Tag Archives: Linux How to

Unix-like multi-user operating systems based on the Linux kernel and largely on GNU software, such as CentOS, Debian, Ubuntu and Fedora.

DIG WARNING: recursion requested but not available

You may get the following warning when trying to query with dig: WARNING: recursion requested but not available.

; <<>> DiG 9.16.37-Debian <<>> domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 34429
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

Why does dig report recursion requested but not available?

dig sends the DNS COOKIE option (an EDNS option), which is enabled by default starting with BIND 9.11. Unfortunately, some DNS servers, often older Windows DNS servers, treat a query carrying this option as malformed (the FORMERR status above) or do not understand it, so the request is rejected.

A workaround is to pass +nocookie (send EDNS without the cookie option) or +noedns (disable EDNS entirely).

$ dig domain.tld +nocookie

The message recursion requested but not available still appears, because the server does not set the RA (recursion available) flag in its reply, but the dig query is now resolved.
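To make the two workarounds concrete, here is an added example (not code from the original post) that builds the same kind of A query dig sends, with an EDNS OPT record carrying a DNS COOKIE option, without the cookie (+nocookie) or without EDNS at all (+noedns), and decodes a response header the way dig prints it. The two response headers are constructed to match the FORMERR and NOERROR outputs quoted on this page; the warning is simply RD set in the query while RA is clear in the reply.

```python
import os
import struct
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Dotted hostname -> DNS wire format (length-prefixed labels, root terminator)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.strip(".").split(".") if l) + b"\x00"

def build_query(name, qid=0x1234, edns=True, cookie=True):
    """A query with RD set, like dig. edns=False mimics +noedns (no OPT RR);
    cookie=False mimics +nocookie (OPT RR without the COOKIE option, code 10, RFC 7873)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # 0x0100 = RD
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if not edns:
        return header + question
    rdata = struct.pack("!HH", 10, 8) + os.urandom(8) if cookie else b""  # 8-byte client cookie
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN
    return header + question + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata

def edns_option_codes(query):
    """Option codes in the OPT RR of a query built above, or None when it has no OPT RR."""
    pos = 12
    while query[pos] != 0:            # skip QNAME labels
        pos += query[pos] + 1
    pos += 5                          # root label + QTYPE + QCLASS
    if pos >= len(query):
        return None
    rdlen = struct.unpack("!H", query[pos + 9:pos + 11])[0]
    rdata, codes, i = query[pos + 11:pos + 11 + rdlen], [], 0
    while i < len(rdata):
        code, length = struct.unpack("!HH", rdata[i:i + 4])
        codes.append(code)
        i += 4 + length
    return codes

def decode_header(msg):
    """Decode the 12-byte header into the fields dig prints (status, flags, counts)."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "ad": bool(flags & 0x0020), "query": qd, "answer": an, "authority": ns, "additional": ar}

def dig_warnings(hdr):
    """dig warns when RD was set in the query but the server left RA clear in its reply."""
    return ["recursion requested but not available"] if hdr["rd"] and not hdr["ra"] else []

# Constructed response headers matching the two dig outputs quoted on this page
FORMERR_RESPONSE = struct.pack("!HHHHHH", 34429, 0x8101, 1, 0, 0, 1)  # flags: qr rd; FORMERR
NOERROR_RESPONSE = struct.pack("!HHHHHH", 31915, 0x8120, 1, 4, 0, 0)  # flags: qr rd ad; NOERROR
```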

dig returns one or more sections of information about the hostname's DNS records, depending on the syntax of your query. In the example below, dig returned results for the query dig time.google.com +nocookie:

$ dig time.google.com +nocookie

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> time.google.com +nocookie
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31915
;; flags: qr rd ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;time.google.com.               IN      A

;; ANSWER SECTION:
time.google.com.        0       IN      A       216.239.35.4
time.google.com.        0       IN      A       216.239.35.8
time.google.com.        0       IN      A       216.239.35.12
time.google.com.        0       IN      A       216.239.35.0

;; Query time: 9 msec
;; SERVER: 172.17.64.1#53(172.17.64.1) (UDP)
;; WHEN: Sun Aug 06 13:02:12 CEST 2023
;; MSG SIZE  rcvd: 112

What is dig?

dig is a robust command-line tool developed as part of BIND for querying DNS name servers. It can look up IP address records, trace the query path as it obtains answers from an authoritative name server, and diagnose other DNS issues. It can be used with or without the EDNS option when recursion is requested.

You can install dig on most operating systems either by downloading the latest version of BIND 9 from BIND's website or from the command line using a package manager.

Installing dig

To install dig for Windows, go to BIND’s website and download the most current version of BIND 9. Extract the downloaded file and double-click the BIND install icon in the newly created directory.

On the BIND 9 Installer screen, verify that the target directory is set to C:\Program Files\ISC BIND 9 (or C:\Program Files (x86)\ISC BIND 9 if you are using an x86 architecture) and select the Tools Only check box. Then click Install.

dig is part of the DNS utility package that is usually installed alongside BIND name servers. On Debian Linux you can also install the utility package that contains dig by running apt-get install dnsutils.

How to Check Lets Encrypt Certificate Expiry Date

When using Let's Encrypt certificates, which are issued via the ACME protocol by an ACME client such as Certbot on Linux operating systems, it is important to check the expiry date, because the certificates are valid for 90 days and must be renewed before they expire.

Many of us are familiar with the e-mail "Let's Encrypt certificate expiration notice for domain":

Your certificate (or certificates) for the names listed below will expire in 20 days (on 31 Mar 23 08:33 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

myhost.example.tld

So let's look at the options, with example commands, for getting the expiry date of Let's Encrypt certificates so that we can renew them with certbot in time for our myhost server, before they expire and become invalid.

Check Certificates Expiry Date

To view a list of the certificates Certbot knows about, run the certificates subcommand in the terminal shell:

$ sudo certbot certificates

This returns details similar to the following, including the Expiry Date:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: myhost.domain.org
    Domains: myhost.domain.org
    Expiry Date: 2023-03-26 08:39:39+00:00 (VALID: 14 days)
    Certificate Path: /etc/letsencryp/live/myhost.example.tld/fullchain.pem
    Private Key Path: /etc/letsencryp/live/myhost.example.tld/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Let's see how the expiry date of any certificate can be queried, not just Let's Encrypt certificates.

$ sudo openssl x509 -dates -noout < /etc/letsencrypt/live/myhost.example.tld/cert.pem

This command, run in a Linux terminal, displays the validity period (notBefore and notAfter) of the certificate, as defined by the ITU-T X.509 standard for digital certificates.
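The following is an added example, not part of the original post, that parses the notBefore/notAfter lines printed by the openssl command above and applies the renewal rule from the Let's Encrypt notice (renew once a third of the lifetime is left, i.e. 30 days for a 90-day certificate). The sample openssl output is constructed; cert_dates() runs the same openssl command against a real file path if you have one.

```python
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl x509 -dates -noout` prints for a 90-day certificate
SAMPLE_DATES = """notBefore=Dec 26 08:39:39 2022 GMT
notAfter=Mar 26 08:39:39 2023 GMT
"""

def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines into timezone-aware UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl prints e.g. "Mar  6 08:39:39 2023 GMT"; drop the trailing zone name
            ts = value.strip().rsplit(" ", 1)[0]
            dates[key] = datetime.strptime(ts, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return dates["notBefore"], dates["notAfter"]

def cert_dates(pem_path):
    """Run the same openssl command as in the post against a real certificate file."""
    out = subprocess.run(["openssl", "x509", "-dates", "-noout", "-in", pem_path],
                         check=True, capture_output=True, text=True).stdout
    return parse_openssl_dates(out)

def renewal_status(not_before, not_after, now=None):
    """Let's Encrypt rule: renew once a third of the lifetime is left
    (30 days for a 90-day certificate). Returns (status, days_remaining)."""
    now = now or datetime.now(timezone.utc)
    lifetime = not_after - not_before
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= lifetime / 3:
        return "renew", remaining.days
    return "ok", remaining.days

def check_openssl_output(text, now_iso=None):
    """Convenience wrapper: openssl -dates text plus an ISO-8601 UTC instant -> (status, days)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc) if now_iso else None
    return renewal_status(*parse_openssl_dates(text), now)

if __name__ == "__main__":
    print(check_openssl_output(SAMPLE_DATES))
```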

Renew Let's Encrypt Certificates using Certbot

Let's Encrypt certificates can be renewed before they expire using this command:

$ sudo certbot renew

In the next example, the Let's Encrypt certificate is renewed only for the domain domain.org and its hostname myhost.example.tld, using the apache2 web server:

$ sudo certbot --apache -d example.tld -d myhost.example.tld

In the final example, the Let's Encrypt certificate is renewed only for the hostname myhost.example.tld, e.g. when it is used by other services such as an SMTP mail transfer agent that uses STARTTLS:

$ sudo certbot --standalone certonly -d myhost.example.tld

Let's Encrypt's mission is to create a more secure and privacy-respecting World Wide Web by promoting the widespread adoption of HTTPS.

Let's Encrypt certificates are valid for 90 days, during which renewal can take place at any time. This is handled by an automated process designed to replace the manual creation, validation, signing, installation and renewal of certificates for secure websites.

The project's stated goal is to make encrypted connections to World Wide Web servers ubiquitous. By eliminating payment, web server configuration, validation e-mail management and certificate renewal tasks, it is meant to significantly lower the complexity of setting up and maintaining TLS encryption.