itolymp
February 10, 2019, 12:04pm
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: itolymp.com
I ran this command: certbot --manual certonly
It produced this output: Failed authorization procedure. itolymp.com (http-01): urn:acme:error:dns :: DNS problem: SERVFAIL looking up A for itolymp.com
The operating system my web server runs on is (include version): Ubuntu 16
I can login to a root shell on my machine (yes or no, or I don’t know): yes
Hi @itolymp
you have buggy nameservers ( https://check-your-website.server-daten.de/?q=itolymp.com ):
|X|Fatal error: Nameserver doesn't support TCP connection: ns10.uadns.com / 82.196.1.175|
|---|---|
|X|Fatal error: Nameserver doesn't support TCP connection: ns11.uadns.com / 192.241.147.88|
|X|Fatal error: Nameserver doesn't support TCP connection: ns11.uadns.com / 2604:a880:400:d0::1699:d001|
|X|Fatal error: Nameserver doesn't support TCP connection: ns12.uadns.com / 95.216.174.31|
|X|Fatal error: Nameserver doesn't support TCP connection: ns12.uadns.com / 2a01:4f9:c010:2624::1|
Authoritative name servers must support TCP connections:
https://www.iana.org/help/nameserver-requirements
Name server reachability
The name servers must answer DNS queries over both the UDP and TCP protocols on port 53. Tests will be conducted from multiple network locations to verify the name server is responding.
This tool sees an IP address.
Unboundtest (Letsencrypt uses the same config)
https://unboundtest.com/m/A/itolymp.com/ZJQXEETI
has the same SERVFAIL.
For me, TCP does respond.
It looks like the nameservers incorrectly respond to capitalized queries with a referral to the root:
```
$ dig +norecurse @2604:a880:400:d0::1699:d001 Itolymp.Com
; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> +norecurse @2604:a880:400:d0::1699:d001 Itolymp.Com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63279
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;Itolymp.Com. IN A
;; AUTHORITY SECTION:
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
;; Query time: 44 msec
;; SERVER: 2604:a880:400:d0::1699:d001#53(2604:a880:400:d0::1699:d001)
;; WHEN: Sun Feb 10 12:45:01 UTC 2019
;; MSG SIZE rcvd: 251
```
Responses to lowercase queries are apparently correct.
That's interesting.
I've checked my code manual. The result:
The nameserver sends one byte back (0x0). If I read again, I get the rest.
There are other nameservers who send two bytes (this is the size of the following UDP-response), then reading again, then follows the rest.
So now the tool sees TCP-support.
Perhaps unboundtest (and Letsencrypt with the same settings)
https://unboundtest.com/m/A/itolymp.com/RYSPPHM5
gets the same: One byte -> SERVFAIL.
https://unboundtest.com/m/A/itolymp.com/RYSPPHM5
Query results for A itolymp.com
Response:
```
;; opcode: QUERY, status: SERVFAIL, id: 1739
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
```
But I don't see a single SERVFAIL in the answer.
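Added example, not code from the thread or from either checker tool: a small Python reader that frames TCP DNS replies per RFC 1035 section 4.2.2 with a read loop that tolerates the "one byte first, then the rest" delivery the checker tripped over, plus a header check for the "NOERROR, empty ANSWER, root NS in AUTHORITY" shape seen in the dig output above. The reply bytes and the chunked socket are constructed stand-ins, and the function names (recv_exact, read_tcp_dns_message, looks_like_root_referral) are mine.

```python
import struct
def recv_exact(sock, n):
    """Loop until exactly n bytes arrive; a single recv() may legally return just one byte."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf.extend(chunk)
    return bytes(buf)
def read_tcp_dns_message(sock):
    """RFC 1035 4.2.2: 2-byte big-endian length, then the message; both read via recv_exact()."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)
def summarize_header(msg):
    """Decode the 12-byte header: rcode, AA flag and the four section counts."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
def looks_like_root_referral(msg):
    """The dig symptom above: NOERROR, AA clear, no answers, NS records in AUTHORITY."""
    h = summarize_header(msg)
    return h["rcode"] == 0 and not h["aa"] and h["ancount"] == 0 and h["nscount"] > 0
def encode_name(name):
    """Wire-format a dotted name; '.' alone becomes the single root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def build_referral_reply(ident=63279):
    """Constructed reply modelled on the dig output: Itolymp.Com A, one root NS in AUTHORITY."""
    header = struct.pack("!HHHHHH", ident, 0x8000, 1, 0, 1, 0)  # QR=1, AA=0, NOERROR
    question = encode_name("Itolymp.Com") + struct.pack("!HH", 1, 1)  # type A, class IN
    ns_rdata = encode_name("J.ROOT-SERVERS.NET")
    authority = encode_name(".") + struct.pack("!HHIH", 2, 1, 3600000, len(ns_rdata)) + ns_rdata
    return header + question + authority
class ChunkedSocket:
    """Constructed stand-in for a TCP socket that returns data in preset chunks."""
    def __init__(self, chunks):
        self.chunks = list(chunks)
    def recv(self, n):
        chunk = self.chunks.pop(0) if self.chunks else b""  # empty bytes = peer closed
        if len(chunk) > n:  # honour the caller's limit like a real socket
            self.chunks.insert(0, chunk[n:])
            chunk = chunk[:n]
        return chunk
def demo():
    """Frame the reply as the thread describes: the first read yields one byte (0x00)."""
    reply = build_referral_reply()
    framed = struct.pack("!H", len(reply)) + reply
    msg = read_tcp_dns_message(ChunkedSocket([framed[:1], framed[1:]]))
    return msg == reply, looks_like_root_referral(msg)
```

A checker that treats the first recv() as the whole length prefix would misread this reply; a resolver such as Unbound that then cannot get a clean answer over TCP or sees a root referral for a name the server should be authoritative for has nothing left to do but SERVFAIL.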