SERVFAIL looking up CAA Warning

We have a 3rd party vendor that runs one of our public websites. This vendor uses cPanel and issues SSL certs through that. We manage our DNS ourselves, so they are coming back to us with this error.

It's a warning but they are insisting it must be fixed.

The warning is:

WARN “Let’s Encrypt™” HTTP DCV error (www.redacteddomain.com): 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up CAA for www.redacteddomain.com- the domain's nameservers may be malfunctioning)

They are saying "you must create a CAA record for the domain www.redacteddomain.com". WWW is an A record, not a DNS zone, so there is no way to make a CAA record for it.

When we validate our CAA record for our domain redacteddomain.com it comes back as valid and includes letsencrypt:

redacteddomain.com.	3600	IN	CAA	0 iodef "mailto:admin@redacteddomain.com"
redacteddomain.com.	3600	IN	CAA	0 issue "letsencrypt.org"
redacteddomain.com.	3600	IN	CAA	0 issue "sectigo.com"

Why are we getting this warning when an SSL cert for Let's Encrypt is renewed? What causes it? What do you do about it? Our CAA appears to be correct for the domain.

You can have a CAA record and A record coexist for the www subdomain. Multiple records on a single label is a common thing in DNS.

I am not convinced that creating the record would solve your problem, but you could certainly give it a go.

Try throwing your www domain into unboundtest.com, letsdebug.net, disviz.net to see if it comes up with any issues as well.

4 Likes

I don't understand what you mean by "You can have a CAA record and A record coexist for the www subdomain."

We have an A record for WWW, and we have CAA records for our domain. Network Solutions doesn't let you make a CAA for anything but the domain name.

That's ... dumb.

Would you be able to take a screenshot of the user interface where they allow you to create CAA records?

3 Likes

I can't get into it right now from where I am, but when you go into manage DNS for your domain > add a record > change type of record to CAA, you only get the following fields for the domain.

Record type (CAA)
Flag (integer)
tag (issue, wildissue, iodef)
Value (what string you want associated with the tag)

and that is it

You don't need to have a CAA record for your domain, but your DNS host needs to respond properly when asked for one. "There's no CAA record here" is a proper response. "What's a CAA record?" isn't. If your DNS host is giving SERVFAIL (i.e., "What's a CAA record?") when queried for the CAA record, it's very badly broken. Creating that record might solve the immediate problem, but the real solution is to use a less-broken DNS host.

5 Likes
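The distinction the reply above draws (a "no CAA record here" answer is fine, a SERVFAIL is not) is exactly what a CA's CAA check implements: RFC 8659 says the checker starts at the requested name and climbs toward the root until it finds a CAA RRset, so an empty answer for www is normal and the parent's records apply, while a lookup failure at any step aborts issuance. The following is an added example, not code from this thread or from any CA; it models the thread's zone with a constructed in-memory lookup so it runs offline, and the zone contents, the `HEALTHY`/`BROKEN` behaviours and the `check` helper are all assumptions made for illustration.

```python
"""CAA "relevant record set" search per RFC 8659, with SERVFAIL handling.

Added example (not from the forum thread). The resolver is replaced by a
constructed in-memory lookup so the script runs offline; the two zones
model a DNS host that answers NODATA for www (healthy) and one that
answers SERVFAIL for www (the failure mode described in the thread).
"""
from dataclasses import dataclass
from typing import Callable, Optional

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags byte


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


class DNSError(Exception):
    """A CAA query failed (SERVFAIL, timeout): the CA must treat this as 'cannot issue'."""


def parse_caa(rdata: str) -> CAARecord:
    """Parse presentation format such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rdata.split(maxsplit=2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# A lookup answers one exact owner name with (rcode, [CAARecord, ...]).
Lookup = Callable[[str], tuple[str, list[CAARecord]]]


def find_relevant_caa(name: str, lookup: Lookup) -> tuple[Optional[str], list[CAARecord]]:
    """Climb from `name` toward the root; return the first non-empty CAA RRset.

    NOERROR-with-no-data and NXDOMAIN simply mean "keep climbing";
    SERVFAIL is a resolution failure and aborts the whole check.
    """
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        qname = ".".join(labels[i:]) + "."
        rcode, records = lookup(qname)
        if rcode == "SERVFAIL":
            raise DNSError(f"SERVFAIL looking up CAA for {qname}")
        if records:
            return qname, records
    return None, []


def _ca_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; a bare ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name: str, ca: str, lookup: Lookup, wildcard: bool = False) -> bool:
    """Apply the RFC 8659 issue/issuewild semantics to the relevant RRset."""
    _, records = find_relevant_caa(name, lookup)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False  # critical property the CA does not understand: must not issue
    # Wildcard names consult issuewild first and fall back to issue; others use issue only.
    for tag in (("issuewild", "issue") if wildcard else ("issue",)):
        chosen = [r for r in records if r.tag == tag]
        if chosen:
            return ca.lower() in {_ca_domain(r.value) for r in chosen}
    return True  # only iodef (or only issuewild for a non-wildcard name): unrestricted


def _records(*rdata: str) -> list[CAARecord]:
    return [parse_caa(r) for r in rdata]


# Constructed sample data modelled on the records shown in the thread.
APEX_RECORDS = _records(
    '0 iodef "mailto:admin@redacteddomain.com"',
    '0 issue "letsencrypt.org"',
    '0 issue "sectigo.com"',
)
HEALTHY = {  # www answers NODATA, so the checker climbs to the apex
    "redacteddomain.com.": ("NOERROR", APEX_RECORDS),
    "www.redacteddomain.com.": ("NOERROR", []),
}
BROKEN = {  # www answers SERVFAIL: the failure the vendor reported
    "redacteddomain.com.": ("NOERROR", APEX_RECORDS),
    "www.redacteddomain.com.": ("SERVFAIL", []),
}


def make_lookup(zone: dict) -> Lookup:
    """Names not in the zone (com., the root) answer NOERROR with no data."""
    return lambda qname: zone.get(qname, ("NOERROR", []))


def check(name: str, ca: str, zone: dict) -> str:
    """Summarise the outcome the way a CA would log it."""
    try:
        return "allowed" if issuance_allowed(name, ca, make_lookup(zone)) else "refused"
    except DNSError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for label, zone in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(f"{label}: {check('www.redacteddomain.com', 'letsencrypt.org', zone)}")
```

Running it prints `allowed` for the healthy host and `error: SERVFAIL looking up CAA for www.redacteddomain.com.` for the broken one, with identical CAA records at the apex in both cases; adding a CAA record at www would only mask the SERVFAIL on that one name. To run the same logic against live DNS, replace `make_lookup` with a function backed by a real resolver (for example dnspython's `dns.resolver.resolve(qname, "CAA")`, mapping its `NoAnswer` and `NXDOMAIN` exceptions to an empty NOERROR answer and `NoNameservers` to SERVFAIL).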

Please ensure you are only using nameservers from this one DSP.
[mixing nameservers can be difficult to properly manage (for the inexperienced)]

1 Like

It's only giving SERVFAIL for the www.redacteddomain.com, it works fine for redacteddomain.com with no host name specified.

Please show all the entries for "www".

1 Like

The only www entries are

www.redacteddomain.com. 3600 IN	A	122.14.6.47

Network Solutions only lets you add CAA as an @ root record.

Please show that there are no other nameservers involved:

Use this format:
nslookup -q=ns redacteddomain.com

and show the output on the right side:
[image]

1 Like

Non-authoritative answer:
redacteddomain.com nameserver = ns59.worldnic.com
redacteddomain.com nameserver = ns60.worldnic.com

hmm...

Then, as that all shows, Network Solutions must be to blame for "SERVFAIL" response on CAA requests to "www".

2 Likes

Since (I suspect) your DNS zone is very simple, you could quickly/easily switch your DNS Service Provider (DSP) and see if the problem goes away.

[note: you don't have to switch the domain registrar]

2 Likes

They are notorious for messing this CAA thing up. Please host your DNS elsewhere.

Also: this is why you don't redact your domain name. If you hadn't, we could've seen that the nameservers didn't behave.

3 Likes

I have to follow our company's security policy unfortunately.

1 Like

That was a use case for paid consultants, I think.

Without the domain we can't query its DNS servers, we can't see how/what/where it responds, and a lot more things that are useful to help users.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.