Let’s Encrypt fails to validate DNSSEC for CAA record

Hello,

this issue seems to have started sometime in November or December. For domains with DNSSEC enabled, Let’s Encrypt fails to issue certificates because DNSSEC validation for the CAA records fails:

Renewing an existing certificate for baka.computer and www.baka.computer
Waiting 300 seconds for DNS changes to propagate

Certbot failed to authenticate some domains (authenticator: dns-desec). The Certificate Authority reported these problems:
  Domain: baka.computer
  Type:   dns
  Detail: While processing CAA for baka.computer: DNS problem: looking up CAA for baka.computer: DNSSEC: Bogus: validation failure <baka.computer. CAA IN>: signature crypto failed from 2607:f740:e633:deec::2

  Domain: www.baka.computer
  Type:   dns
  Detail: While processing CAA for www.baka.computer: DNS problem: looking up CAA for baka.computer: DNSSEC: Bogus: validation failure <baka.computer. CAA IN>: signature crypto failed from 45.54.76.1

Hint: The Certificate Authority failed to verify the DNS TXT records created by --dns-desec. Ensure the above domains are hosted by this DNS provider, or try increasing --dns-desec-propagation-seconds (currently 300 seconds).

Failed to renew certificate baka.computer with error: Some challenges have failed.

Let’s Debug reports the same issue https://letsdebug.net/baka.computer/2675160

but unboundtest https://unboundtest.com/m/CAA/baka.computer/2542WQ75

or simply dig +dnssec @ns1.desec.io _acme-challenge.baka.computer TXT don’t seem to show any issues.

I have no idea if this is a deSEC issue, but don’t honestly know where else to start troubleshooting.

Hi aho,

Thanks for your message, and welcome to deSEC! :slight_smile:

As I could not immediately see an issue, I reran the test from https://letsdebug.net/baka.computer/2675160, and indeed there is no issue now: https://letsdebug.net/baka.computer/2675292

In fact, that domain does not have a CAA record at all.

Your post sounds like there was one when you ran the test. If you’ve removed it in the meantime, we unfortunately cannot investigate the problem further.

In general, it’s best to contact our support address when there’s a problem, and avoid touching the domain in the meantime.

Stay secure,
Peter

1 Like

Yes, sorry, I removed them momentarily to get certificates renewed. The unboundtest link shows the record as it was at the time of posting. I have restored the CAA records and the issue should be back as it was.

Thank you. This looks like a bug in PowerDNS (which is our signer); we’re in touch with them to figure out what’s going on.

One of the published records is 0 issuewild "\000". I’m not sure whether this is the bug or whether this is correct normalization, but it definitely looks a bit odd. We’ll keep you posted.

The intention of this configuration probably is that you want to prevent issuance of wildcard certificates. The correct configuration for not allowing issuance is ";" (both for issue and issuewild, see RFC 8659 Section 4.2 and 4.3). I wouldn’t be surprised if the empty value actually is invalid. (If that is the case, we should have rejected it during creation.)

Anyway, we’re debugging – while this is going on, we’d like to ask you to not touch this record for the moment, if that is acceptable to you. Thank you!

Stay secure,
Peter

1 Like
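To make the two points in Peter’s reply concrete (the CA climbs from www.baka.computer to baka.computer to find the relevant CAA RRset, and a value such as "\000" is neither a usable issuer domain nor the explicit ";" that RFC 8659 uses to forbid issuance), here is an added worked example. It is not deSEC, PowerDNS or Let’s Encrypt code; it is my own Python reading of RFC 8659 Sections 3, 4.1, 4.2 and 4.3, and the zone data in it is constructed (example.test) rather than taken from the thread.

```python
"""Added worked example (not deSEC, PowerDNS or Let's Encrypt code): parse CAA
records in zone-file presentation form, lint issue/issuewild values against
the RFC 8659 issue-value grammar, and decide whether a CA may issue for a name
by walking the tree as RFC 8659 Section 3 describes.  Zone data is constructed."""
import re

# "flags tag "value"" in presentation form; the value may contain \DDD escapes.
CAA_LINE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"((?:[^"\\]|\\.)*)"$')
# RFC 8659 s4.2 issue-value: optional issuer domain, optional ";parameters".
LABEL = r'[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
ISSUE_VALUE = re.compile(rf'^\s*(?:{LABEL}(?:\.{LABEL})*\s*)?(?:;.*)?$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659 s4.1)


def unescape(s):
    """Decode zone-file escapes: \\DDD is a decimal octet, \\X is a literal X."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and len(s[i + 1:i + 4]) == 3 and s[i + 1:i + 4].isdigit():
            out.append(chr(int(s[i + 1:i + 4])))
            i += 4
        elif s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_caa(text):
    """Parse one CAA record, e.g. 0 issue "letsencrypt.org"; tags are case-insensitive."""
    m = CAA_LINE.match(text.strip())
    if not m:
        raise ValueError(f"not a CAA presentation record: {text!r}")
    flags = int(m.group(1))
    if flags > 255:
        raise ValueError("CAA flags must fit in one octet")
    return {"flags": flags, "tag": m.group(2).lower(), "value": unescape(m.group(3))}


def issuer_domain(value):
    """Issuer domain of an issue/issuewild value with any ';parameters' stripped."""
    return value.split(";", 1)[0].strip().lower()


def lint_issue_value(rec):
    """Warnings for issue/issuewild values that will not behave as the author expects."""
    warnings = []
    if rec["tag"] not in ("issue", "issuewild"):
        return warnings
    v = rec["value"]
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in v):
        warnings.append("value contains non-printable octets (e.g. a \\000 byte)")
    if not ISSUE_VALUE.match(v):
        warnings.append("value does not match the RFC 8659 issue-value grammar")
    elif issuer_domain(v) == "" and ";" not in v:
        warnings.append("empty value; to forbid issuance write ';' explicitly")
    return warnings


def relevant_caa_set(zone, name):
    """RFC 8659 s3: climb from name toward the root; first non-empty CAA RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, [parse_caa(r) for r in zone[candidate]]
    return None, []


def may_issue(zone, name, ca, wildcard=False):
    """Would CA `ca` be permitted to issue for name (or *.name if wildcard)?"""
    _, records = relevant_caa_set(zone, name)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unknown tag marked critical forbids issuance outright.
    if any(r["flags"] & CRITICAL and r["tag"] not in KNOWN_TAGS for r in records):
        return False
    issue = [r for r in records if r["tag"] == "issue"]
    issuewild = [r for r in records if r["tag"] == "issuewild"]
    # issuewild governs wildcard requests when present; otherwise issue applies.
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True
    # ';', '' and a stray NUL byte all fail to name this CA, so all deny it.
    return any(issuer_domain(r["value"]) == ca.lower() for r in governing)


# Constructed zone mirroring the shape of the records discussed in the thread.
EXAMPLE_ZONE = {
    "example.test": ['0 issue "letsencrypt.org"', '0 issuewild "\\000"'],
}

if __name__ == "__main__":
    for rr in EXAMPLE_ZONE["example.test"]:
        print(rr, "->", lint_issue_value(parse_caa(rr)) or "ok")
    print("host cert via LE:", may_issue(EXAMPLE_ZONE, "www.example.test", "letsencrypt.org"))
    print("wildcard via LE: ", may_issue(EXAMPLE_ZONE, "example.test", "letsencrypt.org", wildcard=True))
```

Running it shows why the odd record still "works" for its apparent purpose: a NUL byte never equals any CA’s issuer domain, so wildcard issuance is denied, but the linter flags it as non-printable and outside the issue-value grammar, whereas `0 issuewild ";"` passes clean. The walk in `relevant_caa_set` is also why the Certbot output reports a lookup for baka.computer while validating www.baka.computer.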