Wildcard-records and dnssec

Help
1

I’m in the process of migrating our old nameservers to new ones running powerdns (4.3.0), primarily in order to support DNSSEC for our customers. Everything seemed fine until I noticed that the certificate wasn’t working on one of the domains I use during testing.

I’ve been able to boil it down to sub-domains that are not created explicitly in the nameserver, but only has a wildcard A-record, and only domains where DNSSEC is active.

For example these A-records:

dev-site.dk 1.2.3.4
abc.dev-site.dk 1.2.3.4
*.dev-site.dk 1.2.3.4

I can get a certificate for dev-site.dk and abc.dev-site.dk. But for www.dev-site.dk or any.dev-site.dk it fails with:
DNS problem: query timed out looking up CAA for any.dev-site.dk

I see that powerdns has previously had issues connected to DNSSEC and CAA-records, but from the posts I’ve found these issues have all been resolved(?)

I’ve run out of ideas on how to troubleshoot / solve this. Please help :slight_smile:

My domain is:
dev-site.dk
abc.dev-site.dk < Exists explicitly in NS
www.dev-site.dk < Does not exist in NS, but a wildcard-subdomain points it to same server as dev-site.dk and abc.dev-site.dk

I ran this command:
certbot certonly -a webroot --non-interactive --agree-tos --manual-public-ip-logging-ok --email {actual@email.here} --expand -w /var/www/letsencrypt.tmp -d ‘www.dev-site.dk’

It produced this output:
An unexpected error occurred:
Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: While processing CAA for www.dev-site.dk: DNS problem: query timed out looking up CAA for www.dev-site.dk

My web server is (include version):
Apache 2.4.43

The operating system my web server runs on is (include version):
Centos 7

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
1.6.0-1.el7 (latest in centos repos)

1 Like
2

Hi @Mikkel

is really dev-site.dk your site? If yes, your configuration is wrong - see https://check-your-website.server-daten.de/?q=dev-site.dk

X Fatal error: Nameserver doesn't support TCP connection: ns4.dns-123.net / 35.198.132.83: Timeout
X Fatal error: Nameserver doesn't support TCP connection: ns5.dns-123.net / 35.187.184.173: Timeout
X Fatal error: Nameserver doesn't support TCP connection: ns6.dns-123.net / 35.228.54.1: Timeout

Authoritative name servers must support TCP, that's a minimal requirement, see IANA:

https://www.iana.org/help/nameserver-requirements

Name server reachability

The name servers must answer DNS queries over both the UDP and TCP protocols on port 53.

Ok, it's a limitation of my tool that DNSSEC requires TCP, so the DNSSEC is invalid. But the timeout of Letsencrypt is the same.

2 Likes
3

Wow… I feel kinda dumb now. There were several layers of firewall and one of them was blocking TCP.

Well, problem solved. Thank you :slight_smile:

2 Likes
4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.