[SOLVED] DNSSEC problem not sure what to do

My domain is: cataclysm games

I ran this command: sudo certbot renew --dry-run

It produced this output: dns problem: servfail looking for A for cataclysm.games

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: namecheap.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


It looks like a problem with DNSSEC however I am unsure how to fix it.

My registrar does not support DNSSEC: ‘Sorry, DNSSEC is not available on this domain because this particular TLD (domain extension) does not support DNSSEC at the registry level.’

https://letsdebug.net/cataclysm.games/7634

https://unboundtest.com/m/CAA/cataclysm.games/KQQIODRI

It's not actually a DNSSEC problem.

The domain's set to use two of Namecheap's nameservers:

cataclysm.games.        86400   IN      NS      dns1.registrar-servers.com.
cataclysm.games.        86400   IN      NS      dns2.registrar-servers.com.

DNSSEC is off.

The nameservers are actually returning a SERVFAIL -- short for "server failure" -- error code:

$ dig +norecurse cataclysm.games @dns1.registrar-servers.com

; <<>> DiG 9.13.3-3+ubuntu16.04.1+deb.sury.org+1-Ubuntu <<>> +norecurse cataclysm.games @dns1.registrar-servers.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4352
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cataclysm.games.               IN      A

;; Query time: 15 msec
;; SERVER: 2620:74:19::33#53(2620:74:19::33)
;; WHEN: Tue Nov 06 05:40:55 UTC 2018
;; MSG SIZE  rcvd: 44

Something's broken or misconfigured at Namecheap. You have to contact them to fix it.

That error message is false, by the way. The TLD supports DNSSEC. Namecheap just doesn't support it well.

3 Likes
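The check used in the answer above, as an added example that is not part of the original thread: it encodes the same non-recursive query that `dig +norecurse` sends and decodes the reply header that dig prints. All function names are hypothetical, and the sample reply is constructed to mirror the header shown in the dig output (id 4352, SERVFAIL, 44 bytes).

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, qid=4352):
    """Encode an A query with RD=0, the wire equivalent of `dig +norecurse`."""
    header = struct.pack("!6H", qid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)  # class IN

def parse_header(msg):
    """Decode the 12-byte DNS header that dig prints as ->>HEADER<<-."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "status": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
            "answer": an, "authority": ns, "additional": ar}

def diagnose(hdr):
    """Classify a reply received directly from an authoritative nameserver."""
    if not hdr["qr"]:
        return "not a response"
    if hdr["status"] == "SERVFAIL":
        return "nameserver itself is failing: check the zone at the DNS host"
    if hdr["status"] == "NOERROR" and hdr["aa"] and hdr["answer"] > 0:
        return "authoritative answer: zone is being served"
    return "inconclusive: " + hdr["status"]

def constructed_reply(name, flags=0x8002):
    """Constructed sample: header (QR set, rcode 2) + question + empty OPT."""
    question = build_query(name)[12:]
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # EDNS, udp size 4096
    return struct.pack("!6H", 4352, flags, 1, 0, 0, 1) + question + opt

def query_authoritative(name, server, timeout=3.0):
    """Live check (needs network): send the RD=0 query over UDP port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_header(s.recvfrom(4096)[0])

if __name__ == "__main__":
    hdr = parse_header(constructed_reply("cataclysm.games"))
    print(hdr["status"], "->", diagnose(hdr))
```

A SERVFAIL that comes straight from the authoritative server with recursion off involves no resolver and no DNSSEC validation, which is why it points at the zone on the DNS host.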

Source: http://stats.research.icann.org/dns/tld_report/

1 Like

Thank you so much!

I contacted Namecheap and the problem was a CNAME record for my bare domain.

I removed the CNAME record and the response from dig was 'NOERROR'.

The only record I have at the DNS register now with Namecheap is an A record.

Running the auto renew command now passes.

Thanks Again!

Solved.

2 Likes
