I am the administrator for the US.KG zone. US.KG is a domain added to the PSL list. Based on my own testing and reports from many users, hosting this domain on Cloudflare has recently resulted in an inability to issue SSL certificates (Edge Certificates remain stuck at Pending Validation (TXT)). Any assistance would be greatly appreciated!
Checking the domain, it seems these 4 nameservers might have a problem…
US.KG. 1800 IN NS NS3.DIGITALPLAT.ORG.
US.KG. 1800 IN NS NS2.DIGITALPLAT.ORG.
US.KG. 1800 IN NS NS4.DIGITALPLAT.ORG.
US.KG. 1800 IN NS NS1.DIGITALPLAT.ORG.
ns1 and ns2 seem slow, sometimes timing out; ns3 and ns4 are not responding (to me anyway).
Thank you for your reply, but I don’t think this is a DNS issue (as domain names and record values are being resolved correctly). I suspect that the Google certificate might not have included the PSL domain, resulting in issuance restrictions. I will upgrade the DNS server and try again. Thank you.
I upgraded the primary DNS server, but the issue persists. Cloudflare’s resolution took effect quickly, but the Edge certificate still couldn’t be issued.
I’m still having problems resolving your domain through a trace rather than a caching resolver, which is what a CA would be doing as well to get the latest IP address without TTL issues. It may just be me (I’m in the UK), someone else may know if this is the issue or something else.
US.KG. 1800 IN NS NS3.DIGITALPLAT.ORG.
US.KG. 1800 IN NS NS2.DIGITALPLAT.ORG.
US.KG. 1800 IN NS NS4.DIGITALPLAT.ORG.
US.KG. 1800 IN NS NS1.DIGITALPLAT.ORG.
US.KG. 1800 IN NSEC USA.kg. NS RRSIG NSEC
US.KG. 1800 IN RRSIG NSEC 8 2 1800 20241231235955 20240715143013 3529 kg. Jt+uxm5EMD7e9IHcWvtJhq4ICAAJjUwbbl9PapZmc8KYgFY5Gi3V8tyT al+XH3d47yeCK/65hk9mpyW5/YW+9WD7iH6ywTheXh/zQ3lJoUgWQnQ8 bp1+sL/VeIuZACsir8hxCxHEqTuP/2Pe3n9Bh9v5+XrP891AM15+WXMn z+ZZMKYRXm9mcMOJMXAWf85ChdfBWJZIbWrEELzrVu8GVBL2caO6WHBJ gtV7i0kO/jIhz5CNPMpq44qwD8R4fGbWhR1wlfyd10GQ5cMxvB6YmUHT 35jlnRO+QAs4OR5GBiMv2t/Exb8SWxP8X0ZNdzE8eCQ9vs2d0eDvndZf rzpbpA==
;; Received 482 bytes from 2a11:a380::195:38:160:38#53(ns2.kg) in 95 ms
;; communications error to 192.9.243.240#53: timed out
;; communications error to 192.9.243.240#53: timed out
;; communications error to 192.9.243.240#53: timed out
;; communications error to 192.9.243.240#53: timed out
;; communications error to 150.230.46.101#53: timed out
;; communications error to 142.171.123.133#53: timed out
;; no servers could be reached
US.KG. 1800 IN NS NS3.DIGITALPLAT.ORG.
US.KG. 1800 IN NS NS2.DIGITALPLAT.ORG.
US.KG. 1800 IN NS NS4.DIGITALPLAT.ORG.
US.KG. 1800 IN NS NS1.DIGITALPLAT.ORG.
;; Received 164 bytes from 2a11:a380::195:38:160:38#53(ns2.kg) in 64 ms
;; communications error to 142.171.123.133#53: timed out
;; communications error to 142.171.123.133#53: timed out
;; communications error to 142.171.123.133#53: timed out
;; communications error to 192.9.243.240#53: timed out
;; communications error to 150.230.46.101#53: timed out
;; communications error to 192.9.243.240#53: timed out
;; no servers could be reached
;; communications error to 192.9.243.240#53: timed out
;; communications error to 192.9.243.240#53: timed out
;; communications error to 192.9.243.240#53: timed out
;; communications error to 142.171.123.133#53: timed out
edgealpha.us.kg. 3600 IN NS cody.ns.cloudflare.com.
edgealpha.us.kg. 3600 IN NS karina.ns.cloudflare.com.
;; Received 129 bytes from 150.230.46.101#53(NS2.DIGITALPLAT.ORG) in 176 ms
edgealpha.us.kg. 300 IN A 172.67.211.95
edgealpha.us.kg. 300 IN A 104.21.91.70
;; Received 76 bytes from 173.245.59.107#53(cody.ns.cloudflare.com) in 20 ms
The nameservers for the us.kg zone time out most of the time; responses are very sporadic, which is likely to cause issues.
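To quantify "sporadic" rather than eyeballing it, the dig +trace output above can be summarised per nameserver. This is an added example, not code from the thread; it parses dig's `;; communications error` and `;; Received` lines from a constructed subset of the trace quoted above and flags servers whose timeout share is at or above a chosen threshold.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the dig +trace lines quoted in this thread.
SAMPLE_TRACE = """\
;; Received 482 bytes from 2a11:a380::195:38:160:38#53(ns2.kg) in 95 ms
;; communications error to 192.9.243.240#53: timed out
;; communications error to 192.9.243.240#53: timed out
;; communications error to 150.230.46.101#53: timed out
;; communications error to 142.171.123.133#53: timed out
;; no servers could be reached
;; Received 129 bytes from 150.230.46.101#53(NS2.DIGITALPLAT.ORG) in 176 ms
;; Received 76 bytes from 173.245.59.107#53(cody.ns.cloudflare.com) in 20 ms
"""

# dig prints these two line shapes for failed and successful queries respectively.
TIMEOUT_RE = re.compile(r"^;; communications error to (\S+)#53: timed out")
RECEIVED_RE = re.compile(r"^;; Received (\d+) bytes from (\S+)#53\((\S+)\) in (\d+) ms")


def summarise_trace(text):
    """Return {server_ip: {"name", "ok", "timeouts", "rtt_ms"}} from dig +trace output."""
    stats = defaultdict(lambda: {"name": None, "ok": 0, "timeouts": 0, "rtt_ms": []})
    for line in text.splitlines():
        m = TIMEOUT_RE.match(line)
        if m:
            stats[m.group(1)]["timeouts"] += 1
            continue
        m = RECEIVED_RE.match(line)
        if m:
            _, ip, name, rtt = m.groups()
            entry = stats[ip]
            entry["name"] = name          # only known when the server actually answered
            entry["ok"] += 1
            entry["rtt_ms"].append(int(rtt))
    return dict(stats)


def unreliable_servers(stats, max_timeout_ratio=0.5):
    """IPs whose share of timed-out queries is >= the threshold (never-answering servers included)."""
    bad = []
    for ip, s in stats.items():
        total = s["ok"] + s["timeouts"]
        if total and s["timeouts"] / total >= max_timeout_ratio:
            bad.append(ip)
    return sorted(bad)


if __name__ == "__main__":
    st = summarise_trace(SAMPLE_TRACE)
    for ip, s in st.items():
        print(ip, s["name"], "ok=%d timeouts=%d rtt=%s" % (s["ok"], s["timeouts"], s["rtt_ms"]))
    print("unreliable:", unreliable_servers(st))
```

Feed it the full output of `dig +trace <name>` from several vantage points; a CA's validation resolver walks the delegation the same way, so any nameserver that lands in the unreliable list is one it may also fail to reach.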
Update:
I confirmed that the issue lies with Google CA. I switched to Let’s Encrypt through the API, and it only took 5 minutes to issue the certificate. I think the problem might be due to too many newly registered domains being restricted by Google CA.
Cloudflare has been preferring GTS recently due to the LE cross-signing expiration issue, so it won’t be that, as they will have been pushing huge numbers of certs through GTS. More likely LE were lucky and got a response from the us.kg nameservers through their wobbliness.
Anyway, your us.kg nameservers need looking at. Try them yourself. As @Laudian puts it, responses are very sporadic.