Strange DNS behavior


#1

So, I'm creating a cert for a mail server. The DNS AAAA record is valid. Tested it on many random servers from https://public-dns.info.

And the debug environment shows no error:

root@mail:/etc/nginx/templates# certbot certonly --staging --agree-tos --email admin@enhim.ru --webroot -w /var/lib/letsencrypt/ -d mail.enhim.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.enhim.ru.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.enhim.ru
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mail.enhim.ru/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mail.enhim.ru/privkey.pem
   Your cert will expire on 2019-02-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

But the production run says that my DNS record is wrong…
The server could not resolve a domain name :: No valid IP addresses found for mail.enhim.ru

Unfortunately, the screen buffer of PuTTY lost the answer from the server, and now it says that I made too many attempts and bans me for some time.
There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently


#2

You may already have the cert you need.
Try showing:
certbot certificates
However, mail.enhim.ru does not resolve to any IP (neither IPv4 nor IPv6) from some locations:
https://letsdebug.net/mail.enhim.ru/8305
http://dnsviz.net/d/mail.enhim.ru/dnssec/

nslookup -q=ns enhim.ru
enhim.ru nameserver = ns2.bashrtcomm.ru
enhim.ru nameserver = ns.bashrtcomm.ru
ns2.bashrtcomm.ru internet address = 195.20.197.2
ns.bashrtcomm.ru internet address = 195.20.196.66

nslookup mail.enhim.ru 195.20.197.2
Server: ns2.bashrtcomm.ru
Address: 195.20.197.2
*** ns2.bashrtcomm.ru can’t find mail.enhim.ru: Non-existent domain

nslookup mail.enhim.ru 195.20.196.66
Server: ns.bashrtcomm.ru
Address: 195.20.196.66
Name: mail.enhim.ru
Address: 92.50.162.170


#3

The domain has two nameservers:

enhim.ru.  86221  NS  ns.bashrtcomm.ru.
enhim.ru.  86221  NS  ns2.bashrtcomm.ru.

The first one thinks mail.enhim.ru exists and the second one thinks it doesn’t exist.

Their SOA records have different serial numbers – 2018111601 and 2018111605.

Additionally, both of their IPv6 addresses don’t seem to respond.
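The split-brain described in this reply can be caught before an ACME run by asking each authoritative server directly and diffing the answers. The script below is an added example, not something from the thread; the `SAMPLE` data is constructed from the two nslookup answers and the two SOA serials quoted above (which serial belongs to which server is an assumption), and `query_view` is an optional live fetch that relies on the third-party `dnspython` package.

```python
"""Compare what each authoritative nameserver of a zone says about one hostname."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NsView:
    """One authoritative server's answer for the zone and hostname."""
    serial: int                         # SOA serial of the zone on that server
    addresses: frozenset = frozenset()  # A/AAAA answers; empty means NXDOMAIN or no data


def find_inconsistencies(views: dict) -> list:
    """Return human-readable findings; an empty list means all servers agree."""
    findings = []
    serials = {ns: v.serial for ns, v in views.items()}
    if len(set(serials.values())) > 1:
        findings.append(f"SOA serials differ: {serials}")
    answers = {ns: v.addresses for ns, v in views.items()}
    if len(set(answers.values())) > 1:
        for ns, addrs in answers.items():
            findings.append(f"{ns}: {sorted(addrs) if addrs else 'NXDOMAIN / no address'}")
    return findings


def query_view(zone: str, name: str, ns_ip: str) -> NsView:
    """Live lookup against a single server (optional; needs `pip install dnspython`)."""
    import dns.resolver  # imported lazily so the sample run works without it
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [ns_ip]          # bypass the local recursive resolver entirely
    serial = r.resolve(zone, "SOA")[0].serial
    addrs = set()
    for rtype in ("A", "AAAA"):
        try:
            addrs.update(rr.to_text() for rr in r.resolve(name, rtype))
        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
            pass                     # treated the same as "server has no record"
    return NsView(serial, frozenset(addrs))


# Constructed sample: the two answers reported earlier in this thread.
# Serial-to-server assignment is an assumption; the thread only lists both values.
SAMPLE = {
    "ns.bashrtcomm.ru": NsView(2018111601, frozenset({"92.50.162.170"})),
    "ns2.bashrtcomm.ru": NsView(2018111605, frozenset()),
}

if __name__ == "__main__":
    for line in find_inconsistencies(SAMPLE) or ["all authoritative servers agree"]:
        print(line)
```

Because the CA picks whichever authoritative server answers first, a zone that fails this check can validate on one attempt and fail with "No valid IP addresses found" on the next, which is exactly the pattern seen in the first post.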


#4

Thanks, provider mistakes, but I was sure that the configs on all DNS servers are the same “by design”.