SERVFAIL looking up CAA .co domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://autotemp.co and http://autotemp.org

I ran this command:

It produced this output: DNS problem: SERVFAIL looking up CAA for autotemp.co (The server could not connect to the client for validation (urn:acme:error:connection))

DNS problem: SERVFAIL looking up CAA for autotemp.org (The server could not connect to the client for validation (urn:acme:error:connection))

My web server is (include version): cPanel / CentOS 6 using

The operating system my web server runs on is (include version):
cPanel / CentOS 6

Any clue? I double-checked, and Let’s Encrypt should support .co and .org domain extensions.

@jsha, could you take a look at this one?

Hi @pnutster,

Your domains have 3 DNS servers defined in the .co and .org TLDs:

ns1.optrics.net
ns2.optrics.net
ns3.optrics.net

ns1 and ns2 say you have 4 DNS servers:

ns1.optrics.net
ns2.optrics.net
ns3.optrics.net
ns4.optrics.net

ns3 and ns4 refuse to answer for your domains; it doesn’t matter which record is requested (CAA, A, AAAA, NS…), they always return REFUSED.

dig +cd +norec  @ns3.optrics.net autotemp.org  caa

; <<>> DiG 9.9.7 <<>> +cd +norec @ns3.optrics.net autotemp.org caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49537
;; flags: qr cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;autotemp.org.                  IN      CAA

;; Query time: 199 msec
;; SERVER: 74.123.71.22#53(74.123.71.22)
;; WHEN: mar nov 07 18:19:55     2017
;; MSG SIZE  rcvd: 41

And the servers that do answer requests for your domains give a NOTIMP response when a CAA record is requested, which is not a valid answer.

dig +cd +norec  @ns1.optrics.net autotemp.org  caa

; <<>> DiG 9.9.7 <<>> +cd +norec @ns1.optrics.net autotemp.org caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 16510
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;autotemp.org.                  IN      CAA

;; Query time: 198 msec
;; SERVER: 74.123.71.124#53(74.123.71.124)
;; WHEN: mar nov 07 18:21:49     2017
;; MSG SIZE  rcvd: 41

Maybe you should talk to your DNS provider or switch to another one.

Good luck,
cheers


I was mid-reply to deliver the same set of information. Thanks @sahsanu, I think you hit this nail on the head :slight_smile:

@pnutster You might find our documentation on CAA failures helpful. It discusses the NOTIMP reply that @sahsanu flagged:

Returning other opcodes, including NOTIMP, for unrecognized qtypes is a violation of RFC 1035, and needs to be fixed.

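A defender-side pre-flight check in the spirit of @sahsanu’s dig tests, written as an added example for this thread (not Let’s Encrypt’s or the forum’s code): it parses dig transcripts, flags any authoritative server whose CAA rcode is neither NOERROR nor NXDOMAIN, and reports nameservers that the parent (TLD) and child NS sets disagree about. The sample input is the two transcripts quoted above, trimmed to the lines the parser needs; the NS sets are the ones @sahsanu listed.

```python
import re

# RFC 1035: a server that is authoritative for the zone but has no record of
# the requested type answers NOERROR with an empty ANSWER section; NXDOMAIN is
# fine when the name does not exist.  REFUSED, NOTIMP or SERVFAIL make the CA's
# CAA lookup fail, which is exactly the error the original poster received.
ACCEPTABLE_RCODES = {"NOERROR", "NXDOMAIN"}

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+),", re.M)
SERVER_RE = re.compile(r"^;; SERVER: ([^#\s]+)#", re.M)
QUESTION_RE = re.compile(r"^;(\S+)\s+IN\s+(\S+)\s*$", re.M)


def parse_dig(transcript: str) -> dict:
    """Pull server address, qname, qtype and rcode out of a dig transcript."""
    hdr = HEADER_RE.search(transcript)
    srv = SERVER_RE.search(transcript)
    q = QUESTION_RE.search(transcript)
    if not (hdr and srv and q):
        raise ValueError("not a dig transcript")
    return {"server": srv.group(1), "qname": q.group(1).rstrip("."),
            "qtype": q.group(2), "rcode": hdr.group(1)}


def caa_problems(transcripts) -> list:
    """One message per nameserver whose CAA answer a CA would treat as a failure."""
    out = []
    for t in transcripts:
        r = parse_dig(t)
        if r["qtype"] == "CAA" and r["rcode"] not in ACCEPTABLE_RCODES:
            out.append(f"{r['server']} answered {r['rcode']} for CAA {r['qname']}")
    return out


def delegation_mismatch(parent_ns: set, child_ns: set) -> set:
    """Nameservers listed by only one side of the delegation (lame/inconsistent NS)."""
    return parent_ns ^ child_ns


# Sample input: the two dig transcripts quoted in the thread, trimmed.
DIG_NS3 = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 49537
;; QUESTION SECTION:
;autotemp.org.                  IN      CAA
;; SERVER: 74.123.71.22#53(74.123.71.22)
"""
DIG_NS1 = """;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 16510
;; QUESTION SECTION:
;autotemp.org.                  IN      CAA
;; SERVER: 74.123.71.124#53(74.123.71.124)
"""
PARENT_NS = {"ns1.optrics.net", "ns2.optrics.net", "ns3.optrics.net"}
CHILD_NS = PARENT_NS | {"ns4.optrics.net"}

if __name__ == "__main__":
    for msg in caa_problems([DIG_NS3, DIG_NS1]):
        print(msg)
    print("NS set mismatch:", sorted(delegation_mismatch(PARENT_NS, CHILD_NS)))
```

Both transcripts are flagged, and the mismatch check reports ns4.optrics.net as the server only the child zone advertises.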

Thanks both @cpu and @sahsanu for your answers. We’ll look into having the nameservers switched.

