It doesn’t work for my own resolver, or Google Public DNS, at least reliably.
Let’s Encrypt’s resolvers use randomized capitalization to increase security; i’m not certain, but that seems to be a problem in your case. Lowercase queries always seem to work, capitalized ones fail for some reason.
I don’t suppose it’s using PowerDNS, and a version older than 4.0.4?
Since when have they been doing this “trick” with the capitalization? I haven’t encountered this problem before. I see the same errors with random capitals as you do on @publicdns.goog, though not on any of the authorative servers (@ns[1-3].is.nl). Which ones would Let’s Encrypt query?
I don’t know what server my provider is using, but I will ask them to look into this.
For reference the "trick" is usually referred to as "0x20 randomization" and as far as I'm aware we've been using it since launch. I suspect the only change was the CAA servfail change. We've seen some other nameservers have a strange interaction between 0x20 and CAA records.
Ok, so that change might be what triggered the problem for me.
My provider is using the DNS server “Go away, no need to know!” so I don’t know what they are using, but can any of you verify that that there is a problem on their end?
The other thing is the 0x20 randomization, but I could only trigger that on the Google Server, not on their own. They seem to have some kind of rate limiting set up though, so right now I’m unable to test it directly @ns01.is.nl, though for now it seems to work fine on @8.8.8.8.
Can anyone provide some insight into this? My provider is not being very helpful.
I seem to get the error quite randomly on public DNS servers, but never on any of name servers registered with the domain, e.g. dig @ns01.is.nl Reports.MENziS.fACetBASE.NL CAA -> NOERROR
What could be the issue? Is it possible there is a misconfiguration on their end, even if their own server doesn't show an error?
How are you testing against the authoritative nameservers? Can you share the commands? Is it possible you're testing with public DNS servers that enforce DNSSEC (e.g. Google 8.8.8.8) and not enforcing DNSSEC when you test directly against the authoritative nameserver (e.g. with dig)?
Google and Verisign both enforce DNSSEC by default, unless you explicitly ask them not to (+cd). +dnssec just changes how much information they return.
Thanks, that’s a good tip. The TTL for A records hasn’t seemed to help.
Adding +cd changes the status from SERVFAIL to NOERROR for the Verisign case.
What is the switch to enforce DNSSEC for a server which doesn’t enforce it by default? (I couldn’t figure it out from dig -help). That would help me to further test ns01.is.nl and help show the provider what’s going wrong.
Good to have that confirmed Andrei. The problem is that so far I’ve been unable to trigger a SERVFAIL on those name servers, so I can’t prove to the provider that their DNS is misconfigured.
If you or anyone could show me the dig command(s) to trigger the SERVFAIL, it’s more likely that they will take me seriously.
To be clear the site I’m trying to renew is https://live.du.reports.menzis.facetbase.nl, but the error I get back from the ACME server is “SERVFAIL looking up CAA for reports.menzis.facetbase.nl”. So the actual certificate that I’m trying to renew is for a domain two levels deeper than the one the CAA fails for according to the ACME server.
That website you just linked shows errors requesting CAA records at every level of the domain except for the root, though most of them seem to be timeouts.
I am not sure how Let’s Encrypt deals with nested domains such as yours. I would wait until some of the people who have a better understanding chip in.
There probably isn't any. dig is a relatively simple program. Authoritative DNS servers rarely return SERVFAIL directly. Usually, in a situation like this, it's synthesized by the recursive DNS server when it encounters one or more of a variety of error conditions, such as the domain's authoritative DNS servers being down, or responding with an error code, or responding with invalid data -- all of which Namebright is guilty of -- or DNSSEC that fails validation, and so forth.
In many of those cases, dig against the authoritative server will show some sort of valid-looking-ish response, or a different sort of error.
Edit: Oops, i thought this was the Namebright thread, not the is.nl thread. I'm sorry. Still, it doesn't change the rest of my response.
It looks for a CAA record, left to right, stopping when it gets one or when it reaches the public suffix.
E.g. if you validate www.example.com, it will do CAA queries for www.example.com. and example.com..
A deeply nested case like in this thread is exactly the same except with, uh, more queries.
(In Boulder's case, prioritizing speed over resource usage, it fires off each DNS query in parallel and sorts out the results afterwards, rather than going one at a time, but that doesn't really matter.)
As @mnordhoff says, we check the FQDN, and each parent, from left to right. That means that if the nameserver for live.du.reports.menzis.facetbase.nl supports adding CAA records, you can just add a CAA record permitting issuance, and everything will work nicely. Read more here.
The same happens for me, when trying to renew the cert for m.auditcenter.hu. Also https://unboundtest.com/ shows an error message. All the other 160 domains for which I use Let’s Encrypt with the exact same configuration (from the exact same server) work correctly.