SERVFAIL looking up CAA for jbh1.i2rs.nl , even when done numerous times

kwoot · January 18, 2021, 8:51am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: i2rs.nl

I ran this command: (even in a loop but to no avail) certbot certonly --nginx --dry-run -d "jbh1.i2rs.nl"

It produced this output:

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> -t caa i2rs.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22159
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;i2rs.nl. IN CAA

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Jan 17 11:20:36 CET 2021
;; MSG SIZE rcvd: 36

root@h1-ub18-jbh:~# certbot certonly --nginx --dry-run -d 'jbh1.i2rs.nl'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Simulating a certificate request for jbh1.i2rs.nl
Performing the following challenges:
http-01 challenge for jbh1.i2rs.nl
Waiting for verification...
Challenge failed for domain jbh1.i2rs.nl
http-01 challenge for jbh1.i2rs.nl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: jbh1.i2rs.nl
Type: dns
Detail: DNS problem: SERVFAIL looking up CAA for jbh1.i2rs.nl - the
domain's nameservers may be malfunctioning

My web server is (include version): ningx 1.14.0

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): snap certbot 1.11.0 889

IMPORTANT NOTES:

The following errors were reported by the server:

Detail: DNS problem: SERVFAIL looking up CAA for jbh1.i2rs.nl - the

JuergenAuer · January 18, 2021, 10:21am

Hi @kwoot

looks like

your dns configuration is buggy (and)
my tool https://check-your-website.server-daten.de/?q=jbh1.i2rs.nl has a small bug, so it's buggy too.

First, rechecked with Unboundtest (same as Letsencrypt uses) - same result: Servfail. https://unboundtest.com/m/CAA/jbh1.i2rs.nl/ZXP2DL6F

validate(nodata): sec_status_bogus

Same result with a local Unbound version:

[1610963311] libunbound[22428:0] info: validate(nodata): sec_status_bogus
jbh1.i2rs.nl. has no CAA record (BOGUS (security failure))
validation failure <jbh1.i2rs.nl. CAA IN>: nodata proof failed from 2001:678:76c:167:53::10 and 178.251.195.254

But there - https://check-your-website.server-daten.de/?q=jbh1.i2rs.nl - all is green.

But:

You have a wildcard *.i2rs.nl A 159.65.192.235
You have an explicit A: jbh1.i2rs.nl A 148.251.150.51

So the domain name jbh1.i2rs.nl exists in your zone.

But checking CAA there is a Not-Existing-proof:

CAA-Query sends a valid NSEC3 RR as result with the hashed query name "dk9hekuqpi76428gr717cruqa3ahcjf6" between the hashed NSEC3-owner "cvdcv3m6sf75di9skda6nrh88kodshtr" and the hashed NextOwner "f00277a6phmt990ts4m9lv6a18970ni2". So the zone confirmes the not-existence of that CAA RR.

That NSEC3 is wrong. Same with the not existing AAAA.

Is your DNSSEC zone definition up to date? Recalculate your zone.

kwoot · January 18, 2021, 10:44am

Thank you!
I added a CAA record for jbh1.i2rs.nl and now a dry-run works!
But I still not understand why I had to add a CAA record specific for this host when the certbot docs say it's not mandatory.
Regards, Jeroen

JuergenAuer · January 18, 2021, 10:51am

That's expected.

You use DNSSEC
Your DNSSEC implementation is buggy
The bug isn't visible if a CAA exists (then the CAA is sent back with a signing RRSIG)
The bug is visible if you don't have a CAA, then a NoData/NotExisting-proof is required. You have an A-record -> so it must be a NoData-proof -> but you send a NotExisting-proof -> that's your buggy system

Your system says:

jbh1.i2rs.nl exists and doesn't exist -> bogus.

kwoot · January 18, 2021, 11:13am

Hi,

I do not see any DNSKEY records, and my only way to manage my zone file is through a web interface.
and dig DNSKEY i2rs.nl. +multiline is emtpy.
So how do you see I use DNSSEC? That way I can contact my DNS providers support department.

Kind regards,
Jeroen Baten

JuergenAuer · January 18, 2021, 11:28am

Your parent zone has a DS -> you use DNSSEC:

dig DS i2rs.nl.

shows your DS, same with DNSKEY.

Or use online tools, then you see a lot of results.

kwoot · January 19, 2021, 9:00am

Funny. When I do dig DS i2rs.nl I see nothing. It could be that the DNS provider had an error. Could you please recheck and confirm that I still have a DS?

JuergenAuer · January 19, 2021, 9:22am

You have one and your configuration is buggy. Looks like you use a not working DNS.

Please use online tools.

:~$ dig DS i2rs.nl.

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> DS i2rs.nl.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14255
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;i2rs.nl. IN DS

;; ANSWER SECTION:
i2rs.nl. 3600 IN DS 57517 8 2 9B99CAF6CD9D1A76295CEA22AE84A80C71F034B207808899FEE1D248 09457145

;; Query time: 21 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Tue Jan 19 10:20:25 CET 2021
;; MSG SIZE rcvd: 84

kwoot · January 19, 2021, 10:01am

This is so weird!
One query from my own Ubuntu 20.04 desktop system and one directed at the NS of my DNS provider:

Why do you see a DS and I don't?

$ dig DS i2rs.nl.

; <<>> DiG 9.16.1-Ubuntu <<>> DS i2rs.nl.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57411
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;i2rs.nl. IN DS

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: di jan 19 10:57:54 CET 2021
;; MSG SIZE rcvd: 36

$ dig @ns.argewebhosting.nl -t DS i2rs.nl.

; <<>> DiG 9.16.1-Ubuntu <<>> @ns.argewebhosting.nl -t DS i2rs.nl.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40262
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;i2rs.nl. IN DS

;; AUTHORITY SECTION:
i2rs.nl. 3600 IN SOA ns1.argewebhosting.eu. hostmaster.argeweb.nl. 2021011800 10800 3600 604800 3600

;; Query time: 7 msec
;; SERVER: 5.100.229.198#53(5.100.229.198)
;; WHEN: di jan 19 10:58:24 CET 2021
;; MSG SIZE rcvd: 112

_az · January 19, 2021, 10:20am

Looks like you already worked this out?

Key tag 57517 is present in both the nl zone (your DS record) and in your actual zone (one of the DNSKEY records on e.g. ns.argewebhosting.nl).

JuergenAuer · January 19, 2021, 10:26am

Your local system is buggy or not completely recursive.

dig @ns.argewebhosting.nl -t DS i2rs.nl.

may be the wrong server, you must ask the parent zone, not your zone.

kwoot · January 19, 2021, 1:15pm

Sorry, I give up.
Other work to do. Thanks everyone for your time and attention. I really appreciate it.

Regards,
Jeroen

system · February 18, 2021, 1:15pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.