-
-
Notifications
You must be signed in to change notification settings - Fork 595
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SERVFAIL looking up A for subdomain.example.com (but worked before) #1411
Comments
Nothing has changed recently in our DNS resolution methods, looking at how my local Unbound resolver responds to a query for you domain it seems like your DNS server is returning a malformed response.
|
I checked the DNS setup with like 5 online tools, and the only problem they detect is that some TTL values are lower than recommended. Does letsencrypt.org run Unbound as well? I tried to read the Unbound source to see if I could make sense out of what triggers that validation error; in Still, I don't understand what it considers wrong while all the other tools seem to work okay. |
Okay, I'm convinced now that the problem is on my side somehow. |
I haven't solved it yet, but here's more context from my problem: http://serverfault.com/questions/755803/how-are-dns-timeouts-supposed-to-work/755918 |
So I've tried to debug this more and now I think this is a Boulder problem, again. I've seen that some of the answers can be of the |
The DNS server we are using also converts REFUSED into SERVFAIL, possibly that's what you're seeing? Timeouts are also a issuance blocker. |
It seems unlikely. I tried to compile and execute the |
maybe you can print out query logs |
BTW, yesterday one of the domains where I was having this problem had its previous LE certificate (from 2015-12-05) expire. Since I used HSTS, I could not do
|
FYI, http-01 works fine even with HSTS and http -> https redirects. The Boulder server does not record HSTS state, and it does follow redirects. |
That makes sense, but I bet it doesn't work when the https is on an (LE) expired cert. |
@djc: Nope, still works. Because the authentication is control of the IP, TLS validation is ignored. |
i'm having the same problem with deonthomas.com, it seems opendns and other dns servers have my record but not google. you can test by running. |
I'm going to close out this issue because there are a lot of possible causes of SERVFAIL, and they're generally not related to each other. @princeamd: Your problem sounds like it might be bad DNSSEC records, since Google and Let's Encrypt validate DNSSEC, but OpenDNS may not. If that doesn't solve your problem, could you post on https://community.letsencrypt.org for more help? Thanks! |
@jsha as far as I know my original issue still stands; renewing my certificates in April, I had the same problem again. |
@djc testing locally with |
@rolandshoemaker I've now added an explicit CNAME record for |
|
|
It seems that I'm using a different version of |
I find no problem with the domain xavamedia.nl , neither by hand or with DNSviz. RIPE Atlas probes (many of them use a validating resolver) can resolve it. (There are only two things to notice, both legal: their name servers return sometimes the RRSIG before the SOA, legal but unusual, and the domain uses wildcards, always a risky thing with DNSSEC.) Therefore, I tend to say that Let's Encrypt is wrong. |
There's no DNSSEC going on here, though, right? |
I am currently having the same issue using bind as DNS server. Everything resolves fine from multiple points, the subdomain is explicitly defined, DNSSEC has been turned off as a test, both don't work. |
@Techwolf12 If you're having an issue with DNS resolution please open a new issue that includes the domain name(s) in question. |
@cpu After testing with a lower TTL, it seems to be an issue with DNSSEC and Letsencrypt. |
@Techwolf12 Interesting - happy to help troubleshoot that in a separate issue as well. As far as I'm aware our resolver should support DNSSEC without any known issues. |
Hi all! This issue thread has been popular for people to post a variety of DNS resolution problems with Let's Encrypt, not necessarily related. I'm guessing that's because it ranks high on Google for its error message. Most types of problems that result in "SERVFAIL looking up A for ..." are not related to the original post here, and most of them require individual debugging. If you're having this problem, please visit https://community.letsencrypt.org/ and post a new topic describing your setup and including your real domain name. We have a pretty active community there that will help diagnose the problem. Thanks! |
In trying to create a certificate for a new subdomain I wanted to set up, I ran into this problem:
DNS problem: SERVFAIL looking up A for mysql.xavamedia.nl
There is no exact A record for mysql.xavamedia.nl; but it should be resolvable using a wildcard DNS entry for *.xavamedia.nl. Previously (December 5), this worked correctly for dirkjan.ochtman.nl, which is the same kind of setup, with the same name servers and the same actual host. However, when trying to create a new certificate for dirkjan.ochtman.nl, it fails the same way as mysql.xavamedia.nl.
On the other hand, I was able to have LE certify ochtman.nl and xavamedia.nl today. I also just successfully requested a certificate for enrai.xavamedia.nl, which does have an explicit A record in the DNS setup for xavamedia.nl. (FWIW, I was using acme-tiny, not the official client.)
Slight update: I just created an explicit A record for mysql.xavamedia.nl, and was able to successfully create a certificate for it, so I confirmed that there is a difference for me.
Is this an intentional change, or is there a regression (maybe having to do with the DNS validation feature that was deployed recently)? To me, the previous behavior made more sense.
The text was updated successfully, but these errors were encountered: