DNS lookup may fail if response has differing case #1112

Closed
jsha opened this issue Nov 8, 2015 · 5 comments

@jsha
Contributor

jsha commented Nov 8, 2015

At https://community.letsencrypt.org/t/the-server-could-not-resolve-a-domain-name/3142/4, mf_bin reports getting unknownHost :: The server could not resolve a domain name :: No IPv4 addresses found for www.leinwand-bilder.com.

They note that the response for that domain is capitalized:

nslookup www.leinwand-bilder.com1 ns2.core-networks.eu
Server: ns2.core-networks.eu
Address: 78.111.72.98#53

Name: www.LEINWAND-BILDER.COM
Address: 82.211.34.132

It's possible that our DNS code doesn't handle responses whose case doesn't match the case of the question. I can reproduce the issue locally: my Boulder instance gives the same error for that domain if I point Boulder at real DNS instead of the local test DNS.

@billzhong

I am having the same issue: unknownHost :: The server could not resolve a domain name :: No IPv4 addresses found for "my domain"

@jsha
Contributor Author

jsha commented Nov 9, 2015

@billzhong: does your domain also have uppercase characters in it when you run nslookup? It would help us debug if you'd post the actual name of your domain. Thanks!

@vfontes

vfontes commented Jan 12, 2016

I'm also having the same issue:

Press ENTER to continue
Failed authorization procedure. radius.canall.com.br (http-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No IPv4 addresses found for radius.canall.com.br

IMPORTANT NOTES:
 - The following 'urn:acme:error:unknownHost' errors were reported by
   the server:

   Domains: radius.canall.com.br
   Error: The server could not resolve a domain name

However, I can resolve the host name without issues on any DNS server:

root@radius:/usr/src/letsencrypt# dig @8.8.8.8 radius.canall.com.br

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @8.8.8.8 radius.canall.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42159
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;radius.canall.com.br.      IN  A

;; ANSWER SECTION:
radius.canall.com.br.   299 IN  A   172.16.1.8

;; Query time: 141 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jan 12 21:57:19 2016
;; MSG SIZE  rcvd: 54

@jsha
Contributor Author

jsha commented Jan 13, 2016

We use unbound for DNS, which uses query capitalization to add additional bits of query entropy, improving resistance to DNS spoofing. That is often the cause of issues like this one, where we fail to resolve a name that resolves with dig. However, I checked radius.canall.com.br, and it appears to copy over the capitalization, so that's not the issue. I will continue to think about this. Thanks for reporting!
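
The query-capitalization check described in the comment above, sketched as an added example (not code from this thread, from Boulder, or from unbound). It assumes a resolver that strictly requires the response to echo the question's case; `Encode0x20`, `Classify` and the seed parameter are hypothetical names, and the domain names are the ones quoted in the thread.

```go
package main

import (
	"fmt"
	"math/rand"
	"strings"
)

// Encode0x20 flips the case bit (0x20) of each ASCII letter at random and
// returns the mixed-case name plus the number of random bits it carries.
// The seed keeps this example reproducible; a resolver would draw the
// bits from a cryptographic random source.
func Encode0x20(name string, seed int64) (string, int) {
	rng := rand.New(rand.NewSource(seed))
	b, bits := []byte(name), 0
	for i, c := range b {
		if l := c | 0x20; l >= 'a' && l <= 'z' {
			bits++
			if rng.Intn(2) == 1 {
				b[i] = c ^ 0x20
			}
		}
	}
	return string(b), bits
}

// Classify compares the name sent in the question with the name echoed in
// the response, the way a strict case-validating resolver would (assumed).
func Classify(sent, echoed string) string {
	switch {
	case sent == echoed:
		return "accept" // case echoed bit for bit
	case strings.EqualFold(sent, echoed): // ASCII names assumed
		return "case-mismatch" // right name, but the case was rewritten
	default:
		return "name-mismatch"
	}
}

func main() {
	// Names taken from the thread; the mixed-case query is generated here.
	q, bits := Encode0x20("www.leinwand-bilder.com", 1)
	fmt.Println(q, bits, "bits")
	fmt.Println(Classify(q, q))                         // server echoes the case
	fmt.Println(Classify(q, "www.LEINWAND-BILDER.COM")) // server rewrites the case
}
```

A name server that returns the name in its own capitalization lands in the `case-mismatch` branch, which is why a lookup can fail on the validating resolver while a lowercase `dig` or `nslookup` query succeeds.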

@vfontes

vfontes commented Jan 13, 2016

While you check on this, is there a workaround that would allow me to get this certificate?
