Wildcard-records and dnssec

I’m in the process of migrating our old nameservers to new ones running powerdns (4.3.0), primarily in order to support DNSSEC for our customers. Everything seemed fine until I noticed that the certificate wasn’t working on one of the domains I use during testing.

I’ve been able to boil it down to sub-domains that are not created explicitly in the nameserver, but only has a wildcard A-record, and only domains where DNSSEC is active.

For example these A-records:

dev-site.dk 1.2.3.4
abc.dev-site.dk 1.2.3.4
*.dev-site.dk 1.2.3.4

I can get a certificate for dev-site.dk and abc.dev-site.dk. But for www.dev-site.dk or any.dev-site.dk it fails with:
DNS problem: query timed out looking up CAA for any.dev-site.dk

I see that powerdns has previously had issues connected to DNSSEC and CAA-records, but from the posts I’ve found these issues have all been resolved(?)

I’ve run out of ideas on how to troubleshoot / solve this. Please help :slight_smile:

My domain is:
dev-site.dk
abc.dev-site.dk < Exists explicitly in NS
www.dev-site.dk < Does not exist in NS, but a wildcard-subdomain points it to same server as dev-site.dk and abc.dev-site.dk

I ran this command:
certbot certonly -a webroot --non-interactive --agree-tos --manual-public-ip-logging-ok --email {actual@email.here} --expand -w /var/www/letsencrypt.tmp -d ‘www.dev-site.dk’

It produced this output:
An unexpected error occurred:
Certification Authority Authorization (CAA) records forbid the CA from issuing a certificate :: Error finalizing order :: While processing CAA for www.dev-site.dk: DNS problem: query timed out looking up CAA for www.dev-site.dk

My web server is (include version):
Apache 2.4.43

The operating system my web server runs on is (include version):
Centos 7

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
1.6.0-1.el7 (latest in centos repos)

2 Likes

Hi @Mikkel

is really dev-site.dk your site? If yes, your configuration is wrong - see https://check-your-website.server-daten.de/?q=dev-site.dk

X Fatal error: Nameserver doesn’t support TCP connection: ns4.dns-123.net / 35.198.132.83: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns5.dns-123.net / 35.187.184.173: Timeout
X Fatal error: Nameserver doesn’t support TCP connection: ns6.dns-123.net / 35.228.54.1: Timeout

Authoritative name servers must support TCP, that’s a minimal requirement, see IANA:

https://www.iana.org/help/nameserver-requirements

Name server reachability

The name servers must answer DNS queries over both the UDP and TCP protocols on port 53.

Ok, it’s a limitation of my tool that DNSSEC requires TCP, so the DNSSEC is invalid. But the timeout of Letsencrypt is the same.

3 Likes

Wow… I feel kinda dumb now. There were several layers of firewall and one of them was blocking TCP.

Well, problem solved. Thank you :slight_smile:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.