Yet another CAA SERVFAIL issue


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
majchrowski.waw.pl, majchrowska.waw.pl, majherek.pl, infomat.waw.pl

I ran this command:
sudo certbot certonly --renew-by-default --apache --cert-name mail.majchrowski.waw.pl --rsa-key-size 4096 -d mail.majchrowski.waw.pl -d www.majchrowski.waw.pl -d smtp.majchrowski.waw.pl -d imap.majchrowski.waw.pl -d ftp.majchrowski.waw.pl -d pop3.majchrowski.waw.pl -d kwitnaca.majchrowski.waw.pl -d k.majchrowski.waw.pl -d mail.majchrowska.waw.pl -d www.majchrowska.waw.pl -d smtp.majchrowska.waw.pl -d imap.majchrowska.waw.pl -d ftp.majchrowska.waw.pl -d pop3.majchrowska.waw.pl -d kwitnaca.majchrowska.waw.pl -d k.majchrowska.waw.pl -d www.majherek.pl -d www.infomat.waw.pl -d nextcloud.majchrowski.waw.pl --agree-tos

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ftp.majchrowska.waw.pl
http-01 challenge for ftp.majchrowski.waw.pl
http-01 challenge for imap.majchrowska.waw.pl
http-01 challenge for imap.majchrowski.waw.pl
http-01 challenge for k.majchrowska.waw.pl
http-01 challenge for k.majchrowski.waw.pl
http-01 challenge for kwitnaca.majchrowska.waw.pl
http-01 challenge for kwitnaca.majchrowski.waw.pl
http-01 challenge for mail.majchrowska.waw.pl
http-01 challenge for mail.majchrowski.waw.pl
http-01 challenge for nextcloud.majchrowski.waw.pl
http-01 challenge for pop3.majchrowska.waw.pl
http-01 challenge for pop3.majchrowski.waw.pl
http-01 challenge for smtp.majchrowska.waw.pl
http-01 challenge for smtp.majchrowski.waw.pl
http-01 challenge for www.infomat.waw.pl
http-01 challenge for www.majchrowska.waw.pl
http-01 challenge for www.majchrowski.waw.pl
http-01 challenge for www.majherek.pl
Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
Error finalizing order :: Rechecking CAA: While processing CAA for kwitnaca.majchrowska.waw.pl: DNS problem: SERVFAIL looking up CAA for majchrowska.waw.pl, While processing CAA for www.infomat.waw.pl: DNS problem: SERVFAIL looking up CAA for infomat.waw.pl, While processing CAA for k.majchrowska.waw.pl: DNS problem: SERVFAIL looking up CAA for majchrowska.waw.pl, While processing CAA for pop3.majchrowska.waw.pl: DNS problem: SERVFAIL looking up CAA for majchrowska.waw.pl, While processing CAA for imap.majchrowska.waw.pl: DNS problem: SERVFAIL looking up CAA for imap.majchrowska.waw.pl, While processing CAA for imap.majchrowski.waw.pl: DNS problem: SERVFAIL looking up CAA for imap.majchrowski.waw.pl, While processing CAA for smtp.majchrowski.waw.pl: DNS problem: SERVFAIL looking up CAA for smtp.majchrowski.waw.pl, While processing CAA for k.majchrowski.waw.pl: DNS problem: SERVFAIL looking up CAA for k.majchrowski.waw.pl, While processing CAA for kwitnaca.majchrowski.waw.pl: DNS problem: SERVFAIL looking up CAA for kwitnaca.majchrowski.waw.pl, While processing CAA for www.majchrowski.waw.pl: DNS problem: SERVFAIL looking up CAA for www.majchrowski.waw.pl, While processing CAA for mail.majchrowski.waw.pl: DNS problem: SERVFAIL looking up CAA for mail.majchrowski.waw.pl, While processing CAA for nextcloud.majchrowski.waw.pl: DNS problem: SERVFAIL looking up CAA for nextcloud.majchrowski.waw.pl, While processing CAA for pop3.majchrowski.waw.pl: DNS problem: SERVFAIL looking up CAA for pop3.majchrowski.waw.pl, While processing CAA for ftp.majchrowski.waw.pl: DNS problem: SERVFAIL looking up CAA for ftp.majchrowski.waw.pl
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
ii apache2 2.4.25-3+deb9u6 amd64 Apache HTTP Server

The operating system my web server runs on is (include version):
$ cat /etc/debian_version
9.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
$ certbot --version
certbot 0.28.0

But:
Once the response is SERVFAIL
;; opcode: QUERY, status: SERVFAIL, id: 56335
https://unboundtest.com/m/CAA/nextcloud.majchrowski.waw.pl/Z25JC4VG

Once the response is NOERROR
;; opcode: QUERY, status: NOERROR, id: 42789
https://unboundtest.com/m/CAA/nextcloud.majchrowski.waw.pl/W7E54ACT

Why? What can I do to renew my cert? If I use the DNS plugin, will it be OK?


Widespread SERVFAIL problem related to DNS 0x20
#2

No. Let’s Encrypt has to check CAA regardless of which validation method you use.

The DNS resolver is unhappy with pl or waw.pl. It seems one or more of their DNS servers doesn’t support random capitalization – which is valid, but not what Let’s Encrypt wants.

I can’t figure out which response isn’t capitalized.

In response to this, the resolver goes into a fallback mode, where it sends the same query to different nameservers and compares the responses. This is unsuccessful, because pl and waw.pl use partially overlapping groups of nameservers, so they have legitimately different responses to some queries.

🔒  pl.      85771  NS  a-dns.pl.
🔒  pl.      85771  NS  b-dns.pl.
🔒  pl.      85771  NS  c-dns.pl.
🔒  pl.      85771  NS  d-dns.pl.
🔒  pl.      85771  NS  e-dns.pl.
🔒  pl.      85771  NS  f-dns.pl.
🔒  pl.      85771  NS  g-dns.pl.
🔒  pl.      85771  NS  h-dns.pl.
🔒  pl.      85771  NS  i-dns.pl.
🔒  waw.pl.  85857  NS  a-dns.pl.
🔒  waw.pl.  85857  NS  b-dns.pl.
🔒  waw.pl.  85857  NS  e-dns.pl.
🔒  waw.pl.  85857  NS  f-dns.pl.
🔒  waw.pl.  85857  NS  h-dns.pl.

$ dig +bufsize=512 +dnssec +ignore +norecurse @194.0.1.2 Nextcloud.majchrowski.waw.pl caa

; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> +bufsize +dnssec +ignore +norecurse @194.0.1.2 Nextcloud.majchrowski.waw.pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58464
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.majchrowski.waw.pl.  IN      CAA

;; AUTHORITY SECTION:
majchrowski.waw.pl.     86400   IN      NS      dns1.majchrowski.waw.pl.
majchrowski.waw.pl.     86400   IN      NS      dns3.majchrowski.waw.pl.

;; Query time: 124 msec
;; SERVER: 194.0.1.2#53(194.0.1.2)
;; WHEN: Wed Jan 23 10:32:32 UTC 2019
;; MSG SIZE  rcvd: 95

$ dig +bufsize=512 +dnssec +ignore +nocookie +norecurse @156.154.100.15 Nextcloud.majchrowski.waw.pl caa

; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> +bufsize +dnssec +ignore +nocookie +norecurse @156.154.100.15 Nextcloud.majchrowski.waw.pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29298
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.majchrowski.waw.pl.  IN      CAA

;; AUTHORITY SECTION:
waw.pl.                 86400   IN      NS      a-dns.pl.
waw.pl.                 86400   IN      NS      f-dns.pl.
waw.pl.                 86400   IN      NS      b-dns.pl.
waw.pl.                 86400   IN      NS      e-dns.pl.
waw.pl.                 86400   IN      NS      h-dns.pl.
waw.pl.                 86400   IN      DS      21775 8 2 D92FE9D8AC19F0660FADAB4DDAC2149F831413DF702EA5E0E7141153 1E97F0BE
waw.pl.                 86400   IN      DS      21775 8 1 370ACF23A5D6D518D9E80381E2E2A239217E6B50
waw.pl.                 86400   IN      RRSIG   DS 8 2 86400 20190221120000 20190122120000 54420 pl. G1ZknMk9z9Und+TisyMyBqwZxtwsLfD7Zgtj0Nx6DyU8+PH4nETXljp3 t/mDc3GHp5jvgSMlj66fva3YPN/kK7eIO121qPhCXXvqO/apItbi13Nv 8Pqf76y80AXTu8MTIAKkBGOaX5NJd2fc+MQQJJ2oDHNutmN3j37BzdmO 6pk=

;; ADDITIONAL SECTION:
a-dns.pl.               86400   IN      A       194.181.87.156
b-dns.pl.               86400   IN      A       192.195.72.53
e-dns.pl.               86400   IN      A       46.28.245.82
f-dns.pl.               86400   IN      A       77.79.212.238
h-dns.pl.               86400   IN      A       194.0.1.2
a-dns.pl.               86400   IN      AAAA    2001:a10:121:1::156

;; Query time: 1 msec
;; SERVER: 156.154.100.15#53(156.154.100.15)
;; WHEN: Wed Jan 23 10:32:46 UTC 2019
;; MSG SIZE  rcvd: 511

It succeeds or fails depending on which servers the resolver has the luck to query.

It would be nice if the TLD changed their nameservers, but trying to get them to probably wouldn’t be easy.

Let’s Encrypt doesn’t want to turn off random capitalization.

You might have better luck if you maintain more certificates with fewer names each. But it’s a problem.


#3

Well, according to Unbound’s serviced_check_qname where it compares parts of a label:

d1: 107 119 105 116 110 97 99 97
d2: 75  87  73  116 78  97 99 65
[1548241566] libunbound[7212:0] info: wrong 0x20-ID in reply qname
[1548241566] libunbound[7212:0] info: from server 194.0.1.2 port 53

which is:

d1: kwitnaca
d2: KWItNacA

and other times:

d1: 112 108
d2: 80  76

(which is just different cases of pl).

And I can confirm seeing at least one of those cases on the wire.

I have a capture where a query went out for i-dns.PL IN AAAA and got a response qname of i-dns.pl IN AAAA.

Really weird, since it returns the correct caps most of the time …

But for some reason Unbound sent out that i-dns.pl query twice, so maybe some TCP shenanigans are going on there … (though neither response had the right caps)

kwit.pcap (86.8 KB)

You can use this display filter to find the caps-failing exchange:

lower(dns.qry.name) == "i-dns.pl" && ip.addr == 194.0.1.2
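The mechanism the two replies above describe, as an added illustration that is not code from this thread, from Unbound or from Let's Encrypt: a minimal DNS wire-format encoder, a query whose label case is randomized (DNS 0x20), a byte-exact qname comparison in the spirit of the serviced_check_qname log quoted above, and the fallback step in which the resolver re-queries every server without 0x20 and demands identical answers. The servers are constructed toys: four of them echo the question unchanged and return the waw.pl referral, while a fifth, standing in for h-dns.pl, rewrites the question name in lowercase and, because it also serves waw.pl, returns the deeper majchrowski.waw.pl referral. The server names are the ones on the page; the case-folding behaviour and the exact fallback policy are simplifying assumptions of this model, not a description of Unbound's code. Which server the resolver happens to ask first decides between NOERROR and SERVFAIL, which is the luck-of-the-draw behaviour the thread reports.

```python
import random
import struct

NS, CAA = 2, 257  # RR type codes


def encode_name(name):
    """Dotted name -> DNS label wire format (no compression), case preserved."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name at offset; return (dotted name, end offset)."""
    labels = []
    while msg[offset] != 0:
        n = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ".".join(labels) + ".", offset + 1


def encode_rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def randomize_case(qname, rng):
    """DNS 0x20: give every ASCII letter of the qname a random case."""
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in qname)


def build_query(qname, qtype, txid):
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # RD=0: iterative query
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def check_0x20(query, reply):
    """Byte-exact comparison of the sent and echoed qname (the d1/d2 check)."""
    sent, qend = decode_name(query, 12)
    got, rend = decode_name(reply, 12)
    return query[12:qend] == reply[12:rend], sent, got


def after_question(reply):
    """Everything past the question section: what the fallback compares."""
    _, qend = decode_name(reply, 12)
    return reply[qend + 4:]


class AuthServer:
    """Constructed toy authoritative server: every query gets a referral to
    zone's name servers. preserves_case=False models a server that rewrites
    the echoed question name in lowercase (an assumption of this model)."""

    def __init__(self, name, zone, ns_names, preserves_case=True):
        self.name, self.zone, self.ns_names = name, zone, ns_names
        self.preserves_case = preserves_case

    def handle(self, query):
        qname, qend = decode_name(query, 12)
        qtype_class = query[qend:qend + 4]
        echoed = qname if self.preserves_case else qname.lower()
        authority = b"".join(encode_rr(self.zone, NS, 86400, encode_name(ns))
                             for ns in self.ns_names)
        header = query[:2] + struct.pack("!HHHHH", 0x8000, 1, 0, len(self.ns_names), 0)
        return header + encode_name(echoed) + qtype_class + authority


def resolve(qname, qtype, servers, first, rng):
    """Toy resolver step: 0x20 query to `first`; on a qname mismatch, fall back
    to plain queries against every server and demand identical answers."""
    txid = rng.randrange(1 << 16)
    q = build_query(randomize_case(qname, rng), qtype, txid)
    ok, _, _ = check_0x20(q, first.handle(q))
    if ok:
        return "NOERROR"
    plain = build_query(qname.lower(), qtype, txid)
    sections = {after_question(s.handle(plain)) for s in servers}
    return "NOERROR" if len(sections) == 1 else "SERVFAIL"


def run_demo(seed=0x20):
    """Outcome per first-contacted server for the constructed pl-like setup."""
    rng = random.Random(seed)  # fixed seed so the demo is reproducible
    waw = ["a-dns.pl.", "b-dns.pl.", "e-dns.pl.", "f-dns.pl.", "h-dns.pl."]
    servers = [AuthServer(n, "waw.pl.", waw) for n in waw[:-1]]
    # h-dns.pl also serves waw.pl, so it legitimately refers one level deeper;
    # it is modelled as case-folding because the thread saw lowercase replies from it
    servers.append(AuthServer("h-dns.pl.", "majchrowski.waw.pl.",
                              ["dns1.majchrowski.waw.pl.", "dns3.majchrowski.waw.pl."],
                              preserves_case=False))
    return {s.name: resolve("nextcloud.majchrowski.waw.pl.", CAA, servers, s, rng)
            for s in servers}


if __name__ == "__main__":
    for server, status in run_demo().items():
        print(f"first query to {server:<10} -> {status}")
```

The fallback only helps when every server would give the same answer; with two zones sharing part of one server set, the servers that also host the child zone answer one level deeper, so the comparison can never agree and the resolver returns SERVFAIL.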

#4

For me, b-dns.pl’s IPv6 address 2001:7f9:c::53 doesn’t respond.

I get caps from all of the servers that do respond, though. Usually truncated, but still.

$ mhost -bnqS pl | xargs mhost -q | xargs -I _ dig @_ +bufsize=512 +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa | awk '{print "    " $0}'

; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @194.181.87.156 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61301
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; Query time: 129 msec
;; SERVER: 194.181.87.156#53(194.181.87.156)
;; WHEN: Wed Jan 23 11:32:16 UTC 2019
;; MSG SIZE  rcvd: 57


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @2001:a10:121:1::156 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22617
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; Query time: 126 msec
;; SERVER: 2001:a10:121:1::156#53(2001:a10:121:1::156)
;; WHEN: Wed Jan 23 11:32:16 UTC 2019
;; MSG SIZE  rcvd: 57


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @192.195.72.53 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62792
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; Query time: 112 msec
;; SERVER: 192.195.72.53#53(192.195.72.53)
;; WHEN: Wed Jan 23 11:32:16 UTC 2019
;; MSG SIZE  rcvd: 57


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @2001:7f9:c::53 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @93.190.128.146 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17858
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; AUTHORITY SECTION:
Waw.Pl.			86400	IN	NS	a-dns.Pl.
Waw.Pl.			86400	IN	NS	b-dns.Pl.
Waw.Pl.			86400	IN	NS	e-dns.Pl.
Waw.Pl.			86400	IN	NS	f-dns.Pl.
Waw.Pl.			86400	IN	NS	h-dns.Pl.
Waw.Pl.			86400	IN	DS	21775 8 1 370ACF23A5D6D518D9E80381E2E2A239217E6B50
Waw.Pl.			86400	IN	DS	21775 8 2 D92FE9D8AC19F0660FADAB4DDAC2149F831413DF702EA5E0E7141153 1E97F0BE
Waw.Pl.			86400	IN	RRSIG	DS 8 2 86400 20190221120000 20190122120000 54420 pl. G1ZknMk9z9Und+TisyMyBqwZxtwsLfD7Zgtj0Nx6DyU8+PH4nETXljp3 t/mDc3GHp5jvgSMlj66fva3YPN/kK7eIO121qPhCXXvqO/apItbi13Nv 8Pqf76y80AXTu8MTIAKkBGOaX5NJd2fc+MQQJJ2oDHNutmN3j37BzdmO 6pk=

;; Query time: 114 msec
;; SERVER: 93.190.128.146#53(93.190.128.146)
;; WHEN: Wed Jan 23 11:32:31 UTC 2019
;; MSG SIZE  rcvd: 403


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @2a02:38:14::146 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14755
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; AUTHORITY SECTION:
Waw.Pl.			86400	IN	NS	a-dns.Pl.
Waw.Pl.			86400	IN	NS	b-dns.Pl.
Waw.Pl.			86400	IN	NS	e-dns.Pl.
Waw.Pl.			86400	IN	NS	f-dns.Pl.
Waw.Pl.			86400	IN	NS	h-dns.Pl.
Waw.Pl.			86400	IN	DS	21775 8 1 370ACF23A5D6D518D9E80381E2E2A239217E6B50
Waw.Pl.			86400	IN	DS	21775 8 2 D92FE9D8AC19F0660FADAB4DDAC2149F831413DF702EA5E0E7141153 1E97F0BE
Waw.Pl.			86400	IN	RRSIG	DS 8 2 86400 20190221120000 20190122120000 54420 pl. G1ZknMk9z9Und+TisyMyBqwZxtwsLfD7Zgtj0Nx6DyU8+PH4nETXljp3 t/mDc3GHp5jvgSMlj66fva3YPN/kK7eIO121qPhCXXvqO/apItbi13Nv 8Pqf76y80AXTu8MTIAKkBGOaX5NJd2fc+MQQJJ2oDHNutmN3j37BzdmO 6pk=

;; Query time: 121 msec
;; SERVER: 2a02:38:14::146#53(2a02:38:14::146)
;; WHEN: Wed Jan 23 11:32:31 UTC 2019
;; MSG SIZE  rcvd: 403


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @81.15.133.186 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34873
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; AUTHORITY SECTION:
Waw.Pl.			86400	IN	NS	a-dns.Pl.
Waw.Pl.			86400	IN	NS	b-dns.Pl.
Waw.Pl.			86400	IN	NS	e-dns.Pl.
Waw.Pl.			86400	IN	NS	f-dns.Pl.
Waw.Pl.			86400	IN	NS	h-dns.Pl.
Waw.Pl.			86400	IN	DS	21775 8 1 370ACF23A5D6D518D9E80381E2E2A239217E6B50
Waw.Pl.			86400	IN	DS	21775 8 2 D92FE9D8AC19F0660FADAB4DDAC2149F831413DF702EA5E0E7141153 1E97F0BE
Waw.Pl.			86400	IN	RRSIG	DS 8 2 86400 20190221120000 20190122120000 54420 pl. G1ZknMk9z9Und+TisyMyBqwZxtwsLfD7Zgtj0Nx6DyU8+PH4nETXljp3 t/mDc3GHp5jvgSMlj66fva3YPN/kK7eIO121qPhCXXvqO/apItbi13Nv 8Pqf76y80AXTu8MTIAKkBGOaX5NJd2fc+MQQJJ2oDHNutmN3j37BzdmO 6pk=

;; Query time: 135 msec
;; SERVER: 81.15.133.186#53(81.15.133.186)
;; WHEN: Wed Jan 23 11:32:32 UTC 2019
;; MSG SIZE  rcvd: 403


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @2a00:4120:8000:2::186 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52704
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; AUTHORITY SECTION:
Waw.Pl.			86400	IN	NS	a-dns.Pl.
Waw.Pl.			86400	IN	NS	b-dns.Pl.
Waw.Pl.			86400	IN	NS	e-dns.Pl.
Waw.Pl.			86400	IN	NS	f-dns.Pl.
Waw.Pl.			86400	IN	NS	h-dns.Pl.
Waw.Pl.			86400	IN	DS	21775 8 1 370ACF23A5D6D518D9E80381E2E2A239217E6B50
Waw.Pl.			86400	IN	DS	21775 8 2 D92FE9D8AC19F0660FADAB4DDAC2149F831413DF702EA5E0E7141153 1E97F0BE
Waw.Pl.			86400	IN	RRSIG	DS 8 2 86400 20190221120000 20190122120000 54420 pl. G1ZknMk9z9Und+TisyMyBqwZxtwsLfD7Zgtj0Nx6DyU8+PH4nETXljp3 t/mDc3GHp5jvgSMlj66fva3YPN/kK7eIO121qPhCXXvqO/apItbi13Nv 8Pqf76y80AXTu8MTIAKkBGOaX5NJd2fc+MQQJJ2oDHNutmN3j37BzdmO 6pk=

;; Query time: 140 msec
;; SERVER: 2a00:4120:8000:2::186#53(2a00:4120:8000:2::186)
;; WHEN: Wed Jan 23 11:32:32 UTC 2019
;; MSG SIZE  rcvd: 403


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @46.28.245.82 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18047
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; Query time: 125 msec
;; SERVER: 46.28.245.82#53(46.28.245.82)
;; WHEN: Wed Jan 23 11:32:32 UTC 2019
;; MSG SIZE  rcvd: 57


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @77.79.212.238 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33506
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; Query time: 128 msec
;; SERVER: 77.79.212.238#53(77.79.212.238)
;; WHEN: Wed Jan 23 11:32:32 UTC 2019
;; MSG SIZE  rcvd: 57


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @2001:1a68:0:17::238 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34885
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; Query time: 125 msec
;; SERVER: 2001:1a68:0:17::238#53(2001:1a68:0:17::238)
;; WHEN: Wed Jan 23 11:32:32 UTC 2019
;; MSG SIZE  rcvd: 57


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @149.156.1.252 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25164
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; AUTHORITY SECTION:
waw.pl.			86400	IN	NS	e-dns.pl.
waw.pl.			86400	IN	NS	h-dns.pl.
waw.pl.			86400	IN	NS	a-dns.pl.
waw.pl.			86400	IN	NS	b-dns.pl.
waw.pl.			86400	IN	NS	f-dns.pl.
waw.pl.			86400	IN	DS	21775 8 1 370ACF23A5D6D518D9E80381E2E2A239217E6B50
waw.pl.			86400	IN	DS	21775 8 2 D92FE9D8AC19F0660FADAB4DDAC2149F831413DF702EA5E0E7141153 1E97F0BE
waw.pl.			86400	IN	RRSIG	DS 8 2 86400 20190221120000 20190122120000 54420 pl. G1ZknMk9z9Und+TisyMyBqwZxtwsLfD7Zgtj0Nx6DyU8+PH4nETXljp3 t/mDc3GHp5jvgSMlj66fva3YPN/kK7eIO121qPhCXXvqO/apItbi13Nv 8Pqf76y80AXTu8MTIAKkBGOaX5NJd2fc+MQQJJ2oDHNutmN3j37BzdmO 6pk=

;; ADDITIONAL SECTION:
a-dns.pl.		86400	IN	A	194.181.87.156
b-dns.pl.		86400	IN	A	192.195.72.53
e-dns.pl.		86400	IN	A	46.28.245.82
f-dns.pl.		86400	IN	A	77.79.212.238
h-dns.pl.		86400	IN	A	194.0.1.2

;; Query time: 131 msec
;; SERVER: 149.156.1.252#53(149.156.1.252)
;; WHEN: Wed Jan 23 11:32:32 UTC 2019
;; MSG SIZE  rcvd: 489


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @2001:6d8:1001:1::252 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39631
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; AUTHORITY SECTION:
waw.pl.			86400	IN	NS	b-dns.pl.
waw.pl.			86400	IN	NS	a-dns.pl.
waw.pl.			86400	IN	NS	e-dns.pl.
waw.pl.			86400	IN	NS	h-dns.pl.
waw.pl.			86400	IN	NS	f-dns.pl.
waw.pl.			86400	IN	DS	21775 8 1 370ACF23A5D6D518D9E80381E2E2A239217E6B50
waw.pl.			86400	IN	DS	21775 8 2 D92FE9D8AC19F0660FADAB4DDAC2149F831413DF702EA5E0E7141153 1E97F0BE
waw.pl.			86400	IN	RRSIG	DS 8 2 86400 20190221120000 20190122120000 54420 pl. G1ZknMk9z9Und+TisyMyBqwZxtwsLfD7Zgtj0Nx6DyU8+PH4nETXljp3 t/mDc3GHp5jvgSMlj66fva3YPN/kK7eIO121qPhCXXvqO/apItbi13Nv 8Pqf76y80AXTu8MTIAKkBGOaX5NJd2fc+MQQJJ2oDHNutmN3j37BzdmO 6pk=

;; ADDITIONAL SECTION:
a-dns.pl.		86400	IN	AAAA	2001:a10:121:1::156
b-dns.pl.		86400	IN	AAAA	2001:7f9:c::53
f-dns.pl.		86400	IN	AAAA	2001:1a68:0:17::238

;; Query time: 127 msec
;; SERVER: 2001:6d8:1001:1::252#53(2001:6d8:1001:1::252)
;; WHEN: Wed Jan 23 11:32:32 UTC 2019
;; MSG SIZE  rcvd: 493


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @194.0.1.2 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59574
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; AUTHORITY SECTION:
Majchrowski.Waw.Pl.	86400	IN	NS	dns1.majchrowski.waw.pl.
Majchrowski.Waw.Pl.	86400	IN	NS	dns3.majchrowski.waw.pl.

;; Query time: 132 msec
;; SERVER: 194.0.1.2#53(194.0.1.2)
;; WHEN: Wed Jan 23 11:32:33 UTC 2019
;; MSG SIZE  rcvd: 113


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @2001:678:4::2 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45895
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; AUTHORITY SECTION:
Majchrowski.Waw.Pl.	86400	IN	NS	dns1.majchrowski.waw.pl.
Majchrowski.Waw.Pl.	86400	IN	NS	dns3.majchrowski.waw.pl.

;; Query time: 116 msec
;; SERVER: 2001:678:4::2#53(2001:678:4::2)
;; WHEN: Wed Jan 23 11:32:33 UTC 2019
;; MSG SIZE  rcvd: 113


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @156.154.100.15 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54505
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.	IN	CAA

;; AUTHORITY SECTION:
waw.pl.			86400	IN	NS	b-dns.pl.
waw.pl.			86400	IN	NS	f-dns.pl.
waw.pl.			86400	IN	NS	e-dns.pl.
waw.pl.			86400	IN	NS	a-dns.pl.
waw.pl.			86400	IN	NS	h-dns.pl.
waw.pl.			86400	IN	DS	21775 8 1 370ACF23A5D6D518D9E80381E2E2A239217E6B50
waw.pl.			86400	IN	DS	21775 8 2 D92FE9D8AC19F0660FADAB4DDAC2149F831413DF702EA5E0E7141153 1E97F0BE
waw.pl.			86400	IN	RRSIG	DS 8 2 86400 20190221120000 20190122120000 54420 pl. G1ZknMk9z9Und+TisyMyBqwZxtwsLfD7Zgtj0Nx6DyU8+PH4nETXljp3 t/mDc3GHp5jvgSMlj66fva3YPN/kK7eIO121qPhCXXvqO/apItbi13Nv 8Pqf76y80AXTu8MTIAKkBGOaX5NJd2fc+MQQJJ2oDHNutmN3j37BzdmO 6pk=

;; ADDITIONAL SECTION:
a-dns.pl.		86400	IN	A	194.181.87.156
b-dns.pl.		86400	IN	A	192.195.72.53
e-dns.pl.		86400	IN	A	46.28.245.82
f-dns.pl.		86400	IN	A	77.79.212.238
h-dns.pl.		86400	IN	A	194.0.1.2

;; Query time: 6 msec
;; SERVER: 156.154.100.15#53(156.154.100.15)
;; WHEN: Wed Jan 23 11:32:33 UTC 2019
;; MSG SIZE  rcvd: 489

Ah-ha, using TCP, h-dns.pl (194.0.1.2) responds in lowercase! What the heck.

; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @194.0.1.2 +bufsize +dnssec +ignore +nocookie +norecurse +tcp Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60639
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nextcloud.majchrowski.waw.pl.	IN	CAA

;; AUTHORITY SECTION:
majchrowski.waw.pl.	86400	IN	NS	dns1.majchrowski.waw.pl.
majchrowski.waw.pl.	86400	IN	NS	dns3.majchrowski.waw.pl.
uc3srqs3tp3g6aed84qi7jn2ek72c469.waw.pl. 3600 IN NSEC3 1 1 12 466053D429A715942C3F UCHLI08LQ00M1K6E7ICTVCSK21I4GR6D NS SOA RRSIG DNSKEY NSEC3PARAM
uc3srqs3tp3g6aed84qi7jn2ek72c469.waw.pl. 3600 IN RRSIG NSEC3 8 3 3600 20190221120000 20190122120000 7900 waw.pl. X9bNkgvwzVH8UF/CKtgYBYIlm16RDSYI4XTW5AEjNJDl4zDsy0GE0fKG AiFVcAArR5/k3wukShFZHA3MWmPTtxMIQm2w6q2VS1OH1WMqjyLT7ZBM 5y1qtwUyh3hcW2j4u0RhPrKLMUXcouxk+IGyVstjB/tHI8PTUkHb+Ew7 +PA=
fidia5eopmev292qjf2hsc4e2jmn86u0.waw.pl. 3600 IN NSEC3 1 1 12 466053D429A715942C3F FKJ4H4DIKBUM3046LTF3RC8POBFOGJPS NS DS RRSIG
fidia5eopmev292qjf2hsc4e2jmn86u0.waw.pl. 3600 IN RRSIG NSEC3 8 3 3600 20190221120000 20190122120000 7900 waw.pl. Domptvqvks9GhmxYYVzuJdLnl5gisjPOvT3ubsju+Nd+n+K+CJF9pwMo sTKpmlpJEph6F3gXxq8NmLe7wQPIY8Y8l4c8pQB6QN3F8s11JzuVBkMO w70pietVTzPK8eIxSXg3UjHTMcwSzlT3pEnjvDJi8woHopgAH7gS26WG vAo=

;; ADDITIONAL SECTION:
dns3.majchrowski.waw.pl. 86400	IN	A	194.15.120.12
dns1.majchrowski.waw.pl. 86400	IN	A	82.177.154.177

;; Query time: 120 msec
;; SERVER: 194.0.1.2#53(194.0.1.2)
;; WHEN: Wed Jan 23 11:36:14 UTC 2019
;; MSG SIZE  rcvd: 686


; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @2001:678:4::2 +bufsize +dnssec +ignore +nocookie +norecurse +tcp Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5114
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nextcloud.majchrowski.waw.pl.	IN	CAA

;; AUTHORITY SECTION:
majchrowski.waw.pl.	86400	IN	NS	dns1.majchrowski.waw.pl.
majchrowski.waw.pl.	86400	IN	NS	dns3.majchrowski.waw.pl.
uc3srqs3tp3g6aed84qi7jn2ek72c469.waw.pl. 3600 IN NSEC3 1 1 12 466053D429A715942C3F UCHLI08LQ00M1K6E7ICTVCSK21I4GR6D NS SOA RRSIG DNSKEY NSEC3PARAM
uc3srqs3tp3g6aed84qi7jn2ek72c469.waw.pl. 3600 IN RRSIG NSEC3 8 3 3600 20190221120000 20190122120000 7900 waw.pl. X9bNkgvwzVH8UF/CKtgYBYIlm16RDSYI4XTW5AEjNJDl4zDsy0GE0fKG AiFVcAArR5/k3wukShFZHA3MWmPTtxMIQm2w6q2VS1OH1WMqjyLT7ZBM 5y1qtwUyh3hcW2j4u0RhPrKLMUXcouxk+IGyVstjB/tHI8PTUkHb+Ew7 +PA=
fidia5eopmev292qjf2hsc4e2jmn86u0.waw.pl. 3600 IN NSEC3 1 1 12 466053D429A715942C3F FKJ4H4DIKBUM3046LTF3RC8POBFOGJPS NS DS RRSIG
fidia5eopmev292qjf2hsc4e2jmn86u0.waw.pl. 3600 IN RRSIG NSEC3 8 3 3600 20190221120000 20190122120000 7900 waw.pl. Domptvqvks9GhmxYYVzuJdLnl5gisjPOvT3ubsju+Nd+n+K+CJF9pwMo sTKpmlpJEph6F3gXxq8NmLe7wQPIY8Y8l4c8pQB6QN3F8s11JzuVBkMO w70pietVTzPK8eIxSXg3UjHTMcwSzlT3pEnjvDJi8woHopgAH7gS26WG vAo=

;; ADDITIONAL SECTION:
dns3.majchrowski.waw.pl. 86400	IN	A	194.15.120.12
dns1.majchrowski.waw.pl. 86400	IN	A	82.177.154.177

;; Query time: 105 msec
;; SERVER: 2001:678:4::2#53(2001:678:4::2)
;; WHEN: Wed Jan 23 11:36:14 UTC 2019
;; MSG SIZE  rcvd: 686

P.s. half the time it took me to make this post was making mistakes, the post being twice the size the forum allows, my browser/OS having issues, and having to rewrite one line that was lost.

Edit: Hahaha, the line didn’t get lost. I just didn’t see it.
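An added helper, not part of the thread, that turns the dig loop in the post above into a repeatable audit: it splits a batch of dig transcripts (a constructed, trimmed sample in the format dig prints is embedded; it is not a real capture), pulls out the server, the name as it was sent and the name as it came back, and reports per server whether the question was echoed with the same case, whether the reply was truncated, and whether the query used TCP. The sample mirrors three outcomes the post shows: a case-preserving UDP reply with TC set, h-dns.pl answering in lowercase over TCP, and the IPv6 address that timed out.

```python
import re

# Constructed, trimmed sample in the format dig prints; it mirrors three of the
# outcomes seen in the thread and is not a real capture.
SAMPLE = """\
; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @194.181.87.156 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61301
;; flags: qr tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;Nextcloud.Majchrowski.Waw.Pl.\tIN\tCAA
;; SERVER: 194.181.87.156#53(194.181.87.156)

; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @2001:7f9:c::53 +bufsize +dnssec +ignore +nocookie +norecurse Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; connection timed out; no servers could be reached

; <<>> DiG 9.13.5-1+ubuntu16.04.1+deb.sury.org+2-Ubuntu <<>> @194.0.1.2 +bufsize +dnssec +ignore +nocookie +norecurse +tcp Nextcloud.Majchrowski.Waw.Pl caa
; (1 server found)
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60639
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 3
;; QUESTION SECTION:
;nextcloud.majchrowski.waw.pl.\tIN\tCAA
;; SERVER: 194.0.1.2#53(194.0.1.2)
"""


def split_transcripts(text):
    """One dig invocation per chunk, split on the '; <<>> DiG' banner line."""
    return [t for t in re.split(r"(?m)^(?=; <<>> DiG )", text) if t.strip()]


def audit_transcript(chunk):
    """Server, transport, reachability, TC flag and qname case check for one chunk."""
    args = chunk.splitlines()[0].split("<<>>")[-1].split()
    server = next(a[1:] for a in args if a.startswith("@"))
    sent = args[-2].rstrip(".") + "."  # dig prints the owner name with a trailing dot
    result = {"server": server, "tcp": "+tcp" in args, "reachable": True,
              "truncated": None, "same_name": None, "case_preserved": None}
    if "no servers could be reached" in chunk:
        result["reachable"] = False
        return result
    flags = re.search(r"(?m)^;; flags: ([^;]*);", chunk).group(1).split()
    echoed = re.search(r"(?m)^;; QUESTION SECTION:\n;(\S+)", chunk).group(1)
    result["truncated"] = "tc" in flags
    result["same_name"] = echoed.lower() == sent.lower()  # same owner, ignoring case
    result["case_preserved"] = echoed == sent             # byte-for-byte, what 0x20 needs
    return result


def audit(text):
    return [audit_transcript(c) for c in split_transcripts(text)]


def case_folding_servers(text):
    """Servers that answered but did not echo the query name's case."""
    return [r["server"] for r in audit(text) if r["reachable"] and not r["case_preserved"]]


def unreachable_servers(text):
    return [r["server"] for r in audit(text) if not r["reachable"]]


if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r)
```

Feed it the concatenated output of the same `dig` loop (UDP and `+tcp` runs both) and compare the two lists; a server that appears only in the TCP run's case-folding list is the kind of inconsistency the post stumbled on.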


#5

To sum up: everyone who has a domain under waw.pl is now unable to generate complex certificates with many alternative names …?


#6

That seems to be the case, yes.

There may be other similarly-configured second-level domains, too.


#7

edu.pl, gov.pl, mil.pl… They have a different number of servers than the NS for .pl.

Nice…


#8

More than waw.pl, though.


#9

I think every one in (at least):
https://www.dns.pl/lista_domen_regionalnych


#10

Hi,

I had an answer from NASK that they fixed the problem.

Dear Sir,

With reference to the message below, we kindly inform you that the problem has been resolved.

Yours sincerely
Anna Zaworska
DNS Customer Service Centre


This e-mail is property of NASK and may contain business secrets, confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail by mistake) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

----- On 24 Jan 2019 at 15:56, Info DNS <info@dns.pl> wrote:

> Dear Sir,
>
> Thank you for your report. Our specialists are analysing the problem. We will inform you when we have more information.
>
> Yours sincerely
> Bartosz Łachowski
> DNS Customer Service Centre
>
>
>
> This e-mail is property of NASK and may contain business secrets, confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail by mistake) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
>
>
>
>
> ----- On 23 Jan 2019 at 15:17, Marek Maj(c)herek Majchrowski <majherek@majherek.pl> wrote:
> > Good morning,
> >
> > I wanted to report a problem with generating Let's Encrypt certificates for the regional domains listed on the page: https://www.dns.pl/lista_domen_regionalnych
> > I reported the matter here: https://community.letsencrypt.org/t/yet-another-caa-servfail-issue/83737
> > Let's Encrypt has to check the CAA record regardless of which certificate validation method is used.
> > It looks like at least one of the DNS servers does not support random capitalization, which in itself is valid and which Let's Encrypt expects.
> > In response to this, the Let's Encrypt resolver goes into a fallback mode in which it sends the same query to different name servers and compares the responses. This fails because pl and [waw.pl](http://waw.pl/) use partially overlapping groups of name servers, so they legitimately have different responses to some queries.
> > It seems to me that I am not the only person having problems because of this, and it is apparently a configuration problem on NASK's side ([dns.pl](http://dns.pl/)).
> > Here is an example of checking the CAA records:
> >
> > Once the response is SERVFAIL
> > ;; opcode: QUERY, status: SERVFAIL, id: 56335
> > https://unboundtest.com/m/CAA/nextcloud.majchrowski.waw.pl/Z25JC4VG
> >
> > Once the response is NOERROR
> > ;; opcode: QUERY, status: NOERROR, id: 42789
> > https://unboundtest.com/m/CAA/nextcloud.majchrowski.waw.pl/W7E54ACT