[Solved] CAA SERVFAIL only with 8.8.8.8

Hi Guys

When I try to run letsencrypt I get these errors:
(The URL is always ggw1805.ch. I had to remove the “.” before the top-level domain, because it automatically created a link, and new users can't use more than 20 links.)


Failed authorization procedure. www.ggw1805ch (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for www.ggw1805ch, ggw1805ch (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for ggw1805ch

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.ggw1805ch
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for www.ggw1805ch

    Domain: ggw1805ch
    Type: connection
    Detail: DNS problem: SERVFAIL looking up CAA for ggw1805ch

I know there already exist other topics with the same error, but there they always get a SERVFAIL status.
I only get a SERVFAIL status with the DNS server 8.8.8.8.

When I run “dig +short NS ggw1805ch” I get these nameservers as answer:


ns1.genotec.ch.
ns3.genotec.ch.
ns4.genotec.ch.
ns2.genotec.ch.

Then I checked the CAA record with “dig ggw1805ch @ns1.genotec.ch. CAA”.
I get a NOERROR status:


; <<>> DiG 9.10.3-P4-Ubuntu <<>> ggw1805ch @ns1.genotec.ch. CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54744
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ggw1805ch. IN CAA

;; ANSWER SECTION:
ggw1805ch. 310 IN CNAME uhr-it.ch.ggw1805ch.
uhr-it.ch.ggw1805ch. 310 IN CNAME uhr-it.ch.ggw1805ch.

;; Query time: 21 msec
;; SERVER: 82.195.224.5#53(82.195.224.5)
;; WHEN: Tue Oct 31 21:21:43 CET 2017
;; MSG SIZE rcvd: 77

But when I check with the Google DNS server 8.8.8.8 I get the error.
“dig ggw1805ch @8.8.8.8 CAA”:


; <<>> DiG 9.10.3-P4-Ubuntu <<>> ggw1805ch @8.8.8.8 CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40285
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ggw1805ch. IN CAA

;; Query time: 231 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Oct 31 21:23:25 CET 2017
;; MSG SIZE rcvd: 39

But what is different about the Google DNS server?

Thank you so much for your help.
Best wishes
Vinzenz

Hello @vinzenz.uhr,

Pay attention to the answer section:

;; QUESTION SECTION:
;ggw1805.ch.                        IN      CAA

;; ANSWER SECTION:
ggw1805.ch.         310     IN      CNAME   uhr-it.ch.ggw1805.ch.
uhr-it.ch.ggw1805.ch.   310     IN      CNAME   uhr-it.ch.ggw1805.ch.

ggw1805.ch. points to uhr-it.ch.ggw1805.ch, and uhr-it.ch.ggw1805.ch points to itself (uhr-it.ch.ggw1805.ch), so it is creating a beautiful loop; you should fix those CNAMEs.

Good luck,
sahsanu

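To make the failure mode concrete, here is an added example (not part of sahsanu's reply or anything from the thread) that models how a CAA lookup behaves over the two record sets above. It follows the CNAME chain for the queried name and then for each parent name, the way RFC 6844 describes CAA lookup, and reports SERVFAIL when the chain loops. The zone data is constructed from the dig output in the thread; the CAA value in the "fixed" zone, the `www` A record and the hop limit are assumptions for the illustration, not facts from the page.

```python
"""Toy CAA lookup over an in-memory zone, with CNAME-loop detection.

Constructed for illustration: the record sets below are modelled on the dig
output in the thread, not fetched from the real ggw1805.ch zone.
"""

from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]  # owner name -> [(rtype, rdata), ...]

# Snapshot of the broken state: the apex aliases to a name that aliases to itself.
LOOPED_ZONE: Zone = {
    "ggw1805.ch.": [("CNAME", "uhr-it.ch.ggw1805.ch.")],
    "uhr-it.ch.ggw1805.ch.": [("CNAME", "uhr-it.ch.ggw1805.ch.")],
}

# Same names with the loop removed. The CAA value and the A record are
# assumed placeholders, not records taken from the thread.
FIXED_ZONE: Zone = {
    "ggw1805.ch.": [("CAA", '0 issue "letsencrypt.org"')],
    "www.ggw1805.ch.": [("A", "192.0.2.10")],
}

MAX_CHAIN = 8  # assumption: hop limit a recursive resolver might enforce


def canonical(zone: Zone, name: str) -> Tuple[str, List[str]]:
    """Follow CNAMEs from `name`. Returns (final_name, chain) or raises
    LookupError when the chain revisits a name or grows past MAX_CHAIN."""
    chain: List[str] = []
    while True:
        chain.append(name)
        targets = [rdata for rtype, rdata in zone.get(name, []) if rtype == "CNAME"]
        if not targets:
            return name, chain  # no alias here: this is the canonical name
        target = targets[0]
        if target in chain:
            raise LookupError("CNAME loop: " + " -> ".join(chain + [target]))
        if len(chain) >= MAX_CHAIN:
            raise LookupError("CNAME chain too long: " + " -> ".join(chain))
        name = target


def parents(name: str) -> List[str]:
    """'www.example.ch.' -> ['www.example.ch.', 'example.ch.', 'ch.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]


def lookup_caa(zone: Zone, name: str) -> Tuple[str, object]:
    """Mimic a recursive resolver's answer to a CAA query.

    For the queried name and then each ancestor, resolve aliases and look
    for CAA at the canonical name. A loop anywhere on that path makes the
    lookup fail, which is what 8.8.8.8 reported as SERVFAIL in the thread.
    Returns ("NOERROR", [caa rdata...]) or ("SERVFAIL", reason).
    """
    for candidate in parents(name):
        try:
            final, _ = canonical(zone, candidate)
        except LookupError as err:
            return "SERVFAIL", str(err)
        caa = [rdata for rtype, rdata in zone.get(final, []) if rtype == "CAA"]
        if caa:
            return "NOERROR", caa
    return "NOERROR", []  # no CAA anywhere up the tree: issuance is unrestricted


if __name__ == "__main__":
    for zone_name, zone in (("looped", LOOPED_ZONE), ("fixed", FIXED_ZONE)):
        for qname in ("www.ggw1805.ch.", "ggw1805.ch."):
            print(zone_name, qname, lookup_caa(zone, qname))
```

Running it shows both `www.ggw1805.ch.` and `ggw1805.ch.` failing against the looped data (the `www` name has no alias itself, but the walk up to the apex hits the loop), while the fixed data returns the CAA record for both. The authoritative server in the thread answered NOERROR because it just handed back the two CNAMEs without chasing them; a recursive resolver has to follow the chain, and that is where the difference between `@ns1.genotec.ch.` and `@8.8.8.8` comes from.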

Hey sahsanu

That’s funny.
I never saw that.
I'll try to fix it and post the result.
Thx for the quick advice.

Cheers Vinzenz

The loop was the problem.
It works fine now.

Thank you so much!

Greetings from Switzerland
Vinz

