We have multiple .wien domains that were able to obtain LE certificates but within the last month renewal fails throwing the following message: 'DNS problem: SERVFAIL looking up A for erfolgsrechner.wien' (same message for other .wien domains)
all .wien domains are affected
there are no problems with multiple other TLDs using the same software on the same machine
none of the .wien domains have DS records
there are no issues when querying the domains on 1.1.1.1, 8.8.8.8 or 9.9.9.9
Can someone confirm or refute that this is a LE problem with the resolution of .wien domains? Thank you!
My domain is: erfolgsrechner.wien
I ran this command: [own implementation]
It produced this output:
The CA was unable to validate the file you provisioned
urn:acme:error:unauthorized
DNS problem: SERVFAIL looking up A for erfolgsrechner.wien
It appears that your authoritative nameservers fail to properly respect 0x20 randomization. This is a security method to make DNS spoofing more difficult by randomizing the case of the request. For example, if I ask 8.8.8.8 for the A record of eRfoLgsREchner.wien, I will see the answer come back with the same capitalization. However, if I ask your authoritative nameservers (as Let’s Encrypt does), I get back the name in all lowercase, which is treated as invalid.
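A way to reproduce the check this reply describes, as an added example (not code from the thread or from Let's Encrypt's validator): it builds a query with a mixed-case name and reports whether the responding nameserver echoes the question name with exactly the case that was sent. The probe target, the sample name and the fixed query ID are assumptions.

```python
import socket
import struct


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query (RD=1) with the name's case preserved."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def question_name(msg: bytes) -> bytes:
    """Return the raw, case-preserved QNAME from a DNS message's question section."""
    pos, labels = 12, []  # question section starts right after the 12-byte header
    while True:
        n = msg[pos]
        if n == 0:
            return b".".join(labels)
        labels.append(msg[pos + 1 : pos + 1 + n])
        pos += 1 + n


def preserves_0x20(query: bytes, response: bytes) -> bool:
    """True if the server echoed the question name byte-for-byte (0x20 respected).

    A server that answers in all lowercase fails this test, which is what the
    thread describes for the affected authoritative nameservers."""
    return question_name(query) == question_name(response)


def probe(server: str, name: str = "eRfoLgsREchner.wien", timeout: float = 3.0) -> bool:
    """Send the mixed-case query over UDP to `server` (assumed address) and check the echo.

    Needs network access; the offline functions above are what the test exercises."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        r, _ = s.recvfrom(4096)
    return preserves_0x20(q, r)
```

Run `probe("8.8.8.8")` and `probe("<authoritative nameserver IP>")` side by side: the first should return True, and a False from the authoritative server is the lowercase echo the reply above is talking about.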
Seems reasonable, I will check on that. Although the same nameservers are used for other TLDs without any problems. Is there any explanation why only responses for .wien domains would be treated as invalid but not for .com or .at domains on the same machine and the exact same authoritative nameservers?
Sure, givester.com, jobfox.at and lok.at are using the same authoritative nameservers and the same reverse proxy server.
I will make sure 0x20 randomization works correctly in a few hours or maybe tomorrow but won’t change anything at least within the next 2 hours to make sure results are consistent.
It was the 0x20 randomization indeed. I fixed it in my own DNS implementation on nsX and now certificate renewal for all .wien domains works again. I still don’t know why BIND9 on ns1 sends lowercase answers or why this issue only occurred with .wien domains but at least it works again. (The BIND thing is not even my department so someone else will have to fix this.)
Thanks a lot to everyone here for your quick and helpful responses!