SERVFAIL looking up CAA for jbh1.i2rs.nl , even when done numerous times

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: i2rs.nl

I ran this command: (even in a loop but to no avail) certbot certonly --nginx --dry-run -d "jbh1.i2rs.nl"

It produced this output:

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> -t caa i2rs.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22159
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;i2rs.nl. IN CAA

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Jan 17 11:20:36 CET 2021
;; MSG SIZE rcvd: 36

root@h1-ub18-jbh:~# certbot certonly --nginx --dry-run -d 'jbh1.i2rs.nl'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Simulating a certificate request for jbh1.i2rs.nl
Performing the following challenges:
http-01 challenge for jbh1.i2rs.nl
Waiting for verification...
Challenge failed for domain jbh1.i2rs.nl
http-01 challenge for jbh1.i2rs.nl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: jbh1.i2rs.nl
    Type: dns
    Detail: DNS problem: SERVFAIL looking up CAA for jbh1.i2rs.nl - the
    domain's nameservers may be malfunctioning

My web server is (include version): nginx 1.14.0

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): snap certbot 1.11.0 889

1 Like

Hi @kwoot

looks like

First, rechecked with Unboundtest (same as Letsencrypt uses) - same result: Servfail. https://unboundtest.com/m/CAA/jbh1.i2rs.nl/ZXP2DL6F

validate(nodata): sec_status_bogus

Same result with a local Unbound version:

[1610963311] libunbound[22428:0] info: validate(nodata): sec_status_bogus
jbh1.i2rs.nl. has no CAA record (BOGUS (security failure))
validation failure <jbh1.i2rs.nl. CAA IN>: nodata proof failed from 2001:678:76c:167:53::10 and 178.251.195.254

But there - https://check-your-website.server-daten.de/?q=jbh1.i2rs.nl - all is green.

But:

  • You have a wildcard *.i2rs.nl A 159.65.192.235
  • You have an explicit A: jbh1.i2rs.nl A 148.251.150.51

So the domain name jbh1.i2rs.nl exists in your zone.

But checking CAA there is a Not-Existing-proof:

CAA-Query sends a valid NSEC3 RR as result with the hashed query name "dk9hekuqpi76428gr717cruqa3ahcjf6" between the hashed NSEC3-owner "cvdcv3m6sf75di9skda6nrh88kodshtr" and the hashed NextOwner "f00277a6phmt990ts4m9lv6a18970ni2". So the zone confirms the not-existence of that CAA RR.

That NSEC3 is wrong. Same with the not existing AAAA.

Is your DNSSEC zone definition up to date? Recalculate your zone.

2 Likes

Thank you!
I added a CAA record for jbh1.i2rs.nl and now a dry-run works!
But I still don't understand why I had to add a CAA record specific for this host when the certbot docs say it's not mandatory.
Regards, Jeroen

1 Like

That's expected.

  • You use DNSSEC
  • Your DNSSEC implementation is buggy
  • The bug isn't visible if a CAA exists (then the CAA is sent back with a signing RRSIG)
  • The bug is visible if you don't have a CAA, then a NoData/NotExisting-proof is required. You have an A-record -> so it must be a NoData-proof -> but you send a NotExisting-proof -> that's your buggy system

Your system says:

jbh1.i2rs.nl exists and doesn't exist -> bogus.

2 Likes
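To make the NoData-versus-NotExisting distinction from the two replies above concrete, here is an added worked example; it is not code from the thread, from Unbound or from any tool mentioned in it. It implements the RFC 5155 NSEC3 hash, builds the NSEC3 chain a signer would emit for a small constructed zone (example.nl, with a made-up host list; none of this is i2rs.nl's real data), and validates a NOERROR/empty-answer response for CAA the way a resolver does: a matching NSEC3 whose bitmap lacks CAA is a valid NoData proof, while a covering NSEC3 is a non-existence proof and is therefore bogus for a name that has an A record. The buggy signer is simulated by leaving the host out of the chain; zone contents, empty salt and zero iterations are assumptions (wildcard and opt-out handling are left out).

```python
import base64
import hashlib

# base32hex (RFC 4648 "Extended Hex") alphabet, as used for NSEC3 owner labels
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_STD_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 s5 with H = SHA-1: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt).
    Returned as a lowercase base32hex label, which is how it appears as an NSEC3 owner name."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_STD_TO_HEX).lower()


def build_nsec3_chain(zone_names: dict, salt: bytes = b"", iterations: int = 0) -> list:
    """Build the chain a signer produces: one NSEC3 per existing name, sorted by hash, last one wraps to first.
    zone_names maps owner name -> set of RR types present at that name (the type bitmap)."""
    entries = sorted((nsec3_hash(n, salt, iterations), frozenset(t)) for n, t in zone_names.items())
    return [{"owner": owner, "next": entries[(i + 1) % len(entries)][0], "types": types}
            for i, (owner, types) in enumerate(entries)]


def covers(rr: dict, h: str) -> bool:
    """True if h lies strictly between owner and next. The last record of the chain wraps around,
    so for it everything above owner or below next is covered."""
    o, n = rr["owner"], rr["next"]
    if o < n:
        return o < h < n
    return h > o or h < n


def validate_nodata(qname: str, qtype: str, chain: list, salt: bytes = b"", iterations: int = 0) -> str:
    """Validate a NOERROR/empty-answer (NoData) response for (qname, qtype) against the NSEC3 RRs sent.
    A correct NoData proof is an NSEC3 whose owner hash EQUALS H(qname) and whose bitmap lacks qtype.
    Returns "secure", "bogus" or "unproven"."""
    h = nsec3_hash(qname, salt, iterations)
    for rr in chain:
        if rr["owner"] == h:
            # Matching NSEC3: the name exists. The bitmap must not list the type the server says is absent.
            return "bogus" if qtype in rr["types"] else "secure"
    for rr in chain:
        if covers(rr, h):
            # Covering NSEC3: a proof that the name does NOT exist. That is an NXDOMAIN-style proof and
            # contradicts the NOERROR rcode (and any A record already held for the name), which is the
            # "validate(nodata): sec_status_bogus ... nodata proof failed" case reported above.
            return "bogus"
    return "unproven"


# Constructed example zone (assumption, not i2rs.nl's real records): jbh1 has an A record but no CAA.
ZONE = {
    "example.nl":      {"SOA", "NS", "DNSKEY", "NSEC3PARAM", "RRSIG"},
    "*.example.nl":    {"A", "RRSIG"},
    "jbh1.example.nl": {"A", "RRSIG"},
    "www.example.nl":  {"A", "RRSIG"},
}
GOOD_CHAIN = build_nsec3_chain(ZONE)

# A signer that "forgot" jbh1 has no matching NSEC3 for it, so every NoData query for that name is
# answered with a covering record: a non-existence proof for a name that does exist.
BUGGY_CHAIN = build_nsec3_chain({k: v for k, v in ZONE.items() if k != "jbh1.example.nl"})


def rfc5155_vector() -> str:
    """RFC 5155 Appendix A test vector: H("example") with salt aabbccdd and 12 iterations
    is 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom."""
    return nsec3_hash("example", bytes.fromhex("aabbccdd"), 12)


if __name__ == "__main__":
    print("good chain :", validate_nodata("jbh1.example.nl", "CAA", GOOD_CHAIN))   # secure
    print("buggy chain:", validate_nodata("jbh1.example.nl", "CAA", BUGGY_CHAIN))  # bogus
    print("RFC 5155 vector:", rfc5155_vector())
```

The correct chain validates as secure and the buggy one as bogus, which is the same verdict Unbound gave for jbh1.i2rs.nl. To check a real response, take the salt and iteration count from the zone's NSEC3PARAM record and compare the NSEC3 owner labels against nsec3_hash(qname, salt, iterations): for a name that exists, one of them must be equal to it, not merely bracket it.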

Hi,

I do not see any DNSKEY records, and my only way to manage my zone file is through a web interface.
And dig DNSKEY i2rs.nl. +multiline is empty.
So how do you see I use DNSSEC? That way I can contact my DNS provider's support department.

Kind regards,
Jeroen Baten

2 Likes

Your parent zone has a DS -> you use DNSSEC:

dig DS i2rs.nl.

shows your DS, same with DNSKEY.

Or use online tools, then you see a lot of results.

3 Likes

Funny. When I do dig DS i2rs.nl I see nothing. It could be that the DNS provider had an error. Could you please recheck and confirm that I still have a DS?

1 Like

You have one and your configuration is buggy. Looks like you use a non-working DNS.

Please use online tools.

:~$ dig DS i2rs.nl.

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> DS i2rs.nl.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14255
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;i2rs.nl. IN DS

;; ANSWER SECTION:
i2rs.nl. 3600 IN DS 57517 8 2 9B99CAF6CD9D1A76295CEA22AE84A80C71F034B207808899FEE1D248 09457145

;; Query time: 21 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Jan 19 10:20:25 CET 2021
;; MSG SIZE rcvd: 84

2 Likes

This is so weird!
One query from my own Ubuntu 20.04 desktop system and one directed at the NS of my DNS provider:

Why do you see a DS and I don't?

$ dig DS i2rs.nl.

; <<>> DiG 9.16.1-Ubuntu <<>> DS i2rs.nl.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57411
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;i2rs.nl. IN DS

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: di jan 19 10:57:54 CET 2021
;; MSG SIZE rcvd: 36

$ dig @ns.argewebhosting.nl -t DS i2rs.nl.

; <<>> DiG 9.16.1-Ubuntu <<>> @ns.argewebhosting.nl -t DS i2rs.nl.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40262
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;i2rs.nl. IN DS

;; AUTHORITY SECTION:
i2rs.nl. 3600 IN SOA ns1.argewebhosting.eu. hostmaster.argeweb.nl. 2021011800 10800 3600 604800 3600

;; Query time: 7 msec
;; SERVER: 5.100.229.198#53(5.100.229.198)
;; WHEN: di jan 19 10:58:24 CET 2021
;; MSG SIZE rcvd: 112

1 Like

Looks like you already worked this out?

Key tag 57517 is present in both the nl zone (your DS record) and in your actual zone (one of the DNSKEY records on e.g. ns.argewebhosting.nl).

1 Like
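As an added example (not code from the thread or from any of the tools in it), this shows how the DS in the parent zone is tied to a DNSKEY in the child zone, which is what "key tag 57517 is present in both" means. It computes the RFC 4034 key tag and the DS digest over a constructed DNSKEY (the public-key bytes are a placeholder, not a real RSA key, and example.nl is an assumed owner name), parses the DS line quoted earlier in the thread, and performs the match a validator does before it trusts the child's key.

```python
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """RFC 4034 s5.1.4 / RFC 4509: digest = H(canonical owner name || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(wire_name(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """The DS record a parent publishes for a child's DNSKEY."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def parse_ds(presentation: str) -> dict:
    """Parse a DS in dig's presentation format; dig may split the digest with whitespace."""
    fields = presentation.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return {"key_tag": tag, "algorithm": alg, "digest_type": dtype, "digest": "".join(fields[i + 4:]).upper()}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """Link a parent-side DS to a child-side DNSKEY: same key tag, same algorithm, and the digest over
    owner||RDATA must equal the DS digest. The tag only narrows candidates (two keys can share a tag);
    the digest is the actual binding, which is why the owner name is part of it."""
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))


# Constructed keys (placeholders, not real RSA public keys): flags 257 = KSK/SEP, 256 = ZSK, algorithm 8.
KSK_RDATA = dnskey_rdata(257, 8, bytes(range(1, 65)))
ZSK_RDATA = dnskey_rdata(256, 8, bytes(range(64, 0, -1)))
PARENT_DS = make_ds("example.nl", KSK_RDATA)

# The DS actually shown in this thread for i2rs.nl (tag 57517, RSA/SHA-256, SHA-256 digest).
THREAD_DS = parse_ds("i2rs.nl. 3600 IN DS 57517 8 2 "
                     "9B99CAF6CD9D1A76295CEA22AE84A80C71F034B207808899FEE1D248 09457145")

if __name__ == "__main__":
    print("constructed KSK tag:", key_tag(KSK_RDATA))
    print("DS for example.nl  :", PARENT_DS)
    print("KSK matches DS     :", ds_matches(PARENT_DS, "example.nl", KSK_RDATA))   # True
    print("ZSK matches DS     :", ds_matches(PARENT_DS, "example.nl", ZSK_RDATA))   # False
    print("thread DS          :", THREAD_DS)
```

Note where the two halves live: the DS is served by the parent (the nl servers), which is why querying the zone's own authoritative server, as in dig @ns.argewebhosting.nl DS i2rs.nl, returns an empty authoritative answer; the DNSKEY is served by the child. A recursive resolver, or a query to the parent's servers, is what shows the DS.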

Your local system is buggy or not completely recursive.

dig @ns.argewebhosting.nl -t DS i2rs.nl.

may be the wrong server, you must ask the parent zone, not your zone.

2 Likes
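Added example, not from the thread: a small triage of dig headers like the ones posted above, which tells an authoritative answer (aa set, "recursion requested but not available") apart from a SERVFAIL at the local stub, a validated answer (ad set) and an unvalidated NoData. The sample headers are copied from the outputs quoted in this thread; the labels and the decision order are my own.

```python
import re

# Headers copied from the dig outputs quoted in this thread (trimmed to the lines the triage reads).
STUB_CAA = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22159
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.53#53(127.0.0.53)"""

VALIDATED_DS = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14255
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.168.0.1#53(192.168.0.1)"""

STUB_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57411
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.53#53(127.0.0.53)"""

AUTH_DS = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40262
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; SERVER: 5.100.229.198#53(5.100.229.198)"""


def parse_dig(output: str) -> dict:
    """Pull the header fields that matter for a DNSSEC triage out of dig's output."""
    status = re.search(r"status:\s*(\w+)", output)
    flags = re.search(r"flags:\s*([^;]*);", output)
    answer = re.search(r"ANSWER:\s*(\d+)", output)
    server = re.search(r"SERVER:\s*([^#\s]+)#", output)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "answer": int(answer.group(1)) if answer else 0,
        "server": server.group(1) if server else None,
        "no_recursion": "recursion requested but not available" in output,
    }


def triage(output: str) -> str:
    """Classify a dig response for the purpose of a DNSSEC/CAA problem like the one in this thread."""
    r = parse_dig(output)
    if r["no_recursion"] or "aa" in r["flags"]:
        # The zone's own authoritative server answered. It never sets 'ad', and it does not hold records
        # that live in the parent zone (the DS for its own apex), so an empty answer here says nothing
        # about whether a DS exists.
        return "authoritative"
    if r["status"] == "SERVFAIL":
        # A validating recursive (or the systemd-resolved stub in front of it) gave up. Repeating the query
        # with +cd (checking disabled) separates a validation failure, which then succeeds, from an
        # unreachable nameserver, which still fails.
        return "resolver-servfail"
    if r["status"] == "NOERROR" and "ad" in r["flags"]:
        # Authenticated data: the resolver validated the whole chain from the root.
        return "validated"
    if r["status"] == "NOERROR" and r["answer"] == 0:
        # NoData without 'ad': the resolver does not validate, or the stub does not pass the flag on, so
        # this is not evidence that the zone's denial-of-existence proofs are correct.
        return "unvalidated-nodata"
    return "unvalidated"


if __name__ == "__main__":
    for label, sample in [("stub CAA", STUB_CAA), ("validated DS", VALIDATED_DS),
                          ("stub SERVFAIL", STUB_SERVFAIL), ("authoritative DS", AUTH_DS)]:
        print(f"{label:18} {parse_dig(sample)['server']:15} -> {triage(sample)}")
```

Against the four outputs posted in this thread it labels the first CAA lookup as unvalidated-nodata, the DS answer with the ad flag as validated, the desktop's DS lookup as resolver-servfail and the query sent to ns.argewebhosting.nl as authoritative, which is the "wrong server for DS" case described just above.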

Sorry, I give up.
Other work to do. Thanks everyone for your time and attention. I really appreciate it.

Regards,
Jeroen

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.