SERVFAIL looking up CAA

Hi everyone,

My domain is: pop3.robinson.it

I ran this command: sudo ./certbot-auto certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m hostmaster@robinson.it --webroot -w /var/www/html/ -d pop3.robinson.it --renew-by-default --test-cert

It produced this output:
Domain: pop3.robinson.it
Type: connection
Detail: DNS problem: SERVFAIL looking up CAA for pop3.robinson.it

My operating system is: Ubuntu 12.04.4 LTS
My web server is: Apache/2.2.22
My hosting provider: myself

I’ve read many posts on https://community.letsencrypt.org/search?q=caa without finding a reply.
I don’t have DNSSEC/CAA; from other topics this doesn’t seem to be a problem. Tell me if I’m wrong.
Being a provider, I checked my DNS from an external site; the answer for the CAA record is NOERROR.

dig @8.8.8.8 poP3.roBinson.it caa

; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> @8.8.8.8 poP3.roBinson.it caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14254
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;poP3.roBinson.it. IN A

;; ANSWER SECTION:
poP3.roBinson.it. 84782 IN A 89.96.131.132

;; Query time: 47 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Apr 13 09:57:25 CEST 2017
;; MSG SIZE rcvd: 61

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51039
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;caa. IN A

;; AUTHORITY SECTION:
. 86397 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017041300 1800 900 604800 86400

;; Query time: 37 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Apr 13 09:57:25 CEST 2017
;; MSG SIZE rcvd: 107

This digs from my ns1.robinson.it, which is not a recursive DNS server.
Same reply for ns2.robinson.it.

dig @ns1.robinson.it poP3.roBinson.it caa

; <<>> DiG 9.9.5-3ubuntu0.1-Ubuntu <<>> @ns1.robinson.it poP3.roBinson.it caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 911
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;poP3.roBinson.it. IN A

;; ANSWER SECTION:
poP3.roBinson.it. 86400 IN A 89.96.131.132

;; Query time: 16 msec
;; SERVER: 89.96.131.135#53(89.96.131.135)
;; WHEN: Thu Apr 13 10:00:13 CEST 2017
;; MSG SIZE rcvd: 61

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3238
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;caa. IN A

;; AUTHORITY SECTION:
. 3600 IN SOA webm01. hostmaster. 228 900 600 86400 3600

;; Query time: 15 msec
;; SERVER: 89.96.131.135#53(89.96.131.135)
;; WHEN: Thu Apr 13 10:00:13 CEST 2017
;; MSG SIZE rcvd: 83

Please help me to address the problem.

You’re using an older version of dig that doesn’t know what CAA is. “dig pop3.robinson.it caa” does a query for pop3.robinson.it. of type A and then does a query for caa. of type A.

“dig pop3.robinson.it type257” should do a proper CAA query. (CAA is, well, type number 257, and dig supports querying for arbitrary, unsupported types by number.)

CAA queries really do fail for me.

$ digr pop3.robinson.it caa @ns1.robinson.it.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse pop3.robinson.it caa @ns1.robinson.it.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 39296
;; flags: qr aa ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pop3.robinson.it.              IN      CAA

;; Query time: 140 msec
;; SERVER: 89.96.131.135#53(89.96.131.135)
;; WHEN: Thu Apr 13 09:00:55 UTC 2017
;; MSG SIZE  rcvd: 45

$ digr pop3.robinson.it caa @ns2.robinson.it.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +norecurse pop3.robinson.it caa @ns2.robinson.it.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 29324
;; flags: qr aa ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pop3.robinson.it.              IN      CAA

;; Query time: 215 msec
;; SERVER: 88.60.157.243#53(88.60.157.243)
;; WHEN: Thu Apr 13 09:00:59 UTC 2017
;; MSG SIZE  rcvd: 45

What DNS server are you using? Do you know what could be wrong?


Hello @rbinson,

You are using the parameter --test-cert, which means you are using the staging server. That is fine for testing whether your cert could be issued, but the staging server won't ignore it if your DNS server returns a SERVFAIL when trying to resolve a CAA record. If you remove --test-cert you should be able to issue your real cert, but later this year Let's Encrypt will move this requirement to production, and if you don't solve your CAA record issue you won't be able to renew/issue certs.

Your dig version does not support CAA records, so you are not asking for a CAA record. Instead, use -t TYPE257 and you will see that the Google DNS resolvers give you a SERVFAIL and your DNS servers ns1.robinson.it and ns2.robinson.it give you a REFUSED answer.

$ dig @8.8.8.8 poP3.roBinson.it -t TYPE257

; <<>> DiG 9.9.7 <<>> @8.8.8.8 poP3.roBinson.it -t TYPE257
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14236
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;poP3.roBinson.it.              IN      CAA

;; Query time: 291 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Apr 13 11:02:05 2017
;; MSG SIZE  rcvd: 45

$ dig @ns1.robinson.it poP3.roBinson.it -t TYPE257

; <<>> DiG 9.9.7 <<>> @ns1.robinson.it poP3.roBinson.it -t TYPE257
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 47814
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;poP3.roBinson.it.              IN      CAA

;; Query time: 46 msec
;; SERVER: 89.96.131.135#53(89.96.131.135)
;; WHEN: Thu Apr 13 11:02:19 2017
;; MSG SIZE  rcvd: 45

$ dig @ns2.robinson.it poP3.roBinson.it -t TYPE257

; <<>> DiG 9.9.7 <<>> @ns2.robinson.it poP3.roBinson.it -t TYPE257
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 19034
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;poP3.roBinson.it.              IN      CAA

;; Query time: 102 msec
;; SERVER: 88.60.157.243#53(88.60.157.243)
;; WHEN: Thu Apr 13 11:02:24 2017
;; MSG SIZE  rcvd: 45

Edit: @mnordhoff beat me by 1 minute ;).

Cheers,
sahsanu


Hello mnordhoff and sahsanu,
I’ve seen my error and now I know where to look to solve it.
mnordhoff won :smile:
Thank you very much.


SOLVED

  • Congratulations! Your certificate and chain have been saved…

It was a problem with my firewall: my proxy rule did not handle query types above 255.
It was also due to my poor knowledge of the dig tool.
:disappointed:

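Two things decide this thread: CAA is record type 257, so its QTYPE occupies both bytes of the 16-bit field and any tool or filter that only understands types up to 255 mishandles it (mnordhoff's and sahsanu's TYPE257 advice), and the authoritative servers answered REFUSED instead of NOERROR with an empty answer, which is what a CA needs to treat the zone as having no CAA record (the final "SOLVED" post). The Python script below is an added example, not code from the original thread or from Let's Encrypt. It builds a CAA query in DNS wire format, parses the response code, and places a model of a "types above 255" filter beside a corrected one. The filter functions, the constructed REFUSED reply and the exact rule they model are assumptions for illustration, not the poster's real firewall configuration; the script runs offline by default and only sends a packet when a nameserver is given on the command line.

```python
import socket
import struct
import sys

QTYPE_A = 1
QTYPE_CAA = 257          # 0x0101 on the wire: the high byte is what a "<= 255" rule never sees
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed DNS labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Standard query header (RD set, one question) followed by QNAME/QTYPE/QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_name(data: bytes, offset: int):
    """Decode a wire-format name, following compression pointers; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels) + ".", offset + 1
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_name(data, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data: bytes) -> dict:
    """Pull out the fields a CAA check cares about: rcode, AA flag, question type, answer count."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    qname, offset = parse_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "qname": qname, "qtype": qtype, "answers": an}


def make_refused_response(query: bytes) -> bytes:
    """Constructed reply of the kind the thread's ns1/ns2 returned: QR+AA set, RCODE=5, question echoed."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8405, 1, 0, 0, 0) + query[12:]


def question_qtype(query: bytes) -> int:
    """Read the 16-bit QTYPE that follows the QNAME in the question section."""
    _, offset = parse_name(query, 12)
    return struct.unpack("!H", query[offset:offset + 2])[0]


def proxy_allows_old(query: bytes) -> bool:
    """Assumed model of the broken rule: only query types that fit in one byte pass."""
    return question_qtype(query) <= 255


def proxy_allows_fixed(query: bytes) -> bool:
    """Corrected rule: QTYPE is a 16-bit field, so any value 1..65535 is a valid query type."""
    return 1 <= question_qtype(query) <= 65535


def query_server(server: str, name: str, qtype: int = QTYPE_CAA, timeout: float = 3.0) -> dict:
    """Send one UDP query and parse the reply (needs network; unused by the offline demo)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    if len(sys.argv) == 3:                              # caa_check.py <nameserver> <hostname>
        print(query_server(sys.argv[1], sys.argv[2]))
    else:                                               # offline demo on a constructed REFUSED reply
        q = build_query("pop3.robinson.it", QTYPE_CAA)
        print("QTYPE bytes:", q[-4:-2].hex(), "old rule:", proxy_allows_old(q),
              "fixed rule:", proxy_allows_fixed(q))
        print(parse_response(make_refused_response(q)))
```

Run it as `python3 caa_check.py <nameserver> <hostname>` to send a real TYPE257 query; the reply you want from an authoritative server with no CAA record is NOERROR with zero answers (NODATA), which a CA reads as "no CAA restriction", whereas REFUSED or SERVFAIL is exactly what makes the CAA lookup fail as in the original error.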
