SSL/TLS Certificate renewal error suddenly, previously worked, nothing changed

SniCertificate::CertificateNonvalidError: Unable to verify challenge for www.oskarthun.xyz: DNS problem: looking up CAA for oskarthun.xyz: DNSSEC: RRSIGs Missing: validation failure <oskarthun.xyz. CAA IN>: no signatures from 20.228.226.240

I got this error and haven’t changed any records and it worked previously. I have tried to search forums and online but can’t really understand where the problem is. I tried adding that A record with ip address yesterday, but it hasn’t helped yet. I didn’t put anything in the host field of it and it added an @ there. Should it be a * or www instead? I didn’t add those dots at the end of CNAME and ALIAS records and had letsencrypt.org inside ", but those got changed to what is shown after saving.

My DNS records (top row added yesterday, otherwise no changes):

Host		Type	Value												TTL
@		A		75.2.60.5												3600
@		ALIAS	oskarthunxyz.netlify.app.									3600
www	CNAME	oskarthunxyz.netlify.app.									3600
@		TXT		ENS1 0xf97aac6c8dbaebcb54ff166d79706e3af7a813c8		3600
*		CAA		0 issue letsencrypt.org									3600

A forum post suggested this tool and it has seven errors and three warnings. Yesterday there were seven errors and five warnings.
https://dnsviz.net/d/oskarthun.xyz/dnssec/

ChatGPT gave me this answer. Is DNSSEC the problem? Do I have to contact 3dns.box support as there is no option to disable it? Is that L1 gateway contract mandatory to have or can I just ask them to disable it completely?

Edit2: This goes completely over my head. I don’t have anything called salt in my dns records. Should I just send this forum post to their support or is it something I can fix myself?

The error you’re encountering is related to DNSSEC (Domain Name System Security Extensions), specifically with the DNS Certification Authority Authorization (CAA) records and their DNSSEC signatures. Here’s a breakdown of what might be causing the issue:

Understanding the Error

  • DNSSEC RRSIGs Missing: This error indicates that your domain’s DNS records are not properly signed with DNSSEC. The RRSIG (Resource Record Signature) is a DNSSEC signature that is supposed to be attached to the DNS records to verify their authenticity. If these signatures are missing or invalid, DNSSEC validation will fail.
  • CAA Records: CAA records specify which certificate authorities (CAs) are allowed to issue certificates for your domain. The CAA record for oskarthun.xyz tells the world that only Let’s Encrypt is authorized to issue SSL certificates for your domain.

Steps to Diagnose and Fix

  1. Check DNSSEC Configuration:
  • DNSSEC Enabled: Ensure that DNSSEC is properly configured for your domain. This involves having the DNSKEY and DS records properly set up. If these records are not correctly set or are incomplete, it will result in DNSSEC validation errors.
  • RRSIG Validity: The RRSIG records must be correctly generated and attached to your DNS records.
  1. Verify DNS Records:
  • CAA Record: Your CAA record looks correct in terms of allowing Let’s Encrypt (0 issue "letsencrypt.org"). Ensure there are no extra spaces or syntax issues in this record.
  • A Record: The @ (root) A record pointing to 75.2.60.5 looks correct if this IP is associated with your web hosting service.
  • CNAME Record: The www CNAME pointing to oskarthunxyz.netlify.app. is correct for Netlify. Ensure the trailing dot is there, as it denotes the fully qualified domain name (FQDN).
  1. DNS Configuration:
  • Using @ vs. *: @ is typically used to refer to the root domain (e.g., oskarthun.xyz). * is a wildcard entry that matches any subdomain (e.g., anything.oskarthun.xyz). You generally do not need to add an A record with *. Your current setup with @ for the A record and www for the CNAME is correct.
  • Dot at the End of CNAME/ALIAS: It’s normal to have a trailing dot at the end of a domain name in DNS records when specifying a FQDN.
  1. Check DNSSEC Signing with DNS Host:
  • If you enabled DNSSEC on your domain through your DNS hosting provider (e.g., your domain registrar or a DNS service like Cloudflare), ensure that the DNSSEC signing process is correctly functioning. If not, consider disabling and re-enabling DNSSEC to regenerate the necessary signatures.
  1. DNS Propagation:
  • After making changes, DNS records can take some time to propagate. Typically, this is up to the TTL (Time to Live) value, which you have set to 3600 seconds (1 hour). If you made changes recently, it may just need more time.
  1. DNS Diagnostic Tools:
  • The tool you used (DNSViz) is helpful in diagnosing DNSSEC issues. If it reports errors, it’s crucial to resolve those before proceeding. Pay special attention to the errors related to DNSSEC signatures (RRSIG) and ensure that your DNS provider’s setup is correct.

What to Do Next

  • Recheck DNSSEC Setup: If you’re unsure about the DNSSEC configuration, consider contacting your DNS provider’s support for assistance. They can help verify that DNSSEC is properly configured.
  • Clear DNS Cache: Clear your local DNS cache and any caching on your DNS provider’s side to ensure you are seeing the latest version of your DNS records.
  • Let’s Encrypt and Netlify Configuration: Ensure that your SSL certificate process (via Let’s Encrypt) on Netlify is correctly configured and that there are no issues on Netlify’s end with issuing or renewing certificates.

If you continue to experience issues, disabling DNSSEC temporarily could help isolate whether it’s a DNSSEC-specific problem or something else.

ME: Could this be the problem? Gateway enabled Using DNSSEC and our L1 Gateway Contract enables your domain name to function as an ENS name.

ChatGPT

Yes, the problem could indeed be related to the use of DNSSEC in combination with the L1 Gateway Contract for ENS (Ethereum Name Service). Here’s why:

Understanding the Interaction

  1. DNSSEC and ENS Integration:
  • When DNSSEC is enabled on a domain, it signs DNS records with cryptographic signatures, providing a layer of security that ensures these records haven’t been tampered with.
  • The Ethereum Name Service (ENS) allows you to map a domain name (like oskarthun.xyz) to Ethereum addresses, content hashes, and other blockchain resources. The L1 Gateway Contract is a bridge that enables a DNS domain to function as an ENS name by verifying the DNSSEC signatures on-chain.
  1. Gateway Enabled:
  • If you’ve enabled the L1 Gateway Contract and DNSSEC simultaneously, the ENS system is likely using these DNSSEC records to validate ownership of the domain on-chain. However, any issues with DNSSEC signing (like missing RRSIGs or misconfigured DNS records) will cause validation to fail both in traditional DNS and within the ENS ecosystem.
  1. Potential Issues:
  • DNSSEC Misconfiguration: Any misconfiguration in DNSSEC could break both your DNS setup and the ENS functionality. If the DNSSEC records aren’t correctly propagated or if there are issues with the RRSIG records, this can cause the errors you’re seeing.
  • Timing and Propagation Delays: If DNS changes have been made recently (especially regarding DNSSEC), they might not have fully propagated yet, leading to intermittent failures.

What You Should Do

  1. Review DNSSEC Setup:
  • Revalidate your DNSSEC setup to ensure all necessary signatures are present and correct. This is crucial since any failure in DNSSEC will affect both DNS resolution and ENS functionality.
  1. Check with ENS/DNS Provider:
  • Contact your DNS provider and ENS support to ensure that the integration between DNSSEC and ENS via the L1 Gateway Contract is correctly configured. They might have specific requirements or additional steps you need to follow.
  1. Consider Disabling DNSSEC Temporarily:
  • As a diagnostic step, consider temporarily disabling DNSSEC to see if this resolves the issue. If disabling DNSSEC resolves the error, it confirms that the problem lies within the DNSSEC setup or its interaction with ENS.
  1. Re-enable Gateway After Fix:
  • Once you’ve confirmed that DNSSEC is correctly configured and functional, you can re-enable the L1 Gateway Contract to allow your domain to function as an ENS name.

Conclusion

The combination of DNSSEC and the L1 Gateway Contract for ENS is powerful but requires precise configuration. Any issues in the DNSSEC setup will directly impact both DNS resolution and ENS operations. Ensuring that DNSSEC is correctly configured and working should resolve the errors you’re encountering. If you’re unsure about any specific configurations, consulting with your DNS provider or ENS support is recommended.

ME: Here are dnsviz errors and warnings. Notices Errors (7) NSEC3 proving non-existence of netlify.app/DS: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1. NSEC3 proving non-existence of netlify.app/DS: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1. oskarthun.xyz/CDNSKEY: The response had an invalid RCODE (NOTIMP). See RFC 1035, Sec. 4.1.1. (20.228.226.240, 20.231.95.96, UDP_-NOEDNS) oskarthun.xyz/CDS: The response had an invalid RCODE (NOTIMP). See RFC 1035, Sec. 4.1.1. (20.228.226.240, 20.231.95.96, UDP_-NOEDNS) ynr23.s6v34.oskarthun.xyz/A has errors; select the “Denial of existence” DNSSEC option to see them. oskarthun.xyz/CNAME has errors; select the “Denial of existence” DNSSEC option to see them. oskarthun.xyz/NSEC3PARAM has errors; select the “Denial of existence” DNSSEC option to see them. Warnings (3) NSEC3 proving non-existence of netlify.app/DS: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1. NSEC3 proving non-existence of netlify.app/DS: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1. oskarthun.xyz/CNAME: The server returned CNAME for oskarthun.xyz, but records of other types exist at that name. See RFC 2181, Sec. 10.1.

ChatGPT

The errors and warnings you’re seeing from DNSViz indicate several issues with your DNS setup, particularly related to DNSSEC. Here’s a breakdown of these errors and how they might be contributing to the problem you’re facing:

1. NSEC3 Iteration Count and Salt Value Issues

  • Errors:
    • NSEC3 proving non-existence of netlify.app/DS: The NSEC3 records used to prove the non-existence of certain DNS records (like DS records) should use an iteration count of 0 and an empty salt value. The current configuration doesn’t follow this, which is causing errors.
  • Warnings:
    • Similar warnings about the salt value being non-empty, which is not recommended according to the latest standards (RFC 9276).

Impact: NSEC3 is used in DNSSEC to prove that certain records (like DS records) do not exist. Misconfiguration here can cause DNSSEC validation to fail, leading to the kind of errors you’re seeing.

2. Invalid RCODE for CDNSKEY and CDS

  • Errors:
    • Invalid RCODE (NOTIMP) for CDNSKEY and CDS: The servers responded with an RCODE of NOTIMP (Not Implemented) when queried for CDNSKEY and CDS records. These are essential DNSSEC records used to sign the DNSKEY records and establish trust in the DNSSEC chain.

Impact: If the DNS server does not properly implement DNSSEC-related records (like CDNSKEY and CDS), it can prevent the correct operation of DNSSEC, resulting in failed validations and SSL certificate issues.

3. Denial of Existence Issues

  • Errors:
    • ynr23.s6v34.oskarthun.xyz/A, oskarthun.xyz/CNAME, and oskarthun.xyz/NSEC3PARAM: There are issues related to the denial of existence for these records. This means there might be problems with how your DNS server handles queries for non-existent records under DNSSEC.

Impact: DNSSEC relies on the ability to correctly respond to queries for non-existent records (i.e., proving that certain records do not exist). Issues here can cause the DNS server to incorrectly validate records, which can lead to broader DNS failures.

4. CNAME Record Issues

  • Warnings:
    • oskarthun.xyz/CNAME: The server returned a CNAME for oskarthun.xyz, but other records of different types also exist for the same name. According to RFC 2181, a CNAME record should not coexist with other types of records at the same label.

Impact: Having a CNAME record at the same label as other types of records (like A or TXT records) violates DNS standards. This could lead to unexpected behavior or failures in DNS resolution, potentially contributing to the issue you’re seeing with SSL certificate verification.

Next Steps to Resolve the Issues

  1. Correct DNSSEC Configuration:
  • Ensure that the NSEC3 records use an iteration count of 0 and have an empty salt value. This may involve adjusting settings with your DNS provider or disabling and re-enabling DNSSEC to regenerate these records correctly.
  • Ensure that your DNS servers correctly implement and support the CDNSKEY and CDS records. If your DNS provider does not support these, consider switching to a provider that fully supports DNSSEC.
  1. Resolve CNAME Conflicts:
  • If you have a CNAME for oskarthun.xyz, ensure there are no other conflicting records (like A or TXT records) at that same name. If necessary, restructure your DNS records to remove these conflicts.
  1. Consult DNS Provider:
  • Given the complexity of DNSSEC and the errors related to NOTIMP, it might be best to consult with your DNS hosting provider. They can assist in ensuring that your DNSSEC settings are properly configured and that all DNS records are correctly signed and validated.
  1. Review ENS Configuration:
  • After correcting the DNS issues, review your ENS setup, especially if you’re using the L1 Gateway Contract. This setup relies on DNSSEC, so resolving the above DNSSEC issues should also help with ENS functionality.
  1. Propagation and Testing:
  • After making changes, allow time for DNS propagation (typically based on the TTL settings). Use tools like DNSViz to recheck your domain for any remaining issues.

Conclusion

The errors you’re encountering are primarily due to DNSSEC misconfigurations, especially related to NSEC3 parameters and DNS server capabilities (or lack thereof) with CDNSKEY and CDS records. Resolving these issues should help you get back to a stable DNS setup, which will allow SSL certificates to be verified properly and ENS functionality to work as expected.

When provisioning SSL certificates all certificate authorities (CAs), which includes Let’s Encrypt, must check for permission to issue SSL certificate by examining any CAA type DNS records which may (or may not) exist. If no CAA records exist then anyone can issue SSL certificates. If CAA records do exist, they will detail which CAs can issue SSL certificates and any CAs not listed cannot do so.

The issue here is that the IP address for one of your name server isn’t returning valid DNSSEC information so the CAA record lookup is failing. If the CAA lookup fails no CA can issue SSL certificates.

The error is:

SniCertificate::CertificateNonvalidError: Unable to verify challenge for www.oskarthun.xyz: DNS problem: looking up CAA for oskarthun.xyz: DNSSEC: RRSIGs Missing: validation failure <oskarthun.xyz. CAA IN>: no signatures from 20.228.226.240

The IP address in the error is 20.228.226.240 which belongs to this name server for your domain:

ns1.3dns.box.		3600	IN	A	20.228.226.240

This error can only be resolved by the company or organization responsible for that name server which appears to be https://3dns.box/.

If there are other questions about this, please let us know.

1 Like