I’m writing a forum post which I might try to pin, asking people to share their domain names when asking for help, because it’s so helpful for debugging.
I’m also going to give steps that people should take themselves if they can’t share their domain names. One of these is to use a DNS checker to debug potential DNS and DNSSEC problems. There are, of course, dozens of tools like this out there. Can anyone suggest particular checkers that you’ve found especially helpful in terms of producing clear, useful output, and correctly diagnosing DNS and DNSSEC problems that are likely to cause trouble with Let’s Encrypt issuance?
This is an interesting question. Dig seems to be the de facto standard, and has good support for CAA records unlike nslookup. It’s also built into most Linux distros that I’m aware of, but is not on on Windows. Its output is also somewhat intimidating, but provides all info necessary. I don’t think nslookup will work, despite being simpler to use and on Windows and Linux boxes by default, because of the lack of CAA support.
For Windows, I really don’t know of a simple option that includes CAA records.
I’m going to look into Python DNS resolver packages. I think providing a script (bundled with includes if necessary) that can give Let’s Encrypt oriented output (check IPv4 vs IPv6, check CAA, check DNSSEC, even maybe have options to check for the existence/accessiblility of authz responses in DNS TXT records and webroot directories.) I’d be happy to write something up - probably this weekend or early next week when things calm down a bit for me - and see what you think.
Sorry, I was imagining recommending a web site or web sites that implement a complete DNS checker service.
I agree that using local software tools is a more complete solution, but you’ve probably seen that people on the forum have an extremely wide range of levels of technical experience, in addition to using many different operating systems. (We’ve even had a few people who didn’t know what their server OS was.) So, I was hoping for web sites where people could get relatively clear answers like “Your DNSSEC records are valid” or “Your DNSSEC records are invalid”, or “You’re missing an A record for that name”.
Ahhh, gotcha. A quick 10-minute search doesn’t return anything promising. Most don’t support CAA, and even ones that are explicitly for checking CAA records fail to distinguish between NOERROR and SERVFAIL responses.
I don’t yet have the bandwidth to reliably host something myself (my servers are temporarily running out of my home for now until I can get them moved back into a datacenter - my last one jacked up prices. ) but I’ll try and write my own web-based one instead of making it a Python script to distribute that someone could put…somewhere.
I’m gonna be honest, that’s not a simple view that would help anyone Schoen’s targeting with this idea. In fact, it took me a while to even find the hidden option to make it query CAA. When I select this option, I still don’t see CAA responses in the result.
I noticed that @jsha happened to announce his tester right at the same time that I was asking this question. Unfortunately, I don’t believe that that tester provides a clear and concise enough summary for very inexperienced users to use it as their first-pass diagnostic tool. The cases that that tester will find are rather subtle and the process of interpreting them is also rather subtle. Since I’m really thinking of advocating using testing tools as a first pass before posting on the forum at all, I think what I would suggest would be a tool that does a lot more interpretation on the user’s behalf.
I think the target audience for @jsha’s tool is relatively sophisticated network administrators who have a good general understanding of DNS (like some of the people on the recent CAA threads!).
I am writing a pre-flights python script that will check a domain and make suggestions for the user based on a domain discovery. (you shared common issue with mean a few months back)
The idea would be that users can run the script and it will have an obfuscate function as well so they can share the output and everyone can standardize troubleshooting
Unfortunately if users aren’t technical enough to understand how DNS works then my feeling is that most of the tools mentioned would be of limited use (in my humble opinion) as they tend to spit out technical results.
FWIW, I've been meaning to set up this tool for the use of beginner users debugging "it works for me"-style DNS errors, but since the problem that finally spurred me to do it was being debugged by relatively sophisticated admins, that's who I wound up having in mind when I wrote the verbiage. I would definitely welcome a pull request to make the tool more broadly understandable!
IMHO, the only DNS checker that’s going to make sense for Let’s Encrypt is going to be one that’s maintained by Let’s Encrypt, or by someone who is in close consultation with Let’s Encrypt and able to change in sync with changes Let’s Encrypt makes. Subtle nuances in how Let’s Encrypt handles DNS lookups can clearly have outsized impacts on the results; expecting a third-party checker that doesn’t take into account Let’s Encrypt’s specific circumstances to provide reliable results in the long term seems doomed to failure to me.
For example, let’s look at how CAA has been rolled out. Up to a week ago, CAA SERVFAILs were no big thing – they were ignored. If a DNS checker said “WHOOP! WHOOP! Your CAA records are failing!”, that would have confused people because their certificates were being issued Just Fine. So a Let’s Encrypt-“compatible” DNS checker should have been, at most, mildly dissuading of a CAA SERVFAIL. Then, a week ago, the situation changed, and the reverse is now true – a Let’s Encrypt-“compatible” DNS checker should have been waving the red flag about the same situation. Unless this Let’s Encrypt-“compatible” DNS checker was aware of (and cared enough about) these changes in Let’s Encrypt, they wouldn’t have made the appropriate change at the appropriate moment, and they’d be giving bad advice. This is why I say that any Let’s Encrypt-recommended DNS checker really needs to be built and maintained in very close collaboration with the Let’s Encrypt engineering team, preferably with heads-up of any changes which could conceivably have an impact on DNS.
I’m not sure that a motivated third-party with an inside line on upcoming changes is even enough, though. Take this PowerDNS bug that’s causing a bit of heartburn – it only appears because LE is using a fairly obscure security-oriented configuration option (so-called “0x20 bit”). I’m sure there are a bunch of other things that Let’s Encrypt are doing behind the scenes, for all manner of very good reasons, that nobody outside knows about, and I’d say it’s unlikely that a third-party DNS checker is going to get all of the knobs in exactly the right places without being told exactly how Let’s Encrypt does DNS checking – a level of detail which I doubt is achievable by anything other than access to the infrastructure, or at least the complete configuration management system data to build it. Maybe a third-party could be trusted with all that, but I don’t think there’s too many people who are both (a) sufficiently trustworthy to be given that level of access, and (b) have enough spare time to be able to reverse-engineer the Let’s Encrypt resolution environment and build and maintain such a system – and I can’t imagine such a service gaining enough revenue or donations to be able to pay someone to do all that.
Thus, at the end of the day, I think that if Let’s Encrypt wants a DNS checker that’s anything more than either “one of these seven services might give you a hint” or “this thing over here works sometimes, but gives false (positives|negatives) in this list of cases”, Let’s Encrypt is going to have to build it – or at least fund it (which amounts to essentially the same thing).
Thanks for that analysis, @mpalmer. I think you’re probably right.
I would still love to have something to suggest as an interim measure because, especially for DNSSEC, I have definitely seen third-party testers resolve a significant number of people’s problems. But I’ll have to recognize that it’s kind of a stop-gap.
Since @jsha’s new site uses the same resolver codebase as Let’s Encrypt, I think it would be an clear choice as a future basis for a tool that does more analysis for people.
Yes, @jsha’s tool is definitely the sort of thing that’s a step in the right direction. It’s not at that “point everyone at it, support requests drop by 50%” stage (yet?), but insofar as it gives more “right” answers than anything else is likely to, it’s very valuable to that subset of the community that’s able to interpret the results.
Whoops! Should have been more specific. I know it exists for Windows, but appeared that you needed to install Bind. Am I to interpret that it’s included in the download without install? Or at worst, after a simple install (no Cygwin or anything.) Never tried putting Bind on Windows.
That was an argument I made earlier on. Almost every DNS tool is fairly technical in nature so it’s hard to make it user friendly without educating the user first.
I don’t believe that you will ever see a 50% reduction in people writing help posts. i have seen cases where 3 people wrote the about the same problem one after the other.
CAA records are now more important as CAs will be required to check them from September 2017. As they were optional in the past I think its more a matter of DNS server writers ironing out the kinks. This is no different when IPV6 first started appearing and network vendors had to patch code.
I think it happens that CAs will feel the majority of the brunt as they are the main consumers of this record type.
Single click to secure your website using best practices
Create custom templates that can be saved and run on multiple servers
Stop DROWN, logjam, FREAK, POODLE and BEAST attacks
Disable weak protocols and ciphers such as SSL 2.0, 3.0 and MD5
Enable TLS 1.1 and 1.2
Enable forward secrecy
Reorder cipher suites
Built in Best Practices, PCI, PCI 3.1 and FIPS 140-2 templates
Site scanner to test your configuration
Command line version
Finally, to answer you specifically regarding DNS .
You are correct… it can be fetched from the portable binary zipped x86 or x64 release.
All the small utilities are there, which can come in handy for when working on Windows (this horrible laptop from work) :
dig, mdig, arpaname, delv, the dnssec- & nsec-utilities etc.
Next to these binaries there’s actually also a setup of the BIND-server itself included, but I always assumed up til now, that was more like an inside joke. Right ? Yeh has to be
) but I’ll try and write my own web-based one instead of making it a Python script to distribute that someone could put…somewhere.
