Two _acme-challenge dns records and letsencrypt failing with DNS problem: server failure at resolver looking up TXT for _acme-challenge

Are two (or more) _acme-challenge TXT records (where one is OK from Let's Encrypt's point of view) for a domain considered an invalid situation?

I had a few domains where Let's Encrypt failed with:

“DNS problem: server failure at resolver looking up TXT for _acme-challenge…”

exactly because there were multiple _acme-challenge TXT records. Removing the old _acme-challenge entries and leaving only the recent one made Let's Encrypt pass DNS validation.

IMO letsencrypt should check all _acme-challenge records and pass if one was valid.

Hi @arek,

This is not considered an invalid situation.

Hmm. This sounds like a problem with your authoritative DNS server. Can you share the domain name(s) that failed this way so I can check our logs? I suspect your server returned a SERVFAIL response instead of the TXT records.

This is the way Let's Encrypt validates DNS-01 challenges today. Boulder, the Let's Encrypt server side CA software, loops over each TXT record and considers the validation successful when one matches the expected value.

Hope this helps,


If @arek had too many TXT records, the answer received by the DNS Server could be above 512 bytes so Let's Encrypt saw that as a SERVFAIL error.

I've tested it with 6 TXT records for _acme-challenge.domain.tld and the response from my DNS server was above 512 bytes so Let's Encrypt returned this error:

The server could not connect to the client to verify the domain :: DNS problem: server failure at resolver looking up TXT for _acme-challenge.domain.tld

Having only 3 TXT records, Let's Encrypt validates it without any issue, so I think @arek's issue was the big answer sent by the DNS Server.

Cheers,
sahsanu

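The two points made in the replies above (validation passes when any one TXT value matches, and several records can push the response past 512 bytes) can be checked offline with the following added example, which is not part of the original posts and is not Boulder's code. The key authorizations are constructed, and the size counts only header, question and compressed TXT answers, so it is a lower bound: authority, additional or DNSSEC records in a real response cross the limit with fewer TXT records.

```python
import base64
import hashlib
import struct

UDP_LIMIT = 512  # classic DNS-over-UDP payload limit without EDNS0

def dns01_txt_value(key_authorization):
    """RFC 8555 section 8.4: unpadded base64url of SHA-256(key authorization)."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def any_record_matches(txt_values, expected):
    """Any-match rule: stale records are ignored as long as one value is right."""
    return any(value == expected for value in txt_values)

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_txt_response(qname, txt_values, ttl=300):
    """Header + question + one TXT answer per value; no authority/additional."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(txt_values), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 16, 1)  # QTYPE=TXT, QCLASS=IN
    answers = b""
    for value in txt_values:
        rdata = bytes([len(value)]) + value.encode("ascii")
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += struct.pack("!HHHIH", 0xC00C, 16, 1, ttl, len(rdata)) + rdata
    return header + question + answers

def max_records_within(qname, sample_value, limit=UDP_LIMIT):
    """Largest record count whose answer-only response still fits in `limit`."""
    count = 0
    while len(build_txt_response(qname, [sample_value] * (count + 1))) <= limit:
        count += 1
    return count

# Constructed sample data: placeholder name from the thread, made-up key authorizations.
QNAME = "_acme-challenge.domain.tld"
CURRENT = dns01_txt_value("constructed-token-current.constructed-thumbprint")
STALE = [dns01_txt_value(f"constructed-token-old{i}.constructed-thumbprint") for i in range(5)]

if __name__ == "__main__":
    print("match with stale records present:", any_record_matches(STALE + [CURRENT], CURRENT))
    for n in (3, 6, 9):
        size = len(build_txt_response(QNAME, (STALE + [CURRENT] * 4)[:n]))
        print(n, "records ->", size, "bytes", "(over 512)" if size > UDP_LIMIT else "")
```

Each 43-character challenge value costs 56 bytes on the wire here, which is why cleaning up stale `_acme-challenge` records after each validation keeps the response well inside a single UDP packet.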

That's certainly a possible explanation, thanks @sahsanu! If that's the case then the problem should be resolved on ~Thursday the 1st, after this week's Boulder deploy. @jsha addressed the 512 byte answer limitation in Boulder master.


Check these:

| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.ftp.babilon-host2017.beep.pl"} | NULL | 2018-02-26 01:59:37 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.poczta.babilon-host2017.beep.pl"} | NULL | 2018-02-26 01:59:38 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.mysql01.babilon-host2017.beep.pl"} | NULL | 2018-02-26 01:59:39 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.pop3.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:04:34 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.ftp.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:04:36 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.poczta.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:04:38 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.mysql01.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:04:40 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.pop3.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:09:27 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.ftp.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:09:28 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.poczta.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:09:29 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.mysql01.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:09:30 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.pop3.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:12:35 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.ftp.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:12:36 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.poczta.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:12:37 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.mysql01.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:12:37 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.pop3.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:23:50 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.ftp.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:23:50 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.poczta.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:23:51 |
| {"type": "urn:acme:error:connection", "detail": "DNS problem: server failure at resolver looking up TXT for _acme-challenge.mysql01.babilon-host2017.beep.pl"} | NULL | 2018-02-26 02:23:52 |


There were 2 (for some) and 3 txt records I think but not more. These were deleted already, so have to check logs.

Will unbound be updated, too? :) https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=3512

Hi @Arek,

This is an unrelated problem about CNAME loops and CAA queries.

Yes, unrelated (bug that I hit), just asking if update is planned at that time, too.

There are no plans underway to update Unbound.

Hm, there would be more since these 2-3 TXT records were old/stale records (that shouldn't be there but were) and our custom letsencrypt software would add another one for current verification, so it's possible that these queries hit the 512 bytes limit mentioned earlier.
