Internal - Troubleshooting CAA Records: Not Authorized and Error!

July 17, 2018

There are a two main things, with regards to CAA, that can cause the delay in the issuance of a trusted "SSL" certificate. Generally, it is either ALLOWED or NOT ALLOWED and often nothing in between.

  1. Not Authorized!

    • This generally means that another CA (e.g. DigiCert, Let'sEncrypt, Symantec, Thawte, GoDaddy) is listed under "issue" or "issuewild".
      • Steps to confirm:
        1. Check Rob's CAA Log – https://secure.comodo.com/products/rob.caalog?certificateID= ; replace certificateID with the customer's cert ID from SASP.
        2. Ensure that the Cache Until (GMT) column is visible and does not have a strike-through line throughout the cell.
          This is an example of an expired cache of CAA records.
          1. If the above exists, then it's possible that the customer may have updated their CAA records (but not likely) and one will need to use Fix!! button in OMS to fetch new records:
            1. Once "fixed", fresh records should exist and you can resume troubleshooting from the top. (start over)
        3. If Cache Until (GMT) is recent and Not Authorized! still exists, then please click on FQDN, with the problem, in order to get more details.
          1. In the ANSWER section observe the CAA records that are present for the domain. (e.g. comodo.com. 1199 IN CAA 0 issue "comodoca.com" )
          2. If another CA is listed here; then simply advise the customer to have their record updated to one of ours.
            1. Please remember, it is possible for CAA to exist at any point in the DNS hierarchy. (e.g. test.site.mydomain.example.net)
            2. We need to advise the customer at what point it is getting held up so they can have it fixed.
              1. It is important to remember that we also need to follow CNAME & DNAME values that are returned when doing a lookup of these CAA records.This can throw a monkey wrench in to troubleshooting so be on the lookout for these (especially from Universities!)
        4. For a second opinion, view the current CAA record for the requested FQDN on Google's GSuite Toolbox;
          • Observe if any of our allowed CAA records: comodo.com, comodoca.com, usertrust.com, trust-provider.com
            Note: web.com, networksolutions.com & netsolssl.com are not allowed at this time! (as of 20 Nov 2017)
        5. For a shareable option with the customer, you can use: https://www.whatsmydns.net/ as they have a CAA lookup function too. (e.g. https://www.whatsmydns.net/#CAA/comodo.com ; this does a CAA lookup on COMODO.COM)
  2. ERROR!
  • This generally means we've encountered an error when trying to do a CAA lookup against the domain. In almost all cases times this is the "status code" of SERVFAIL returned by the authoritative name servers for the domain and we can't issue until the customer has it fixed.
    • Steps to confirm:
        1. Check Rob's CAA Log – https://secure.comodo.com/products/rob.caalog?certificateID= ; replace certificateID with the customer's cert ID from SASP.
        2. Ensure that the Cache Until (GMT) column is visible and does not have a strike-through line throughout the cell.
          This is an example of an expired cache of CAA records.
          1. If the above exists, then it's possible that the customer may have updated their CAA records (but not likely) and one will need to use Fix!! button in OMS to fetch new records:
            1. Once "fixed", fresh records should exist and you can resume troubleshooting from the top. (start over)
        3. If Cache Until (GMT) is recent and ERROR! still exists, then please click on FQDN, with the problem, in order to get more details.
          1. if no data is returned, then we need to consult a secondary source. (likely means we've hit a SERVFAIL)
          2. Use Google's GSuite Toolbox and look up the errant FQDNs (e.g. www.example.net; example.net, etc.)
          3. If the FQDN's lookup is unsuccessful, the rcode will state SERVFAIL.
          4. An Example of a valid DNSSEC signed response (via Google's GSuite Toolbox)
        4. You will also need to do a lookup against the FQDN(s) using the ANY DNS record type and if the rcode here lists NOERROR then we unfortunately can not issue until the customer has this item addressed.
          An example of the ANY record's rcode returning NOERROR and thus we can not issue (because the CAA lookup for www.example.net FAILED + the rcode for the ANY record returned NOERROR)
        5. In order to show the customer this information – We can provide the customer with Google's GSuite Toolbox and show them the results we're looking at... the ANY + CAA lookups.
          • We can use Google's GSuite Toolbox because it uses their Public DNS (8.8.8.8 / 8.8.4.4) and validates DNSSEC signature chains.
        6. Example Response: "We are contacting you in regards to order # XXXXXXXX. When querying for a CAA record with DNSSEC enabled, order # XXXXXXXX cannot be issued because Google's PublicDNS replies with a SERVFAIL for domain www.webshop.dare2help.nl . <Include lookup results for domain in step #5.> Please have DNSSEC configured correctly in order to have the certificate issued."



Dig records differ

SOLUTION: Customer is using a version of Dig that does not support the use of the CAA record type. (Notice the different in the Question output) They will have to use ‘type257’ for this version, dig/BIND 9.9.6 support “CAA”. -- https://kb.isc.org/article/AA-01210/0/BIND-9.9.6-Release-Notes.html

Customer can also use Google’s GSuite Toolbox and see the SERVFAIL too -- https://toolbox.googleapps.com/apps/dig/#CAA/

There’s also DNSViz.net which can be used too.

PROBLEM: Support tried to duplicate the customer's dig results for drive.edp.com and were unsuccessful. How are we seeing "SERVFAIL" and he's seeing "NOERROR"? We asked him to enter +dnssec before @8.8.8.8 and it didn't make a difference. The outputs and screenshots are provided below.

Customer's Output:

administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @8.8.8.8

; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10898
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;CAA. IN A

;; Query time: 76 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:56:16 WET 2018
;; MSG SIZE rcvd: 21

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56504
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drive.edp.com. IN A

;; ANSWER SECTION:
drive.edp.com. 3599 IN A 213.58.166.235

;; Query time: 308 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 11 18:56:16 WET 2018
;; MSG SIZE rcvd: 58

administrator@mint-173-32 ~/.mozilla/firefox $
administrator@mint-173-32 ~/.mozilla/firefox $
administrator@mint-173-32 ~/.mozilla/firefox $
administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @dns1.host-redirect.com

; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @dns1.host-redirect.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3359
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;CAA. IN A

;; Query time: 3 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:56:40 WET 2018
;; MSG SIZE rcvd: 21

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28993
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;drive.edp.com. IN A

;; ANSWER SECTION:
drive.edp.com. 3600 IN A 213.58.166.235

;; Query time: 48 msec
;; SERVER: 91.198.47.1#53(91.198.47.1)
;; WHEN: Thu Jan 11 18:56:40 WET 2018
;; MSG SIZE rcvd: 58

administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @dns2.host-redirect.com

; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @dns2.host-redirect.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8557
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;CAA. IN A

;; Query time: 80 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:56:47 WET 2018
;; MSG SIZE rcvd: 21

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26499
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;drive.edp.com. IN A

;; ANSWER SECTION:
drive.edp.com. 3600 IN A 213.58.166.235

;; Query time: 328 msec
;; SERVER: 194.8.30.2#53(194.8.30.2)
;; WHEN: Thu Jan 11 18:56:47 WET 2018
;; MSG SIZE rcvd: 58

administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @9.9.9.9

; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27914
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;CAA. IN A

;; Query time: 7 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:57:31 WET 2018
;; MSG SIZE rcvd: 21

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30443
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;drive.edp.com. IN A

;; ANSWER SECTION:
drive.edp.com. 3600 IN A 213.58.166.235

;; Query time: 428 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Thu Jan 11 18:57:31 WET 2018
;; MSG SIZE rcvd: 58

administrator@mint-173-32 ~/.mozilla/firefox $ dig CAA drive.edp.com @8.8.8.8

; <<>> DiG 9.9.5-3ubuntu0.16-Ubuntu <<>> CAA drive.edp.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12971
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;CAA. IN A

;; Query time: 122 msec
;; SERVER: 192.168.43.1#53(192.168.43.1)
;; WHEN: Thu Jan 11 18:59:04 WET 2018
;; MSG SIZE rcvd: 21

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48670
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;drive.edp.com. IN A

;; ANSWER SECTION:
drive.edp.com. 3599 IN A 213.58.166.235

;; Query time: 328 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 11 18:59:05 WET 2018
;; MSG SIZE rcvd: 58

Support's Output:

<<>> DiG 9.10.5-P3 <<>> CAA drive.edp.com +dnssec @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59542
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;drive.edp.com. IN CAA

;; Query time: 138 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 11 15:08:34 Eastern Standard Time 2018
;; MSG SIZE rcvd: 42