TXT validation not complete

We have some domains that are not validating (acme-challenge token TXT) to renew the certificate. Two examples of domains with this difficulty are:

ecoevo.com.br.
butantan.gov.br.

In Digwebinterface.com we can see the TXT entry applied properly. Using the dig command we had an answer:

butantan.gov.br. 1 IN TXT "ETPA"

and

dig +trace TXT +bufsize=512 _acme-challenge.butantan.gov.br.

; <<>> DiG 9.10.6 <<>> +trace TXT +bufsize=512 _acme-challenge.butantan.gov.br.
;; global options: +cmd
. 423484 IN NS i.root-servers.net.
. 423484 IN NS j.root-servers.net.
. 423484 IN NS k.root-servers.net.
. 423484 IN NS l.root-servers.net.
. 423484 IN NS m.root-servers.net.
. 423484 IN NS a.root-servers.net.
. 423484 IN NS b.root-servers.net.
. 423484 IN NS c.root-servers.net.
. 423484 IN NS d.root-servers.net.
. 423484 IN NS e.root-servers.net.
. 423484 IN NS f.root-servers.net.
. 423484 IN NS g.root-servers.net.
. 423484 IN NS h.root-servers.net.
;; Received 491 bytes from 127.0.0.1#53(127.0.0.1) in 70 ms

br. 172800 IN NS a.dns.br.
br. 172800 IN NS b.dns.br.
br. 172800 IN NS c.dns.br.
br. 172800 IN NS d.dns.br.
br. 172800 IN NS e.dns.br.
br. 172800 IN NS f.dns.br.
br. 86400 IN DS 2471 13 2 5E4F35998B8F909557FA119C4CBFDCA2D660A26F069EF006B403758A 07D1A2E4
br. 86400 IN RRSIG DS 8 1 86400 20210511140000 20210428130000 14631 . P7W8ndwq5sNQmly5TrH1Gdv9JmuxqivwUyMkpevHOdQTCc09F0mLe9nP G9yxS9Qu gcQvMc7fHyIPNdGHXHk1Z+++//uBeJUPDJfhKQaJP3tTWOrWZyF wy8gO/E3UizUjSqq9JEFu1/4PpFGNrgpY6k/EEajHX4lA++//qbd1Ge H5sfj0O38xPec2hit oPHsT3g2NzdK3OR7tP9pg6Zomq479lUVzZZRb XlcgMEkny5y1BjO/GhSpptxH52S0L3RY6kHouw/uR2lw7TjVuK zEtA4++K+6eoRB98qYLAcb73itdaHXqQH5U2h0UZnU4FAffAMn6AE wSR9FHK1u gVVQRQ==
;; Received 759 bytes from 199.9.14.201#53(b.root-servers.net) in 167 ms

;; Connection to 2001:12f8:2::10#53(2001:12f8:2::10) for _acme-challenge.butantan.gov.br. failed: unreachable host.
;; Connection to 2001:12f8:a::10#53(2001:12f8:a::10) for _acme-challenge.butantan.gov.br. failed: unreachable host.
butantan.gov.br. 3600 IN NS ns3.butantan.gov.br.
butantan.gov.br. 3600 IN NS ns4.butantan.gov.br.
butantan.gov.br. 900 IN NSEC bvenergia.gov.br. NS RRSIG NSEC
butantan.gov.br. 900 IN RRSIG NSEC 13 3 900 20210506120511 20210422110511 30329 gov.br. PJRmgGefoVRT5+KJ52rBDDdGdYLP/x+uLzVcfrY8gTRTGzk8rQzGVBNV zFu9qjGTjvQ+ZCuKBycTKaoXE3mNJA==
;; Received 268 bytes from 200.192.233.10#53(c.dns.br) in 29 ms

_acme-challenge.butantan.gov.br. 3600 IN TXT "FDjdNAQcmIiQ763W0PmBq-SFy8YWLiGigiyey7W49io"
;; Received 116 bytes from 200.136.54.4#53(ns4.butantan.gov.br) in 9 ms

On the Letsdebug.net website, we had the following answer:

DNSLookupFailed
FATAL
A fatal issue occurred during the DNS lookup process for ecoevo.com.br/CAA.
DNS response for ecoevo.com.br/CAA did not have an acceptable response code: SERVFAIL
TXTRecordError
FATAL
An error occurred while attempting to lookup the TXT record on _acme-challenge.ecoevo.com.br. Any resolving errors that the Let's Encrypt CA encounters on this record will cause certificate issuance to fail.
DNS response for _acme-challenge.ecoevo.com.br/TXT did not have an acceptable response code: SERVFAIL

Your DNS seems to have a few errors:

https://dnsviz.net/d/_acme-challenge.butantan.gov.br/dnssec/

This might be a reason it's not working properly.

If I ask your nameservers directly, I'm getting the same FORMERR back:

osiris@erazer ~ $ dig @ns3.butantan.gov.br +bufsize=512 _acme-challenge.butantan.gov.br. TXT

; <<>> DiG 9.16.12 <<>> @ns3.butantan.gov.br +bufsize _acme-challenge.butantan.gov.br. TXT
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 10762
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; COOKIE: 2f69fa0c6a63ac84 (echoed)
;; QUESTION SECTION:
;_acme-challenge.butantan.gov.br. IN	TXT

;; Query time: 329 msec
;; SERVER: 200.136.54.3#53(200.136.54.3)
;; WHEN: Wed Apr 28 20:57:07 CEST 2021
;; MSG SIZE  rcvd: 72

osiris@erazer ~ $ 
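The FORMERR above is the symptom a practitioner wants to isolate: does the nameserver fail only when the query carries an EDNS(0) OPT record (which validating resolvers such as Let's Encrypt's always send), or does it fail on every query? The following is an added example, not code from this thread or from Let's Encrypt. It builds raw DNS TXT queries with and without EDNS, parses the RCODE and any TXT answer, and runs both against a constructed stand-in server (`fake_authoritative`, hypothetical) that rejects EDNS the way the thread's trace suggests; `SAMPLE_TOKEN` reuses the token string from the dig +trace output as sample data, and `udp_sender` is the transport for pointing the same check at a real address such as the ns3/ns4 IPs shown above.

```python
import socket
import struct

# RCODE values from RFC 1035 / RFC 6891.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_TXT = 16
QTYPE_OPT = 41  # EDNS(0) pseudo-RR type
# Constructed sample data: the token from the thread's dig +trace output.
SAMPLE_TOKEN = b"FDjdNAQcmIiQ763W0PmBq-SFy8YWLiGigiyey7W49io"


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype, txid, edns, bufsize=512):
    """Build a DNS query; with edns=True an OPT record advertising bufsize is appended."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", QTYPE_OPT, bufsize, 0, 0) if edns else b""
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def parse_txt_answers(msg):
    """Collect the strings of every TXT RR in the answer section."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    strings = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        p = 0
        while rtype == QTYPE_TXT and p < len(rdata):  # RDATA is <len><bytes> strings
            n = rdata[p]
            strings.append(rdata[p + 1:p + 1 + n].decode("ascii"))
            p += 1 + n
    return strings


def fake_authoritative(query):
    """Hypothetical stand-in for a server that cannot handle EDNS: a query carrying an
    OPT record gets FORMERR and no answer (flags qr rd, as in the thread); a plain
    query gets the TXT record."""
    txid, _f, _qd, _an, _ns, arcount = struct.unpack(">HHHHHH", query[:12])
    question = query[12:skip_name(query, 12) + 4]
    if arcount:
        return struct.pack(">HHHHHH", txid, 0x8101, 1, 0, 0, 0) + question  # RCODE=1
    rdata = struct.pack("B", len(SAMPLE_TOKEN)) + SAMPLE_TOKEN
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, 1, 3600, len(rdata)) + rdata
    return struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0) + question + answer  # qr aa


def udp_sender(server_ip, timeout=3.0):
    """Transport for a live nameserver (not exercised offline); pass to diagnose()."""
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server_ip, 53))
            return sock.recv(4096)
    return send


def diagnose(send, name):
    """Query name/TXT with EDNS first (what a validating resolver does), then without.
    FORMERR only on the EDNS query means the server, or a middlebox in front of it,
    rejects EDNS(0); a resolver that needs it will report SERVFAIL to its client."""
    report = {}
    for mode, edns in (("edns", True), ("plain", False)):
        resp = send(build_query(name, QTYPE_TXT, 0x2A0C, edns))
        hdr = parse_header(resp)
        rcode = RCODE_NAMES.get(hdr["rcode"], str(hdr["rcode"]))
        report[mode] = {"rcode": rcode,
                        "txt": parse_txt_answers(resp) if hdr["rcode"] == 0 else []}
    report["edns_broken"] = (report["edns"]["rcode"] == "FORMERR"
                             and report["plain"]["rcode"] == "NOERROR")
    return report


if __name__ == "__main__":
    result = diagnose(fake_authoritative, "_acme-challenge.butantan.gov.br")
    for mode in ("edns", "plain"):
        print(f"{mode:5s} rcode={result[mode]['rcode']:8s} txt={result[mode]['txt']}")
    print("EDNS-only failure:", result["edns_broken"])
```

Against the stand-in, the EDNS query comes back FORMERR with no answer while the plain query returns the token, so `edns_broken` is true. To repeat the check on the real servers, call `diagnose(udp_sender("200.136.54.3"), "_acme-challenge.butantan.gov.br")` for each NS address the zone delegates to; if the plain query also fails, the problem is not EDNS-specific, and if only one server fails, the delegation is inconsistent and must be fixed on that host. The equivalent dig invocations are the ones in the reply above with and without `+noedns`.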

OK, where must we fix this? In my NS addresses?
