SERVFAIL Looking for CAA

Hi! First of all, I looked up similar questions.

I have a problem issuing certificates for farmaciahercules.com.
The following errors were reported by the server:

Domain: www.farmaciahercules.com
Type: None
Detail: DNS problem: SERVFAIL looking up CAA for
farmaciahercules.com

I did a dig on the domain and it seems like it’s all OK to me. Any ideas? Thanks.

; <<>> DiG 9.9.5-9+deb8u17-Debian <<>> farmaciahercules.com CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40960
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;farmaciahercules.com.		IN	A

;; ANSWER SECTION:
farmaciahercules.com.	85	IN	CNAME	rizzo.evolufarma.es.
rizzo.evolufarma.es.	235	IN	A	149.202.193.224

;; AUTHORITY SECTION:
evolufarma.es.		76662	IN	NS	ns1.cdmon.net.
evolufarma.es.		76662	IN	NS	ns2.cdmon.net.

;; ADDITIONAL SECTION:
ns1.cdmon.net.		159417	IN	A	35.189.106.232
ns2.cdmon.net.		159417	IN	A	35.195.57.29

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 13 10:05:24 CET 2019
;; MSG SIZE  rcvd: 175

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46451
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;CAA.				IN	A

;; AUTHORITY SECTION:
.			10434	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2019031300 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 13 10:05:24 CET 2019
;; MSG SIZE  rcvd: 107

The nameservers for evolufarma.es might work, but the nameservers for farmaciahercules.com actually return SERVFAIL.

$ dig +dnssec +norecurse @82.194.64.51 farmaciahercules.com caa

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec +norecurse @82.194.64.51 farmaciahercules.com caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5130
;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;farmaciahercules.com.          IN      CAA

;; ANSWER SECTION:
farmaciahercules.com.   3600    IN      CNAME   rizzo.evolufarma.es.

;; AUTHORITY SECTION:
farmaciahercules.com.   3600    IN      SOA     dns1.canaldominios.com. dns.canaldominios.com. 1 7200 1800 151200 3600

;; Query time: 146 msec
;; SERVER: 82.194.64.51#53(82.194.64.51)
;; WHEN: Wed Mar 13 09:21:15 UTC 2019
;; MSG SIZE  rcvd: 130

I’d guess that’s probably the problem.

By the way, it’s not legal to have a CNAME record at the zone apex. Though it probably has nothing directly to do with this problem.

3 Likes
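
The two dig transcripts in this thread differ in what was actually asked: the question sections of the first show A queries for farmaciahercules.com. and for the name CAA., while the second shows a CAA query that 82.194.64.51 answered with SERVFAIL. The sketch below is an added example, not part of the original posts; the function name `check_dig` and its finding codes are hypothetical, and the sample input is trimmed from the output quoted above.

```python
import re

# Sample input: trimmed excerpts of the two dig transcripts quoted in this thread.
LOCAL_DIG = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40960
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;farmaciahercules.com.    IN    A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46451
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;CAA.                     IN    A
"""
AUTH_DIG = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5130
;; flags: qr aa ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;farmaciahercules.com.          IN      CAA
;; ANSWER SECTION:
farmaciahercules.com.   3600    IN      CNAME   rizzo.evolufarma.es.
;; AUTHORITY SECTION:
farmaciahercules.com.   3600    IN      SOA     dns1.canaldominios.com. dns.canaldominios.com. 1 7200 1800 151200 3600
"""

def check_dig(text, name, rtype="CAA"):
    """Return one or more finding codes per response in a dig transcript (hypothetical helper)."""
    fqdn = name.rstrip(".").lower() + "."
    findings = []
    for resp in text.split(";; Got answer:")[1:]:
        status = re.search(r"status: (\w+)", resp).group(1)
        qname, qtype = re.search(r"QUESTION SECTION:\n;(\S+)\s+IN\s+(\S+)", resp).groups()
        if (qname.lower(), qtype.upper()) != (fqdn, rtype):
            findings.append("WRONG_QUESTION")   # dig never asked for name/rtype
            continue
        if status == "SERVFAIL":
            findings.append("SERVFAIL")         # the failure the CA reported
        owner = re.escape(fqdn)
        has = lambda t: re.search(rf"^{owner}\s+\d+\s+IN\s+{t}\s", resp, re.M | re.I)
        if has("CNAME") and has("SOA"):         # SOA owner == name means name is the apex
            findings.append("APEX_CNAME")
    return findings

if __name__ == "__main__":
    print("local resolver:", check_dig(LOCAL_DIG, "farmaciahercules.com"))
    print("authoritative: ", check_dig(AUTH_DIG, "farmaciahercules.com"))
```
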

Thanks for the fast response. Now I see the issue. Thanks! It is fixed now.

1 Like
