIL for A record, can't reproduce outside of Let's Encrypt

Hello,

We are experiencing an odd issue with a client with the following error for the FQDN clients.mishraservers.com:

'urn:acme:error:connection': DNS problem: SERVFAIL looking up A for clients.mishraservers.com

Only thing is though, we can’t reproduce this DNS response outside of the http-01 validation process.

I have tried from multiple locations to run dig +trace clients.mishraservers.com a and the resolution is occurring correctly with status NOERROR. Same with querying direct to its NS or to caching nameservers.

Would somebody with an internal view of Boulder be able to see what is happening?

Thank you kindly!
Alex

Your domain has some issues with DNSSEC (unboundtest.com mimics configuration of DNS resolvers used by Let’s Encrypt):
https://unboundtest.com/m/CAA/clients.mishraservers.com/2TCHGHIA

info: NSEC RRset for the referral proved not a delegation point

If you try checking your domain with DNSViz, which is a pretty good DNSSEC diagnostic tool, you’ll also get errors:
http://dnsviz.net/d/clients.mishraservers.com/dnssec/.

It seems there are some problems with the way the domain is delegated.

2 Likes
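An added example, not part of the original thread: a SERVFAIL that only a validating resolver returns can be confirmed by sending the same query twice to that resolver, once normally and once with checking disabled (`dig +cd`), and comparing the headers. The dig output below is constructed sample text, not captured from the domain in this thread, and the function names and result labels are hypothetical.

```python
import re

# Constructed dig headers (sample data, not real output for this domain).
VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CHECKING_DISABLED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
SIGNED_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS = re.compile(r"status: (\w+)")
FLAGS = re.compile(r"^;; flags:([^;]*);", re.M)

def parse(dig_output):
    """Return (rcode, set of header flags) from dig's text output."""
    status = STATUS.search(dig_output)
    flags = FLAGS.search(dig_output)
    if not status or not flags:
        raise ValueError("no dig header found")
    return status.group(1), set(flags.group(1).split())

def classify(normal, cd):
    """Compare a normal query and a +cd query sent to the same validating resolver."""
    rcode, flags = parse(normal)
    cd_rcode, _ = parse(cd)
    if rcode == "SERVFAIL" and cd_rcode == "NOERROR":
        # Data exists but the resolver refused it: DNSSEC validation failed.
        return "dnssec-validation-failure"
    if rcode == "SERVFAIL":
        # Fails even with validation off: a plain resolution problem.
        return "resolution-failure"
    if rcode != "NOERROR":
        return "other:" + rcode
    # AD is set only when the resolver validated the answer.
    return "validated" if "ad" in flags else "unvalidated"

if __name__ == "__main__":
    print(classify(VALIDATING, CHECKING_DISABLED))
```
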

Perfect! Thanks for unboundtest.com, that will be a great help in future cases.

1 Like
