SERVFAIL for all .wien TLDs

We have multiple .wien domains that were able to obtain LE certificates but within the last month renewal fails throwing the following message: 'DNS problem: SERVFAIL looking up A for erfolgsrechner.wien' (same message for other .wien domains)

  • all .wien domains are affected
  • there are no problems with multiple other TLDs using the same software on the same machine
  • none of the .wien domains have DS records
  • there are no issues when querying the domains on 1.1.1.1, 8.8.8.8 or 9.9.9.9

Can someone confirm or refute that this is a LE problem with the resolution of .wien domains? Thank you!

My domain is: erfolgsrechner.wien

I ran this command: [own implementation]

It produced this output:

The CA was unable to validate the file you provisioned
urn:acme:error:unauthorized
DNS problem: SERVFAIL looking up A for erfolgsrechner.wien

I can login to a root shell on my machine: yes

It appears that your authoritative nameservers fail to properly respect 0x20 randomization. This is a security method to make DNS spoofing more difficult by randomizing the case of the request. For example, if I ask 8.8.8.8 for the A record of eRfoLgsREchner.wien, I will see the answer come back with the same capitalization. However, if I ask your authoritative nameservers (as Let’s Encrypt does), I get back the name in all lowercase, which is treated as invalid.


Unbound doesn’t entirely give up, though. It will fall back, send multiple queries, and accept the answer if they match.

It usually succeeds, though usually not quickly.

It’s strange that Let’s Encrypt reported a SERVFAIL error. Success or a timeout would be more typical.

Unboundtest succeeds, slowly.

https://unboundtest.com/m/A/erfolgsrechner.wien/NRBQM43V
https://unboundtest.com/m/AAAA/erfolgsrechner.wien/T6EQYZYK


Seems reasonable, I will check on that. Although the same nameservers are used for other TLDs without any problems. Is there any explanation why only responses for .wien domains would be treated as invalid but not for .com or .at domains on the same machine and the exact same authoritative nameservers?

Can you give some examples of .com and .at domains with the same authoritative nameservers?

Sure, givester.com , jobfox.at and lok.at are using the same authoritative nameservers and the same reverse proxy server.

I will make sure 0x20 randomization works correctly in a few hours or maybe tomorrow but won’t change anything at least within the next 2 hours to make sure results are consistent.

Hi @PIT_Support

it's curious: both domains answer with lowercase, so it's invalid:

D:\temp>nslookup -type=A ErFolgsrechner.wien. nsx.puaschitz.at.
Name: erfolgsrechner.wien
Address: 193.34.206.79

D:\temp>nslookup -type=A GiVesteR.com. nsx.puaschitz.at.
Name: givester.com
Address: 193.34.206.79

My own domain - up and down.

D:\temp>nslookup -type=A www.SerVer-Daten.de. ns.inwx.de.
Name: www.SerVer-Daten.de
Address: 85.215.2.228

It was the 0x20 randomization indeed. I fixed it in my own DNS implementation on nsX and now certificate renewal for all .wien domains works again. I still don’t know why BIND9 on ns1 sends lowercase answers or why this issue only occurred with .wien domains but at least it works again. (The BIND thing is not even my department so someone else will have to fix this.)

Thanks a lot to everyone here for your quick and helpful responses!

