I’m in the process of migrating our old nameservers to new ones running PowerDNS (4.3.0), primarily in order to support DNSSEC for our customers. Everything seemed fine until I noticed that the certificate wasn’t working on one of the domains I use during testing.
I’ve been able to boil it down to sub-domains that are not created explicitly in the nameserver, but only have a wildcard A-record, and only domains where DNSSEC is active.
For example these A-records:
dev-site.dk 1.2.3.4
abc.dev-site.dk 1.2.3.4
*.dev-site.dk 1.2.3.4
I can get a certificate for dev-site.dk and abc.dev-site.dk. But for www.dev-site.dk or any.dev-site.dk it fails with:
DNS problem: query timed out looking up CAA for any.dev-site.dk
I see that PowerDNS has previously had issues connected to DNSSEC and CAA-records, but from the posts I’ve found these issues have all been resolved(?)
I’ve run out of ideas on how to troubleshoot / solve this. Please help.
My domain is:
dev-site.dk
abc.dev-site.dk < Exists explicitly in NS
www.dev-site.dk < Does not exist in NS, but a wildcard-subdomain points it to same server as dev-site.dk and abc.dev-site.dk
I ran this command:
certbot certonly -a webroot --non-interactive --agree-tos --manual-public-ip-logging-ok --email {actual@email.here} --expand -w /var/www/letsencrypt.tmp -d 'www.dev-site.dk'
It produced this output:
An unexpected error occurred:
Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: While processing CAA for www.dev-site.dk: DNS problem: query timed out looking up CAA for www.dev-site.dk
My web server is (include version):
Apache 2.4.43
The operating system my web server runs on is (include version):
CentOS 7
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
1.6.0-1.el7 (latest in CentOS repos)
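
An added example, not part of the original post: a model of the CAA check a CA performs per RFC 8659 (climb from the requested name toward the root, use the first non-empty CAA RRset, and refuse issuance when any lookup fails), showing why a timeout on the wildcard-covered name blocks the certificate while the explicit name passes. The resolver responses are constructed to mirror the symptom described above; the CAA record at dev-site.dk and the CA identifier `letsencrypt.org` are assumptions.

```python
# Added example: RFC 8659 CAA tree climbing with fail-closed lookups.
class CAATimeout(Exception):
    """The resolver got no answer for a CAA query."""

TIMEOUT = object()  # marker: the query for this name never returns

# Constructed responses: name -> [(flags, tag, value)] or TIMEOUT.
# Unlisted names answer NOERROR/NODATA (empty RRset).
RESPONSES = {
    "dev-site.dk": [(0, "issue", "letsencrypt.org")],  # assumed CAA record
    "abc.dev-site.dk": [],       # explicit name, clean NODATA
    "www.dev-site.dk": TIMEOUT,  # wildcard-covered name, as in the post
}

def query_caa(name):
    answer = RESPONSES.get(name, [])
    if answer is TIMEOUT:
        raise CAATimeout(name)
    return answer

def relevant_rrset(fqdn, resolver=query_caa):
    """Climb from fqdn toward the root; return the first non-empty RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = resolver(name)  # a timeout propagates; no level is skipped
        if rrset:
            return name, rrset
    return None, []

def may_issue(fqdn, ca="letsencrypt.org", resolver=query_caa):
    """Return (allowed, reason) for a non-wildcard certificate name."""
    try:
        found_at, rrset = relevant_rrset(fqdn, resolver)
    except CAATimeout as exc:
        return False, f"query timed out looking up CAA for {exc}"
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 0x80 and tag.lower() not in known for flags, tag, _ in rrset):
        return False, f"unknown critical property at {found_at}"
    issuers = [value.split(";")[0].strip().lower()
               for _, tag, value in rrset if tag.lower() == "issue"]
    if not issuers:
        return True, "no issue property restricts issuance"
    if ca in issuers:
        return True, f"{ca} authorized at {found_at}"
    return False, f"{ca} not authorized at {found_at}"

if __name__ == "__main__":
    for host in ("dev-site.dk", "abc.dev-site.dk", "www.dev-site.dk"):
        print(host, may_issue(host))
```

The check never reaches the parent zone's CAA record for www.dev-site.dk, because the failed lookup at the first level is itself the refusal.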