[SOLVED] Server failure at resolver during A-record lookup of ldap.nics.info


#1

Hi there,

I’m a webadmin and I’m setting up LE for ldap.nics.cc and ldap.nics.info, when the resolve error was reported.

But I’ve tested on many VPSes I own, and all of them can correctly resolve my domain name. Here is dig +trace ldap.nics.info on my DigitalOcean VPS.

dig +trace  @8.8.8.8 ldap.nics.info

; <<>> DiG 9.9.5-9-Debian <<>> +trace ldap.nics.info
;; global options: +cmd
.            2132    IN    NS    a.root-servers.net.
.            2132    IN    NS    b.root-servers.net.
.            2132    IN    NS    c.root-servers.net.
.            2132    IN    NS    d.root-servers.net.
.            2132    IN    NS    e.root-servers.net.
.            2132    IN    NS    f.root-servers.net.
.            2132    IN    NS    g.root-servers.net.
.            2132    IN    NS    h.root-servers.net.
.            2132    IN    NS    i.root-servers.net.
.            2132    IN    NS    j.root-servers.net.
.            2132    IN    NS    k.root-servers.net.
.            2132    IN    NS    l.root-servers.net.
.            2132    IN    NS    m.root-servers.net.
.            2132    IN    RRSIG    NS 8 0 518400 20160124050000 20160114040000 54549 . oH/N1V3Piz2L8pWVYTimnmO1ZHjjLWYSYiuJ634H4KRlKYNltwN3XMPM YpHEb/Y6+lIXtf9MDy+JjBbhKG327TAQY8HOTBqfVQqW0qIazU6emHsZ oWkkhrZI/hUaQpRMuHTQyptzXFca7PFIKIKeU83nDflRirEoHnCrM54V Qfk=
;; Received 397 bytes from 8.8.8.8#53(8.8.8.8) in 178 ms

info.            172800    IN    NS    a0.info.afilias-nst.info.
info.            172800    IN    NS    a2.info.afilias-nst.info.
info.            172800    IN    NS    b0.info.afilias-nst.org.
info.            172800    IN    NS    b2.info.afilias-nst.org.
info.            172800    IN    NS    c0.info.afilias-nst.info.
info.            172800    IN    NS    d0.info.afilias-nst.org.
info.            86400    IN    DS    8674 7 1 197789A2CBABA6FECD0B5AC88C5BC414CE1FC309
info.            86400    IN    DS    8674 7 2 EC9B6082B96B5F87143696F2B483ACC9B2C433DCE0C94E70F1FF5648 CA18008B
info.            86400    IN    RRSIG    DS 8 1 86400 20160124050000 20160114040000 54549 . fvCc3tF5mYQkwEq1euaoBCD1udu7LpFH3kYNXOiH0bW5rOefkraQbk6T 4wuGq20ZjZuP0WIezqU6TWDn2DrrRjToyftv0UAYSulG7CmlVOm67Vqu QMe0oZ092WKPoIxwa/5ojhcyuOzrdQFFd0kbor1ZTo5AKagm/lmHGx7K Nw0=
;; Received 689 bytes from 198.97.190.53#53(h.root-servers.net) in 276 ms

nics.info.        86400    IN    NS    ns1.nics.info.
nics.info.        86400    IN    NS    ns2.nics.info.
adnsd9nk7nk82he8h21rj0jjhj11o5gb.info. 3600 IN NSEC3 1 1 1 D399EAAB ADNVJ7V4T1Q89TEPTM1SIRDFOEN7MNP8 NS SOA RRSIG DNSKEY NSEC3PARAM
adnsd9nk7nk82he8h21rj0jjhj11o5gb.info. 3600 IN RRSIG NSEC3 7 2 3600 20160204155021 20160114145021 41439 info. MDgt32hmdXpUH+SqaFRXSv+UNLkfsm3ZNu6KHo+vv34vWvo7jncLig1A Wib2+Dr1GIj1KdgTEtuFYKOSvQvjNsBQrDAewtC1b8k0te+TOplW34t3 +q/4M+BGg79t+0UXBLHd6TgFg5K+VHODL7qVq5WpVOCZQ7HDNoBPe9CU uwQ=
br84005dg5194uhfvl7asrk110sult7j.info. 3600 IN NSEC3 1 1 1 D399EAAB BR8F6QTR7VE56SSLCLRCFKFJ2CJ3KHNK A RRSIG
br84005dg5194uhfvl7asrk110sult7j.info. 3600 IN RRSIG NSEC3 7 2 3600 20160130150916 20160109140916 41439 info. K9qiJfUKfKbzyOIATvCEZAgIquTOV1GFWyggXQJB++S8s10jB5FYq3xB h4UWLoiK5CmYz9zKbvhoHR+Ssx4CN0gVB3aFegHR3Riqv1GcpOM10raV zIzVtmcPi9edO7yuK0mAx7MTagVuJ2h/DxK4fnhcy7neC/aaS3WINvv4 rTM=
;; Received 606 bytes from 2001:500:1b::1#53(c0.info.afilias-nst.info) in 827 ms

ldap.nics.info.        60    IN    A    166.111.64.119
;; Received 59 bytes from 166.111.64.120#53(ns2.nics.info) in 198 ms

I wonder which DNS resolver LE uses, or is there any magic the LE server uses to dig domain names?


#2

LE uses a local instance of unbound to resolve domain names. Not sure why you’re getting this error. I assume it reproduces reliably?


#3

I did set up an unbound server and everything works reliably; I could never get a resolving error.

Feb 24 19:56:41 BigEagle unbound: [21560:0] info: processQueryTargets: nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: new target c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: sending query: nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: sending to target: <cc.> 192.54.112.34#53
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: cache memory msg=75972 rrset=97064 infra=20747 val=71915
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: iterator operate: query c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: response for c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: reply from <nstld.com.> 2001:500:126::30#53
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: query response was nodata ANSWER
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: finishing processing for c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_moddone
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: validator operate: query c5.nstld.com. AAAA IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_pass
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: iterator operate: query nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: processQueryTargets: nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: cache memory msg=76210 rrset=97064 infra=20747 val=71915
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: iterator operate: query nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: response for nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: reply from <cc.> 192.54.112.34#53
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: query response was nodata ANSWER
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: finishing processing for nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: validator operate: query nics.cc. DS IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: NSEC3s for the referral proved no DS.
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: validator operate: query ldap.nics.cc. A IN
Feb 24 19:56:41 BigEagle unbound: [21560:0] info: Verified that unsigned response is INSECURE
Feb 24 19:56:41 BigEagle unbound: [21560:0] debug: cache memory msg=76491 rrset=97519 infra=20747 val=72092

Can I get an error message from LE, such as a validation failure or anything else?


#4

Your DNS setup has warnings: http://dnsviz.net/d/ldap.nics.info/dnssec/

I don’t know how picky Unbound is but you might want to fix those and try again.

Edit: Looks fixed now.


#5

I fixed the warnings yesterday: http://dnsviz.net/d/ldap.nics.info/dnssec/

But LE still can’t look up my domain name. I need an error message to help me debug this.


#6

My issue is solved. It is due to my wrong implementation of the DNS authoritative server.


#7

That would have been an important tidbit of information. Why do you run a completely homebrew implementation?


#8

I use the PowerDNS pipe backend to implement the query logic, so that I can store DNS records the way I like (in Redis, in my case).


#9

Hi, I’m experiencing the same error with Let’s Encrypt and I’m also using PowerDNS (with MySQL backend). What change in PowerDNS solved the issue?


#10

Let’s Encrypt uses mixed-case domain names when querying, while my backend only supports lowercase names.
I changed the code of my backend to convert all letter cases to lowercase, and the problem was solved.

You can try looking at the log of pdns.
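The failure mode described in this thread, shown as an added example that is not the poster's code: a minimal PowerDNS pipe backend (ABI version 1, tab-separated `HELO`/`Q` lines in, `DATA`/`END`/`FAIL` lines out) that keys its records by exact string fails a query whose name arrives with randomized letter case, while the same handler with the query name normalized (lowercased, trailing dot stripped, as DNS name comparison is case-insensitive per RFC 4343) answers it. The in-memory record list, the example.info names, the IP addresses and the TTLs are constructed sample data standing in for the Redis or MySQL store the posters used; the `normalize` flag exists only to show the broken and fixed behaviour side by side.

```python
import sys

# Constructed sample zone data standing in for the poster's Redis/MySQL store.
# Owner names are stored however the operator typed them; load_records()
# normalizes them so that case never matters on the write side either.
SAMPLE_RECORDS = [
    ("ldap.example.info", "A", 60, "192.0.2.119"),
    ("Ns1.Example.Info", "A", 3600, "192.0.2.120"),
    ("example.info", "SOA", 3600,
     "ns1.example.info hostmaster.example.info 1 7200 3600 1209600 60"),
]


def normalize_name(name):
    """DNS names compare case-insensitively (RFC 4343): lowercase, drop trailing dot."""
    return name.rstrip(".").lower()


def load_records(rows):
    """Build the lookup table keyed by the normalized owner name."""
    table = {}
    for name, rtype, ttl, content in rows:
        table.setdefault(normalize_name(name), []).append((rtype, ttl, content))
    return table


def handle_query(line, table, normalize=True):
    """Answer one pipe-backend query line.

    Input : Q<TAB>qname<TAB>qclass<TAB>qtype<TAB>id<TAB>remote-ip
    Output: zero or more DATA<TAB>qname<TAB>qclass<TAB>type<TAB>ttl<TAB>id<TAB>content
            lines, then END.  normalize=False reproduces the case-sensitive bug:
            a resolver sending "LdAp.ExAmPlE.iNfO" gets an empty answer.
    """
    fields = line.rstrip("\r\n").split("\t")
    if fields[0] != "Q" or len(fields) < 6:
        return ["FAIL"]
    qname, qclass, qtype, qid = fields[1:5]
    key = normalize_name(qname) if normalize else qname
    reply = []
    for rtype, ttl, content in table.get(key, []):
        # PowerDNS asks for ANY when it wants every record at the name.
        if qtype == "ANY" or qtype == rtype:
            # Echo the name exactly as queried so the case the resolver
            # chose is preserved in the reply.
            reply.append("\t".join(["DATA", qname, qclass, rtype, str(ttl), qid, content]))
    reply.append("END")
    return reply


def handle_line(line, table, normalize=True):
    """Dispatch the two line kinds PowerDNS sends: the HELO handshake and queries."""
    if line.startswith("HELO\t"):
        return ["OK\tcase-insensitive pipe backend ready"]
    if line.startswith("Q\t"):
        return handle_query(line, table, normalize)
    return ["FAIL"]


def main():
    # Stand-alone use: PowerDNS (or a test harness) talks to us over stdin/stdout.
    table = load_records(SAMPLE_RECORDS)
    for line in sys.stdin:
        for out in handle_line(line, table):
            sys.stdout.write(out + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Normalizing on both the write path (`load_records`) and the read path (`handle_query`) is the point: a store that only lowercases what the operator enters still fails the moment a resolver applies case randomization to the question name, which is exactly the symptom the thread reports as a server failure at the validating resolver.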