
I moved my domain to Route53 and am now getting problems with Certbot renewal. Certbot has been running great for 4 years, but is now failing to renew.

When running sudo certbot renew --apache I get this error:

   Type:   None
   Detail: DNS problem: looking up A for somedomain.com: DNSSEC:
   DNSKEY Missing; DNS problem: looking up AAAA for
   somedomain.com: DNSSEC: DNSKEY Missing

DNSSEC is not, and hasn't ever been enabled for that domain in Route53, so not sure why Certbot fails.

I am at a loss here and would really like to use Route53 instead of the old domain manager.

EDIT: It looks like DNSSEC was activated by default for .se domains in the old domain manager (Loopia).

This is what i see under Registered domains in Route 53:

[Screenshot: Registered domains section in Route 53]

Using Ubuntu/Apache/python3-certbot-apache

UPDATE: I removed the record in Route53 Registered domains, but now I'm getting this error instead:

   Detail: DNS problem: looking up A for somedomain.com: DNSSEC:
   DNSKEY Missing; DNS problem: looking up AAAA for
   somedomain.com: DNSSEC: Bogus
    DNSSEC is not, and hasn't ever been enabled for that domain in Route53 - did you used to have DNSSEC set up? Jul 30 at 4:47
  • In the old domain manager it looks like DNSSEC was enabled by default. I just did a domain transfer to Route53, copied all the DNS records and changed name servers and thought that was it. Any help is really appreciated.
    – Malako
    Jul 30 at 14:58

2 Answers


It looks like DNSSEC was activated by default for .se domains in the old domain manager (Loopia).

It sounds like you need to either remove the DS record if you don't want to have the zone signed, or otherwise sign the zone and update the DS record to reflect the current DNSKEY.

The DS record is part of the delegation (parent zone) and is managed through your registrar.

  • I added a screenshot to the question just to make sure I am on the right track. I should delete this record right? I don't want to enable DNSSEC for now.
    – Malako
    Jul 30 at 15:42
  • @Malako Looks reasonable to me, if this is in the registrar section of Route53. Jul 30 at 16:19
  • I deleted the record but now I'm getting another error - question updated. Thanks a lot for taking your time Håkan, I really appreciate it!
    – Malako
    Jul 30 at 19:50
  • @Malako That looks like the same error, no? It could just be a caching problem, but hard to tell from my end. Maybe see what dnsviz.net says? Jul 30 at 20:14
  • Hi Håkan. For A record it's the same, for AAAA it's different. I will try again this evening.
    – Malako
    Jul 31 at 5:54
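The answer above hinges on the relationship between the DS record at the parent (.se, managed via the registrar) and the DNSKEY RRset served by the child zone. The following is an added example, not code from the question, the answer, Certbot or Route 53: it reimplements the RFC 4034 key tag and DS digest computation in plain Python and uses them to classify a delegation the way a validating resolver (such as the one Let's Encrypt uses) does. The key bytes, owner name and scenario labels are constructed placeholders, not real keys.

```python
import hashlib
import struct

# Constructed sample key material (NOT real keys). These stand in for the
# KSK the old registrar used to sign the zone and a hypothetical new KSK.
OLD_KSK_PUBKEY = bytes(range(1, 65))       # 64 fake bytes, like an ECDSA P-256 key
NEW_KSK_PUBKEY = bytes(range(64, 0, -1))   # a different fake key


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK/SEP), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for every algorithm except 1/RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS the parent publishes for this key: (key tag, algorithm, digest type, digest)."""
    algorithm = rdata[3]  # byte 3 of the RDATA is the algorithm number
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def check_delegation(owner: str, ds_rrset: list, dnskey_rrset: list) -> str:
    """
    Classify a delegation the way a validating resolver would:
      no DS at the parent                     -> "insecure" (DNSSEC simply off)
      DS present, child serves no DNSKEY      -> "dnskey missing"
      DS present, no DNSKEY matches any DS    -> "bogus"
      some DS matches a DNSKEY                -> "secure"
    Only the DS/DNSKEY link is modelled; RRSIG validation is out of scope here.
    """
    if not ds_rrset:
        return "insecure"
    if not dnskey_rrset:
        return "dnskey missing"
    for tag, alg, dtype, digest in ds_rrset:
        for rdata in dnskey_rrset:
            if (key_tag(rdata) == tag and rdata[3] == alg
                    and ds_digest(owner, rdata, dtype) == digest):
                return "secure"
    return "bogus"


def registrar_transfer_scenario() -> dict:
    """Walk through the situation in the question with the constructed keys above."""
    owner = "somedomain.com"  # placeholder name from the question
    old_key = dnskey_rdata(257, 3, 13, OLD_KSK_PUBKEY)   # KSK, algorithm 13
    new_key = dnskey_rdata(257, 3, 13, NEW_KSK_PUBKEY)
    stale_ds = [ds_record(owner, old_key)]  # DS the old registrar left at the parent
    return {
        "signed at old registrar": check_delegation(owner, stale_ds, [old_key]),
        "moved, zone now unsigned": check_delegation(owner, stale_ds, []),
        "moved, re-signed with a new key": check_delegation(owner, stale_ds, [new_key]),
        "DS removed at the parent": check_delegation(owner, [], []),
    }


if __name__ == "__main__":
    for situation, verdict in registrar_transfer_scenario().items():
        print(f"{situation:35s} -> {verdict}")
```

To compare this against a live delegation, fetch the parent's view with `dig DS somedomain.com +short` (the text form is `keytag algorithm digesttype digest`, the same four fields `ds_record` returns) and the child's view with `dig DNSKEY somedomain.com +short`. The "DNSKEY Missing" case in the question is the second scenario: the parent still advertises a DS, but the unsigned Route 53 zone has no DNSKEY to match it. Note that resolvers cache DS records for their TTL, so a deleted DS can keep producing the error until the cache expires, which is consistent with the caching suspicion in the comments; dnsviz.net, as suggested above, shows which side of the delegation is still out of step.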

I am running into the same issue.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-disable.html

This link mentions how to disable DNSSEC signing for the hosted zone but doesn't show how to have DNSSEC Status as "Not configured" for the registered domain.

Were you able to figure this out? Did deleting the DNSSEC key solve the issue for you?

  • A link is great but could become invalid. Please copy the relevant parts and keep them as plain text, and keep the link as a reference. As for now the answer is not yet valid ;)
    – djdomi
    Oct 21 at 7:14
