Problem with Certificate Renewal - CAA Query Windows Server 2012

  • Question

  • Hello all,

    I'm having a problem with CAA queries on my external DNS server. I am getting ‘SERVFAIL’ as the response, but it should give me ‘NOERROR’ as the reply. I don't have any CAA records in my zone, so the server should answer the query with a NOERROR result; this way, the CA would understand and generate the certificate.

    Server info:
    OS: Windows Server 2012 Datacenter
    Role: External DNS
    Windows Firewall: OFF

    I am using a web-based dig tool and I'm getting the following results when I run a CAA query (mycompany.com.br and anothercompany.com.br are fictitious names):

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> CAA +additional mycompany.com.br @8.8.4.4
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10867
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;mycompany.com.br. IN CAA

    ;; Query time: 3 msec
    ;; SERVER: 8.8.4.4#53(8.8.4.4)
    ;; WHEN: Fri Oct 6 17:16:51 2017
    ;; MSG SIZE rcvd: 32

    The answer it should give me is something like this:

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> CAA +additional anothercompany.com.br @8.8.4.4
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37136
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;anothercompany.com.br. IN CAA

    ;; AUTHORITY SECTION:
    anothercompany.com.br. 1791 IN SOA ns1.anothercompany.com.br hostmaster.anothercompany.com. 2012050722 900 600 86400 3600

    ;; Query time: 12 msec
    ;; SERVER: 8.8.4.4#53(8.8.4.4)
    ;; WHEN: Fri Oct 6 17:16:46 2017
    ;; MSG SIZE rcvd: 98

    Other queries, like A, ANY or SOA, work perfectly.

    I asked for a check on the firewall, but the owners told me there's no problem with ‘query blocking’ on their side…
    Does anybody have an idea of what to do next?

    Thanks all!


    Vitor Malafaia


    Friday, October 6, 2017 3:39 PM
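The distinction the poster describes (an empty NOERROR answer versus SERVFAIL for a CAA query) is visible in the DNS header alone, so it can be checked without dig. The following is an added example, not code from the original post or from Microsoft: a stdlib-only Python script that builds a raw CAA query (record type 257), parses the response header and classifies the outcome the way a CA's CAA check would see it. The two embedded responses are constructed to mirror the headers in the two dig outputs above (same transaction ids, flags and section counts; the authority SOA is omitted because only the header is parsed); `query_caa` is a hypothetical helper that performs a live UDP lookup when a network is available.

```python
import socket
import struct

# CAA resource record type number (RFC 6844); class IN.
CAA_TYPE = 257
IN_CLASS = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_caa_query(name, txid):
    """Standard recursive query: QR=0, RD=1, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", CAA_TYPE, IN_CLASS)


def parse_header(data):
    """Decode the 12-byte DNS header into the fields dig prints in its HEADER line."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": rcode,
        "status": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess_caa_response(data, expected_id):
    """Classify a CAA response: only NOERROR/NXDOMAIN let a CA reach a decision."""
    h = parse_header(data)
    if h["id"] != expected_id or not h["qr"]:
        return "invalid: id mismatch or not a response"
    if h["status"] == "NOERROR" and h["ancount"] == 0:
        return "ok: NOERROR with empty answer, no CAA records at this name"
    if h["status"] == "NOERROR":
        return "ok: %d CAA record(s) returned, CA will evaluate them" % h["ancount"]
    if h["status"] == "NXDOMAIN":
        return "ok: name does not exist, no CAA records at this name"
    return "fail: %s, CA cannot determine the CAA policy" % h["status"]


def query_caa(name, server, timeout=3.0, txid=0x2A73):
    """Hypothetical live helper: send the query over UDP/53 and return raw bytes."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_caa_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return data


# Constructed responses mirroring the two dig outputs in the question.
QUESTION = encode_name("mycompany.com.br") + struct.pack("!HH", CAA_TYPE, IN_CLASS)
# flags 0x8182: QR=1, RD=1, RA=1, RCODE=2 (SERVFAIL); all counts zero except the question.
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 10867, 0x8182, 1, 0, 0, 0) + QUESTION
# flags 0x8180: QR=1, RD=1, RA=1, RCODE=0 (NOERROR); ANSWER=0, AUTHORITY=1 (SOA, not encoded here).
SAMPLE_NOERROR = struct.pack("!HHHHHH", 37136, 0x8180, 1, 0, 1, 0) + QUESTION


if __name__ == "__main__":
    for label, data, txid in (("servfail", SAMPLE_SERVFAIL, 10867),
                              ("noerror", SAMPLE_NOERROR, 37136)):
        print(label, parse_header(data)["status"], "->", assess_caa_response(data, txid))
    # Live check against a resolver (needs network):
    # print(assess_caa_response(query_caa("mycompany.com.br", "8.8.4.4"), 0x2A73))
```

Run it once against the failing zone via the public resolver and once directly against the authoritative server's address; if the authoritative server itself answers SERVFAIL while A and SOA queries succeed, the problem is on the server rather than in the resolver path or a firewall in between.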

All replies

  • Hi,

    Based on the complexity and the specific situation, we need to do more research. If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated. If you have further information during this period, you could post it on the forum, which helps us understand and analyze this issue comprehensively.
    Sorry for the inconvenience and thank you for your understanding and patience.
    Best Regards,

    Frank

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 9, 2017 10:01 AM