[SOLVED] Server failure at resolver during A-record lookup of ldap.nics.info

Hi there,

I’m a webadmin and I’m setting up LE for ldap.nics.cc and ldap.nics.info, and a resolve error was reported.

But I’ve tested on many VPSes I own, and all of them can correctly resolve my domain name. Here is dig +trace ldap.nics.info on my DigitalOcean VPS.

dig +trace  @8.8.8.8 ldap.nics.info

; <<>> DiG 9.9.5-9-Debian <<>> +trace ldap.nics.info
;; global options: +cmd
.            2132    IN    NS    a.root-servers.net.
.            2132    IN    NS    b.root-servers.net.
.            2132    IN    NS    c.root-servers.net.
.            2132    IN    NS    d.root-servers.net.
.            2132    IN    NS    e.root-servers.net.
.            2132    IN    NS    f.root-servers.net.
.            2132    IN    NS    g.root-servers.net.
.            2132    IN    NS    h.root-servers.net.
.            2132    IN    NS    i.root-servers.net.
.            2132    IN    NS    j.root-servers.net.
.            2132    IN    NS    k.root-servers.net.
.            2132    IN    NS    l.root-servers.net.
.            2132    IN    NS    m.root-servers.net.
.            2132    IN    RRSIG    NS 8 0 518400 20160124050000 20160114040000 54549 . oH/N1V3Piz2L8pWVYTimnmO1ZHjjLWYSYiuJ634H4KRlKYNltwN3XMPM YpHEb/Y6+lIXtf9MDy+JjBbhKG327TAQY8HOTBqfVQqW0qIazU6emHsZ oWkkhrZI/hUaQpRMuHTQyptzXFca7PFIKIKeU83nDflRirEoHnCrM54V Qfk=
;; Received 397 bytes from 8.8.8.8#53(8.8.8.8) in 178 ms

info.            172800    IN    NS    a0.info.afilias-nst.info.
info.            172800    IN    NS    a2.info.afilias-nst.info.
info.            172800    IN    NS    b0.info.afilias-nst.org.
info.            172800    IN    NS    b2.info.afilias-nst.org.
info.            172800    IN    NS    c0.info.afilias-nst.info.
info.            172800    IN    NS    d0.info.afilias-nst.org.
info.            86400    IN    DS    8674 7 1 197789A2CBABA6FECD0B5AC88C5BC414CE1FC309
info.            86400    IN    DS    8674 7 2 EC9B6082B96B5F87143696F2B483ACC9B2C433DCE0C94E70F1FF5648 CA18008B
info.            86400    IN    RRSIG    DS 8 1 86400 20160124050000 20160114040000 54549 . fvCc3tF5mYQkwEq1euaoBCD1udu7LpFH3kYNXOiH0bW5rOefkraQbk6T 4wuGq20ZjZuP0WIezqU6TWDn2DrrRjToyftv0UAYSulG7CmlVOm67Vqu QMe0oZ092WKPoIxwa/5ojhcyuOzrdQFFd0kbor1ZTo5AKagm/lmHGx7K Nw0=
;; Received 689 bytes from 198.97.190.53#53(h.root-servers.net) in 276 ms

nics.info.        86400    IN    NS    ns1.nics.info.
nics.info.        86400    IN    NS    ns2.nics.info.
adnsd9nk7nk82he8h21rj0jjhj11o5gb.info. 3600 IN NSEC3 1 1 1 D399EAAB ADNVJ7V4T1Q89TEPTM1SIRDFOEN7MNP8 NS SOA RRSIG DNSKEY NSEC3PARAM
adnsd9nk7nk82he8h21rj0jjhj11o5gb.info. 3600 IN RRSIG NSEC3 7 2 3600 20160204155021 20160114145021 41439 info. MDgt32hmdXpUH+SqaFRXSv+UNLkfsm3ZNu6KHo+vv34vWvo7jncLig1A Wib2+Dr1GIj1KdgTEtuFYKOSvQvjNsBQrDAewtC1b8k0te+TOplW34t3 +q/4M+BGg79t+0UXBLHd6TgFg5K+VHODL7qVq5WpVOCZQ7HDNoBPe9CU uwQ=
br84005dg5194uhfvl7asrk110sult7j.info. 3600 IN NSEC3 1 1 1 D399EAAB BR8F6QTR7VE56SSLCLRCFKFJ2CJ3KHNK A RRSIG
br84005dg5194uhfvl7asrk110sult7j.info. 3600 IN RRSIG NSEC3 7 2 3600 20160130150916 20160109140916 41439 info. K9qiJfUKfKbzyOIATvCEZAgIquTOV1GFWyggXQJB++S8s10jB5FYq3xB h4UWLoiK5CmYz9zKbvhoHR+Ssx4CN0gVB3aFegHR3Riqv1GcpOM10raV zIzVtmcPi9edO7yuK0mAx7MTagVuJ2h/DxK4fnhcy7neC/aaS3WINvv4 rTM=
;; Received 606 bytes from 2001:500:1b::1#53(c0.info.afilias-nst.info) in 827 ms

ldap.nics.info.        60    IN    A    166.111.64.119
;; Received 59 bytes from 166.111.64.120#53(ns2.nics.info) in 198 ms

I wonder which DNS resolver LE uses, or is there any magic the LE server uses to dig domain names?

LE uses a local instance of unbound to resolve domain names. Not sure why you’re getting this error. I assume it reproduces reliably?

I did set up an unbound server and everything works reliably; I could never get a resolving error.

Feb 24 19:56:41 BigEagle unbound: [21560:0] info: processQueryTargets: nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: new target c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: sending query: nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: sending to target: <cc.> 192.54.112.34#53
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: cache memory msg=75972 rrset=97064 infra=20747 val=71915
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: iterator operate: query c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: response for c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: reply from <nstld.com.> 2001:500:126::30#53
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: query response was nodata ANSWER
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: finishing processing for c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_moddone
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: validator operate: query c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_pass
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: iterator operate: query nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: processQueryTargets: nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: cache memory msg=76210 rrset=97064 infra=20747 val=71915
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: iterator operate: query nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: response for nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: reply from <cc.> 192.54.112.34#53
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: query response was nodata ANSWER
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: finishing processing for nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: validator operate: query nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: NSEC3s for the referral proved no DS.
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: validator operate: query ldap.nics.cc. A IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: Verified that unsigned response is INSECURE
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: cache memory msg=76491 rrset=97519 infra=20747 val=72092

Can I get an error message from LE such as validation failure or anything else?

Your DNS setup has warnings: http://dnsviz.net/d/ldap.nics.info/dnssec/

I don’t know how picky Unbound is but you might want to fix those and try again.

Edit: Looks fixed now.

I fixed the warnings yesterday, http://dnsviz.net/d/ldap.nics.info/dnssec/

But LE still can’t look up my domain name. I need an error message to help me debug this.

My issue is solved. It was due to my wrong implementation of the authoritative DNS server.

That would have been an important tidbit of information. Why do you run a completely homebrew implementation?

I use the PowerDNS pipe backend to implement the query logic, so that I can store DNS records in the way I like (in redis in my case).

Hi, I’m experiencing the same error with Let’s Encrypt and I’m also using PowerDNS (with MySQL backend). What change in PowerDNS solved the issue?

Let’s Encrypt uses mixed-case domain names when querying, while my backend only supports lowercased names.
I changed the code of my backend to convert all letters to lowercase, problem solved.

You can try looking at the log of pdns.

1 Like
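
The fix described above (fold the query name to lowercase before the backend lookup), as an added example that is not the poster's code: a minimal PowerDNS pipe-backend handler for ABI version 1, with an in-memory dict standing in for the Redis store. `RECORDS`, `normalize`, `lookup` and `handle_line` are hypothetical names, and the `fold_case=False` path reproduces the exact-match behaviour that returns nothing for a mixed-case query.

```python
import sys

# Constructed records, keyed by lowercase owner name (stand-in for the Redis store).
RECORDS = {
    ("ldap.nics.info", "A"): [(60, "166.111.64.119")],
}

def normalize(qname):
    """DNS names compare case-insensitively: fold case, drop a trailing dot."""
    return qname.rstrip(".").lower()

def lookup(qname, qtype, fold_case=True):
    """Return (rtype, ttl, content) tuples; fold_case=False is the buggy exact match."""
    key = normalize(qname) if fold_case else qname.rstrip(".")
    return [(rtype, ttl, content)
            for (name, rtype), rrs in RECORDS.items()
            if name == key and qtype in (rtype, "ANY")
            for ttl, content in rrs]

def handle_line(line, fold_case=True):
    """Answer one tab-separated pipe-backend (ABI version 1) line."""
    fields = line.rstrip("\n").split("\t")
    if fields[0] == "HELO":
        return ["OK\tcase-folding example backend"]
    if fields[0] != "Q" or len(fields) < 6:
        return ["FAIL"]
    _, qname, qclass, qtype, qid, _remote = fields[:6]
    # Echo the name as PowerDNS sent it; only the store lookup is case-folded.
    out = [f"DATA\t{qname}\t{qclass}\t{rtype}\t{ttl}\t{qid}\t{content}"
           for rtype, ttl, content in lookup(qname, qtype, fold_case)]
    return out + ["END"]

def main():
    # PowerDNS writes one request per line on stdin and reads replies on stdout.
    for line in sys.stdin:
        for reply in handle_line(line):
            print(reply, flush=True)

if __name__ == "__main__":
    main()
```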