Bug? SERVFAILs while requesting SOA records from acme-dns hosted domain

user5921 · November 8, 2018, 5:58am

Hello! I’ve found an issue with a Let’s Encrypt dns-01 challenge
client misbehaving while using 1.1.1.1 as DNS server, which appears to
be caused by that recursor returning SERVFAILs for SOA queries on the challenge
domain.

To reproduce:

$ dig @8.8.8.8 SOA 4442248e-9706-4050-9910-b1f3bde0f362.acme.lfcode.ca | grep "status:"

$ dig @1.1.1.1 SOA 4442248e-9706-4050-9910-b1f3bde0f362.acme.lfcode.ca | grep "status:"

The challenge process succeeds with 8.8.8.8 as it is correctly (?)
returning an NXDOMAIN. The logs of the authoritative nameserver at
acme.lfcode.ca indicate it is returning an NXDOMAIN itself:

Nov 08 05:37:13 abyss acme-dns[19514]: time="2018-11-08T05:37:13Z"
level=debug msg="Answering question for domain"
domain=[4442248e-9706-4050-9910-b1f3bde0f362.acme.lfcode.ca](http://4442248e-9706-4050-9910-b1f3bde0f362.acme.lfcode.ca/). qtype=SOA
rcode=NXDOMAIN
Nov 08 05:37:13 abyss acme-dns[19514]: time="2018-11-08T05:37:13Z"
level=debug msg="Answering question for domain"
domain=[4442248e-9706-4050-9910-b1f3bde0f362.acme.lfcode.ca](http://4442248e-9706-4050-9910-b1f3bde0f362.acme.lfcode.ca/). qtype=SOA
rcode=NXDOMAIN

The application is walking up a label at a time looking for SOA
records, but it is dazed and confused by the SERVFAIL and tries again
until it fails a minute later.

Further logs and information about the issue are available at the
GitHub issue filed about this:

github.com/go-acme/lego

acme-dns challenge: timeouts?

opened 06:45AM - 07 Nov 18 UTC

closed 03:29PM - 08 Nov 18 UTC

lf-

area/dnsprovider

I'm running a version I compiled this evening from `lego-git` on the AUR with th…e command `ACME_DNS_API_BASE=http://127.0.0.1:2500 ACME_DNS_STORAGE_PATH=/var/lib/lego/acme-dns-accounts.json lego --email <spambotsgoaway> -a --dns acme-dns --domains '*.lfcode.ca' --path /var/lib/lego run`, and I'm observing a timeout. Output: ``` 2018/11/07 06:21:52 [INFO] [*.lfcode.ca] acme: Obtaining bundled SAN certificate 2018/11/07 06:21:53 [INFO] [*.lfcode.ca] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/ 2018/11/07 06:21:53 [INFO] [lfcode.ca] acme: Preparing to solve DNS-01 2018/11/07 06:21:53 [INFO] [lfcode.ca] acme: Trying to solve DNS-01 2018/11/07 06:21:53 [INFO] [lfcode.ca] Checking DNS record propagation using [1.1.1.1:53 1.0.0.1:53 [2606:4700:4700::1111]:53 [2606:4700:4700::1001]:53] 2018/11/07 06:21:53 [INFO] Wait [timeout: 1m0s, interval: 2s] 2018/11/07 06:22:53 Could not obtain certificates acme: Error -> One or more domains had a problem: [lfcode.ca] time limit exceeded: last error: could not determine the zone: unexpected response code 'SERVFAIL' for 4442248e-9706-4050-9910-b1f3bde0f362.acme.lfcode.ca. ``` acme-dns logs (don't worry about the timestamps, these are the same lines as were observed the first run): ``` Nov 07 06:41:13 abyss acme-dns[19514]: time="2018-11-07T06:41:13Z" level=debug msg="TXT updated" subdomain=4442248e-9706-4050-9910-b1f3bde0f362 txt=_GMMgk1r8WTHq7SDDpRltBLqy9Qr4yLn3QMCAWjrGAc <...> Nov 07 06:26:34 abyss acme-dns[19514]: time="2018-11-07T06:26:34Z" level=info msg="Answering TXT question for domain" domain=4442248e-9706-4050-9910-b1f3bde0f362.acme.lfcode.ca. Nov 07 06:26:34 abyss acme-dns[19514]: time="2018-11-07T06:26:34Z" level=debug msg="Answering question for domain" domain=4442248e-9706-4050-9910-b1f3bde0f362.acme.lfcode.ca. qtype=SOA rcode=NXDOMAIN <repeated 30 times> ``` Why is lego looking for SOA records? I've checked the domain listed there with dig for TXT records manually and found that there is indeed a record there. I've also tried running with `--dns-resolvers 127.0.0.1` to eliminate any caching misbehaviour. So, in summary: 1. Lego appears to be updating the record to `_GMM.....` 2. It is checking it, and that is indeed the value of the record. 3. It's timing out checking the record is what it just set it to?

Thanks!

Side-note: this forum software is horribly broken in that it aggressively looks for link-looking things (including domain names!) and mangles them into “links” when pasted in.

mnordhoff · November 8, 2018, 11:37am

acme.lfcode.ca has DNS issues.

https://ednscomp.isc.org/ednscomp/cf38574b18

http://dnsviz.net/d/acme.lfcode.ca/W-QcZg/dnssec/

lfcode.ca’s nameservers say acme.lfcode.ca is served by abyss.lfcode.ca.

;; AUTHORITY SECTION:
acme.lfcode.ca.         300     IN      NS      abyss.lfcode.ca.

;; ADDITIONAL SECTION:
abyss.lfcode.ca.        300     IN      A       50.116.18.138
abyss.lfcode.ca.        300     IN      AAAA    2600:3c00::f03c:91ff:fec8:969e

However, the nameserver itself says:

acme.lfcode.ca.         3600    IN      NS      acme.lfcode.ca.

On its own, that inconsistency causes warnings in DNS checking tools but is harmless.

However, a query for acme.lfcode.ca with most query types says:

acme.lfcode.ca.         3600    IN      CNAME   lfcode.ca.

That’s illegal, for two reasons: The zone apex can’t be a CNAME, and the value of an NS record can’t be a CNAME.

Additionally, a query for the TXT type responds with NXDOMAIN. (Under the circumstances, the resolver probably never happened to make a TXT query and doesn’t know that, but it’s not good.)

Also, none of the responses set the Authoritative Answer bit.

Additionally, TCP doesn’t work. (But the resolver probably had no reason to try it.)

I’m only speculating, but I’d bet that either the CNAME or the AA issue is making 1.1.1.1 unhappy. It could be something else, though.

user5921 · November 8, 2018, 3:52pm

I fixed the NS and now the query works correctly. The rest of it is bugs in acme-dns which I just filed.

Topic		Replies	Views
DNS problem: SERVFAIL looking up A for mydomain.com 1.1.1.1	5	6468	January 17, 2022
SERVFAIL for my domain from 1.1.1.1 and 1.0.0.1 1.1.1.1	9	5154	June 18, 2021
Http://_acme-challenge.xxxxx.xyx/admin General	3	325	April 17, 2024
DNS propagation issues after 5 days DNS & Network	3	1654	August 31, 2022
Cloudflare Acme DNS challenge fails Security	6	7710	December 30, 2021

Bug? SERVFAILs while requesting SOA records from acme-dns hosted domain

Related topics