Post AcuIOM59IeS4qfH1Um by geb@mamot.fr
(DIR) Post #AcuDh5M5DMeihbJ3Am by geb@mamot.fr
2023-12-17T16:07:07Z
0 likes, 0 repeats
Hi #DNS folks. I am encountering an issue with Let's Encrypt. It seems that their resolver now returns SERVFAIL when receiving NXDOMAIN for CAA records, preventing issuing (renewing?) certificates in some conditions. There are many posts of people stuck with the problem. Some point to a PowerDNS bug (which my provider is likely to use). However, the last line of their debug tool makes me suspicious. Ex:
- https://unboundtest.com/m/TXT/tp10.goessens.fr/4FVOKLRX
- https://unboundtest.com/m/CAA/tp10.goessens.fr/2YWKID6V
@bortzmeyer opinion?
(DIR) Post #AcuDh6OxKAY1wnerI0 by bortzmeyer@mastodon.gougere.fr
2023-12-17T16:19:45Z
0 likes, 0 repeats
@geb Why would a NXDOMAIN be returned? I tested this domain name and it does exist. And TXT and CAA requests, predictably, return NODATA (NO ERROR + answer=0)
(DIR) Post #AcuEB8ahkSJVQRTX72 by geb@mamot.fr
2023-12-17T16:23:44Z
0 likes, 0 repeats
@bortzmeyer Right, sorry. Still, I don't understand why Unbound, and so Let's Encrypt, send a SERVFAIL in this case (https://github.com/NLnetLabs/unbound/issues/946 ?). I hope it won't block cert renewals...
(DIR) Post #AcuEjoaM7XWjVxqc40 by bortzmeyer@mastodon.gougere.fr
2023-12-17T16:31:31Z
0 likes, 0 repeats
@geb Funny, I think I had this bug in Drink (failing to return SOA for NODATA) and it indeed created problems.
(DIR) Post #AcuEs1Db2GlD0m77ku by geb@mamot.fr
2023-12-17T16:32:58Z
0 likes, 0 repeats
@bortzmeyer funny maybe, but the bug seems to be on the production LetsEncrypt resolvers 😨
(DIR) Post #AcuFDiDmLZ58SpXlGy by bortzmeyer@mastodon.gougere.fr
2023-12-17T16:36:55Z
0 likes, 0 repeats
@geb I currently just have a smartphone so I cannot investigate seriously but the way I understand the Unbound ticket, the bug is in the authoritative server, which does not return SOA for NODATA?
(DIR) Post #AcuIOM59IeS4qfH1Um by geb@mamot.fr
2023-12-17T17:12:28Z
0 likes, 0 repeats
@bortzmeyer Right. My test domain `tp10.goessens.fr` is running on dynv6.com, which seems to also not return SOA for NODATA.
According to my reading of https://www.rfc-editor.org/rfc/rfc2308#section-2.2 this SOA seems to be mandatory, or at least expected (thanks, I did not know about that!).
Let's Encrypt points to a PowerDNS bug in https://community.letsencrypt.org/t/caa-servfail-changes/38298/3 and https://letsencrypt.org/docs/caa/ but it seems more related to DNSSEC.
Let's hope it won't block renewals. Judging by the number of posts on the LE forum, I am not the only one...
(DIR) Post #Acvj7dukddtz9Tcq3s by pmevzek@framapiaf.org
2023-12-18T03:30:33Z
0 likes, 0 repeats
@geb @bortzmeyer The RFC gives examples of 3 cases of NODATA. But all come from the opening text: "The authority section will contain an SOA record, or there will be no NS records there." Any other situation can't fall under the "NODATA" case. As CAA records are on names that will be in the certificate, hence connected to, a query for CAA cannot possibly return NXDOMAIN (or at least not permanently). Separately, with DNSSEC and white/black lies, NXDOMAIN may be replaced by NODATA in answers.
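The RFC 2308 §2.2 rule discussed in the two posts above (SOA present, or no NS records, in the authority section of an empty NOERROR answer) is mechanical enough to encode. The following is an added example, written for this page and not code from any of the participants, Unbound, or Let's Encrypt: a minimal DNS wire-format parser that classifies a response as ANSWER, REFERRAL, NXDOMAIN, or one of the three NODATA types, and flags the case the thread is about (NODATA with no SOA, i.e. nothing to derive a negative TTL from). The messages it checks are constructed inline for the hypothetical zone `example.net` (names, TTLs and SOA values are assumptions), so it runs offline.

```python
import struct

RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
NS, SOA, CAA = 2, 6, 257


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_response(qname, qtype, rcode, answer=(), authority=()):
    """Constructed test message (QR=1, AA=1): RRs are (name, type, rdata), TTL 300."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, len(answer), len(authority), 0)
    msg = hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, rtype, rdata in list(answer) + list(authority):
        msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Parse header, single question, answer and authority sections."""
    _id, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return {"rcode": flags & 0xF, "qname": qname, "qtype": qtype,
            "answer": sections[0], "authority": sections[1]}


def classify(resp):
    """Apply RFC 2308 section 2.2 to a parsed response."""
    auth_types = {rtype for _, rtype, _ in resp["authority"]}
    has_soa, has_ns = SOA in auth_types, NS in auth_types
    if resp["rcode"] == 3:
        return "NXDOMAIN" + ("" if has_soa else " (no SOA: not cacheable)")
    if resp["rcode"] != 0:
        return RCODE.get(resp["rcode"], "RCODE%d" % resp["rcode"])
    if resp["answer"]:
        return "ANSWER"
    if has_soa:                      # SOA present: a cacheable NODATA
        return "NODATA type 1" if has_ns else "NODATA type 2"
    if has_ns:                       # NS but no SOA: a delegation, not NODATA
        return "REFERRAL"
    return "NODATA type 3 (no SOA: no negative TTL, strict resolvers may reject)"


def examples():
    """Constructed responses to CAA queries for the hypothetical zone example.net."""
    soa = (encode_name("ns1.example.net.") + encode_name("hostmaster.example.net.")
           + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))
    ns = encode_name("ns1.example.net.")
    caa = bytes([0, 5]) + b"issue" + b"ca.example.net"
    q = "tp10.example.net."
    return {
        "nodata_soa_ns": build_response(q, CAA, 0, authority=[("example.net.", SOA, soa), ("example.net.", NS, ns)]),
        "nodata_soa": build_response(q, CAA, 0, authority=[("example.net.", SOA, soa)]),
        "nodata_no_soa": build_response(q, CAA, 0),
        "referral": build_response(q, CAA, 0, authority=[("tp10.example.net.", NS, ns)]),
        "nxdomain": build_response("nope.example.net.", CAA, 3, authority=[("example.net.", SOA, soa)]),
        "answer": build_response(q, CAA, 0, answer=[(q, CAA, caa)]),
    }


if __name__ == "__main__":
    for label, msg in examples().items():
        print("%-14s %s" % (label, classify(parse_response(msg))))
```

The `nodata_no_soa` case is the shape described for the test domain earlier in the thread: RCODE 0, empty answer, empty authority. It is still NODATA under the quoted rule (no NS records), but without an SOA a resolver has no negative TTL, which is why RFC 2308 tells caches not to store it and why a strict validator may decline to trust it.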
(DIR) Post #Acvj7emHQcihpUfaUq by bortzmeyer@mastodon.gougere.fr
2023-12-18T09:46:38Z
0 likes, 0 repeats
@pmevzek @geb I agree. Now, is there somewhere a summary of the CURRENT problem with ACTUAL examples? Most references seem to be for old tickets, long fixed or, for broken authoritative servers which fail to return the SOA for NODATA (in that case, it is their fault, not Let's Encrypt's). My summary: https://framagit.org/-/snippets/7174
(DIR) Post #AcwCJ7tMQ6w5yvnqUa by bortzmeyer@mastodon.gougere.fr
2023-12-18T15:13:42Z
0 likes, 0 repeats
@pmevzek @geb Better (discussed on the PowerDNS mailing list), mwscdn.ru whose authoritative nameservers reply NXDOMAIN for non-existing query types, such as CAA.
(DIR) Post #AcwUUHhe57PmlpnGYy by geb@mamot.fr
2023-12-18T18:37:20Z
0 likes, 0 repeats
@bortzmeyer @pmevzek Thanks for the test. I can't find many recent examples (except maybe https://community.letsencrypt.org/t/potential-networking-client-changes-on-dns-challenges/207967/31) and, thanks to your help, I now understand that returning SERVFAIL for NODATA without SOA is valid. I am just curious to see how many people will have the issue. The change is quite recent in Unbound and, according to your own test, not a lot of resolvers behave the same, so it could be quite surprising. Let's see... thanks anyway.
(DIR) Post #AcwWlyd7vsh4joFCgS by bortzmeyer@mastodon.gougere.fr
2023-12-18T19:03:02Z
0 likes, 0 repeats
@geb @pmevzek And the Unbound issue is just for a very specific configuration, which is probably not common.
(DIR) Post #AdUOAkQDt3TsnniuEi by geb@mamot.fr
2024-01-04T03:06:50Z
0 likes, 0 repeats
@bortzmeyer @pmevzek Apparently the strict Unbound SERVFAIL on NODATA without SOA has been corrected: https://github.com/NLnetLabs/unbound/commit/b865aca03a5c653356334c789b54e70c0bd0e08d#diff-960d97da4fff47137f1f6e59ece820988c80424e865244d620c2224fb1b1f605L285 and https://github.com/NLnetLabs/unbound/issues/946