SERVFAIL looking up TXT record when doing dns-01 challenge


#1

Hi,
I am attempting to generate a certificate for the domain new.hellomouse.net with a dns-01 challenge. The DNS record is successfully added and can be seen from Google DNS and directly, however, the server says the DNS request fails due to a SERVFAIL (or in rare cases, due to timeouts).

Direct request to DNS server:

$ dig @ns1.hellomouse.net _Acme-cHallenge.NEw.hellomouSe.Net txt

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> @ns1.hellomouse.net _Acme-cHallenge.NEw.hellomouSe.Net txt
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5454
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;_acme-challenge.new.hellomouse.net. IN	TXT

;; ANSWER SECTION:
_Acme-cHallenge.NEw.hellomouSe.Net. 5 IN TXT	"Zcb9-B9vBguJBdkkubyAtIOM3JgPERwVZ3_ojvwi0eg"

;; Query time: 185 msec
;; SERVER: 91.92.144.105#53(91.92.144.105)
;; WHEN: Sun May 20 15:23:14 PDT 2018
;; MSG SIZE  rcvd: 142

Request to Google DNS:

$ dig @8.8.8.8 _Acme-cHallenge.NEw.hellomouSe.Net txt           

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> @8.8.8.8 _Acme-cHallenge.NEw.hellomouSe.Net txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42874
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_Acme-cHallenge.NEw.hellomouSe.Net. IN	TXT

;; ANSWER SECTION:
_Acme-cHallenge.NEw.hellomouSe.Net. 4 IN TXT	"Zcb9-B9vBguJBdkkubyAtIOM3JgPERwVZ3_ojvwi0eg"

;; Query time: 279 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun May 20 15:23:31 PDT 2018
;; MSG SIZE  rcvd: 119

Error given by Let’s Encrypt:

new.hellomouse.net:Verify error:DNS problem: SERVFAIL looking up TXT for _acme-challenge.new.hellomouse.net

Earlier, attempting to verify the domains hellomouse.net, io.hellomouse.net, and www.hellomouse.net succeeded.

Command:

./acme.sh --issue -d new.hellomouse.net --staging --dns dns_hm --dnssleep 300 -k ec-256 --log-level 2 --syslog 6 --cert-file /root/certs/new/cert.pem --key-file /root/certs/new/privkey.pem --fullchain-file /root/certs/new/fullchain.pem --reloadcmd /root/certs/new/postrenew --home /root/.acme.sh --debug

The DNS server is a custom server written in Node.js. It returns NOERROR and no response for CAA requests, as it is supposed to do.


#2

Hi @iczero,

I think the problem may be that the server responds properly (?) in IPv4 at 91.92.144.105, but not in IPv6 at 2a07:1c44:3980::1.


#3

@schoen,

Thanks a lot for your help. The AAAA records for the nameservers were indeed pointing to the old DNS server. After updating them, it seems that everything is working again.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.